##############################
# GENERAL
##############################
# Core settings: Elasticsearch connection, time window, run mode and logging.
[general]
# Elasticsearch parameters
# Plain http:// and no credentials are configured here; if the cluster is reachable from
# other hosts, confirm that transport encryption and authentication are enforced elsewhere
# (NOTE(review): not visible from this file).
es_url=http://esnode1:9200
# Index pattern that is scanned for events
es_index_pattern=logstash-eagleeye-*
# Scroll page size and how long each scroll context stays open (Elasticsearch duration syntax)
es_scan_size=10000
es_scroll_time=25m
# Request timeout (assumed seconds - TODO confirm against the client code)
es_timeout=300
# The field name representing the event timestamp in Elasticsearch
timestamp_field=@timestamp
# Save outlier detection results to Elasticsearch (if set to 0, Elasticsearch events won't be touched - great for testing)
es_save_results=1
# Print outlier matches to the console. For testing purposes, it's advised to enable this so that the analyst can directly see on the command line which outliers are detected.
# Matches may contain raw event data, so keep this at 0 where console output is captured by a shared log.
print_outliers_to_console=0
# How far back should we process events and look for outliers?
# Both values are combined (for example the below will look back 7 days and 12 hours, up until right now).
history_window_days=7
history_window_hours=12
# Wipe all existing outliers that fall in the history window upon first run.
# Destructive: previously stored outlier data in the window is removed, so leave at 0 unless a full re-run is intended.
es_wipe_all_existing_outliers=0
# Should existing outliers be checked (and removed) for a match with the configuration whitelist
es_wipe_all_whitelisted_outliers=1
# General flags to run, test or train models
# Training is only used by the Machine Learning models (word2vec)
run_models=1
test_models=0
train_models=0
# 0 for no progress info, 1-4 for progressively more output, 5+ for all the log output
log_verbosity=1
# CRITICAL ERROR WARNING INFO DEBUG
log_level=INFO
# Log destination; the directory must exist and be writable by the account running the detector
log_file=/mappedvolumes/logs/outliers.log
##############################
# ASSET FIELDS
##############################
# Each line maps an event field (left) to an asset category (right).
# Categories used below: user, host, ip, domain, country, mac.
# NOTE(review): this section uses "key = value" spacing while the rest of the file uses "key=value";
# harmless if the reader is Python configparser (surrounding whitespace is stripped), but inconsistent.
[assets]
meta.logged_in_users = user
meta.hostname = host
osqueryfilter.address = ip
suricatafilter.dest_ip = ip
suricatafilter.src_ip = ip
suricatafilter.tls.sni = domain
suricatafilter.http.hostname = domain
suricatafilter.dns.rrname = domain
brofilter.server_name = domain
brofilter.host = domain
brofilter.query = domain
brofilter.id_orig_h = ip
brofilter.id_resp_h = ip
brofilter.id_orig_h_geo_info.name = country
brofilter.id_resp_h_geo_info.name = country
brofilter.user = user
brofilter.src = ip
brofilter.dst = ip
wineventfilter.hostname = host
wineventfilter.workstationname = host
wineventfilter.ipaddress = ip
wineventfilter.targetusername = user
wineventfilter.subjectusername = user
syslogfilter.user-name = user
syslogfilter.calling-station-id = mac
syslogfilter.calling-station-id_geo_info.name = country
syslogfilter.username = user
binddnsfilter.clientip = ip
binddnsfilter.query = domain
officefilter.auditdata.userid = user
officefilter.auditdata.mailboxownerupn = user
officefilter.auditdata.clientipaddress = ip
##############################
# NOTIFIER
##############################
# E-mail alerting. The <...> values are placeholders, not defaults.
[notifier]
# 1 to enable e-mail notifications, 0 to disable
email_notifier=0
# smtp_user / smtp_pass are credentials stored in clear text: restrict this file's permissions,
# never commit real values, and prefer injecting them from a secret store where the deployment allows it.
smtp_user=<USERNAME>
smtp_pass=<PASSWORD>
smtp_server=<SMTP SERVER>
# 465 is conventionally the SMTPS (implicit TLS) port; whether the notifier actually negotiates TLS is not visible here - confirm in the code.
smtp_port=465
# Number of recent notifications kept in memory so that the same alert is not sent twice
max_cache_ignore=1000
##############################
# DAEMON
##############################
[daemon]
# Only used when running ee-outliers in daemon mode. Below schedule will run each day at 00:00.
# Cron-style fields: minute hour day-of-month month day-of-week.
schedule=0 0 * * *
##############################
# TERMS PARAMETERS
##############################
[terms]
# Define how many events should be processed at the same time, before looking for outliers.
# Larger batches give better results, but will result in increased memory usage.
terms_batch_eval_size=100000
##############################
# METRICS PARAMETERS
##############################
[metrics]
# Define how many events should be processed at the same time, before looking for outliers.
# Larger batches give better results, but will result in increased memory usage.
metrics_batch_eval_size=100000
##############################
# MACHINE LEARNING PARAMETERS
##############################
[machine_learning]
# Passed on as TF_CPP_MIN_LOG_LEVEL. 0 shows all logs; 1 filters out INFO logs, 2 additionally filters out WARNING, 3 additionally filters out ERROR.
tensorflow_log_level=2
# Number of events evaluated per batch by the word2vec model
word2vec_batch_eval_size=1000
# Reuse cached word2vec results (1) or recompute (0)
word2vec_use_cache=1
word2vec_use_test_data=0
# Share of the available data used for training, as a percentage (100 = all of it)
training_data_size_pct=100
training_steps=100000
# Where trained models are written and read back from.
# NOTE(review): /tmp is normally world-writable and shared between local accounts; if models are loaded
# from here at run time, a dedicated directory with restricted permissions is the safer location.
models_directory=/tmp/ee-outliers/trained_models/
##############################
# DERIVED FIELDS
##############################
[derivedfields]
# These fields will be extracted from all processed events, and added as new fields in case an outlier event is found.
# The format for the new field will be: outlier.<field_name>, for example: outliers.initials
# NOTE(review): the two prefixes above differ (outlier. vs outliers.) - confirm which one the code actually writes and make the comment match.
# The format to use is GROK. These fields are extracted BEFORE the analysis happens, which means that these fields can also be used as for example aggregators or targets in use cases.
# NOTE(review): the pattern below contains literal % characters. If this file is read with Python configparser and
# interpolation enabled, % would have to be written %% - the reader presumably disables interpolation; confirm.
timestamp=%{YEAR:timestamp_year}-%{MONTHNUM:timestamp_month}-%{MONTHDAY:timestamp_day}[T ]%{HOUR:timestamp_hour}:?%{MINUTE:timestamp_minute}(?::?%{SECOND:timestamp_second})?%{ISO8601_TIMEZONE:timestamp_timezone}?
######################################################################################################################################################
# WHITELISTS
######################################################################################################################################################
# Entries here suppress outliers that match (see es_wipe_all_whitelisted_outliers in [general]).
# Keys are free-form names for the entry; values are matched literally.
# Whitelisting silences detections, so keep each entry narrow and review the list periodically.
[whitelist_literals]
slack_connection=rare outbound connection: Slack.exe
# Same purpose as [whitelist_literals], but values are regular expressions.
# The two patterns below are broad (any value with five or more dash-separated segments after the prefix);
# confirm they do not also match detections that should stay visible.
[whitelist_regexps]
scheduled_task_user_specific_2=^.*rare scheduled task:.*-.*-.*-.*-.*$
autorun_user_specific=^.*rare autorun:.*-.*-.*-.*-.*$