work on idaholab#19, assigning severity to certain types of events

docker-compose-standalone.yml

@@ -89,8 +89,9 @@ x-kibana-helper-variables: &kibana-helper-variables
   ISM_SNAPSHOT_REPO : 'logs'
 
 x-logstash-variables: &logstash-variables
-  LOGSTASH_OUI_LOOKUP  : 'true'
-  LOGSTASH_REVERSE_DNS : 'false'
+  LOGSTASH_OUI_LOOKUP       : 'true'
+  LOGSTASH_SEVERITY_SCORING : 'true'
+  LOGSTASH_REVERSE_DNS      : 'false'
   # ES_EXTERNAL_HOSTS : '10.0.0.123:9200'
   # ES_EXTERNAL_SSL : 'true'
   # ES_EXTERNAL_SSL_CERTIFICATE_VERIFICATION : 'false'
@@ -108,6 +109,7 @@ x-common-upload-variables: &common-upload-variables
 
 x-common-lookup-variables: &common-lookup-variables
   FREQ_LOOKUP : 'false'
+  FREQ_SEVERITY_THRESHOLD : '2.0'
 
 x-common-beats-variables: &common-beats-variables
   BEATS_SSL : 'false'

docker-compose.yml

@@ -89,8 +89,9 @@ x-kibana-helper-variables: &kibana-helper-variables
   ISM_SNAPSHOT_REPO : 'logs'
 
 x-logstash-variables: &logstash-variables
-  LOGSTASH_OUI_LOOKUP  : 'true'
-  LOGSTASH_REVERSE_DNS : 'false'
+  LOGSTASH_OUI_LOOKUP       : 'true'
+  LOGSTASH_SEVERITY_SCORING : 'true'
+  LOGSTASH_REVERSE_DNS      : 'false'
   # ES_EXTERNAL_HOSTS : '10.0.0.123:9200'
   # ES_EXTERNAL_SSL : 'true'
   # ES_EXTERNAL_SSL_CERTIFICATE_VERIFICATION : 'false'
@@ -108,6 +109,7 @@ x-common-upload-variables: &common-upload-variables
 
 x-common-lookup-variables: &common-lookup-variables
   FREQ_LOOKUP : 'false'
+  FREQ_SEVERITY_THRESHOLD : '2.0'
 
 x-common-beats-variables: &common-beats-variables
   BEATS_SSL : 'false'

kibana/zeek_template.json

@@ -40,6 +40,8 @@
         "event.outcome": { "type": "keyword" },
         "event.provider": { "type": "keyword" },
         "event.start": { "type": "date" },
+        "event.severity": { "type": "integer" },
+        "event.severity_tags": { "type": "keyword" },
         "event.type": { "type": "keyword" },
         "file.accessed": { "type": "date" },
         "file.created": { "type": "date" },

logstash/maps/malcolm_severity.yaml

@@ -3,7 +3,8 @@
 "CONNECTION_INBOUND": 50
 "CONNECTION_INTERNAL": 0
 "CONNECTION_OUTBOUND": 25
-"FILE_TYPE": 5
+"DOMAIN_HIGH_ENTROPY": 0
+"FILE_TYPE": 0
 "FILE_TYPE_HIGH": 75
 "FILE_TYPE_MEDIUM": 50
 "NOTICE_VULN": 90
@@ -13,7 +14,6 @@
 "NOTICE_SCAN": 60
 "PASSWORD_CLEARTEXT": 90
 "PROTOCOL_OUTDATED_OR_INSECURE": 60
-"PROTOCOL_REMOTE_CONTROL": 70
 "SIGNATURES_CAPA": 50
 "SIGNATURES_CLAMAV": 90
 "SIGNATURES_MALASS": 90

moloch/etc/config.ini

@@ -71,6 +71,8 @@ zeek.community_id=db:zeek.community_id;kind:termfield;friendly:Zeek Connection C
 zeek.logType=db:zeek.logType;kind:termfield;friendly:Zeek Log Type;help:Zeek Log Type
 zeek.ts=db:zeek.ts;kind:termfield;friendly:Timestamp;help:Zeek Timestamp
 host.name=db:host.name;kind:termfield;friendly:Zeek Node;help:Zeek Node
+event.severity=db:event.severity;kind:integer;friendly:Severity;help:Severity
+event.severity_tags=db:event.severity_tags;kind:termfield;friendly:Severity Tags;help:Severity Tags
 
 # basic connection information
 zeek.orig_h=db:zeek.orig_h;kind:termfield;friendly:Originating host;help:Originating Host

moloch/wise/source.zeeklogs.js

@@ -27,6 +27,8 @@ function ZeekLogs (api, section) {
   // add right-clicks
   var allFields = [
     "communityId",
+    "event.severity",
+    "event.severity_tags",
     "host.name",
     "ip.protocol",
     "mac.dst",
@@ -950,6 +952,8 @@ function ZeekLogs (api, section) {
     "      +arrayList(session.zeek, 'password', 'Password', 'zeek.password')\n" +
     "      +arrayList(session.zeek, 'freq_score_v1', 'Freq Score v1', 'zeek.freq_score_v1')\n" +
     "      +arrayList(session.zeek, 'freq_score_v2', 'Freq Score v2', 'zeek.freq_score_v2')\n" +
+    "      +arrayList(session.event, 'severity', 'Severity', 'event.severity')\n" +
+    "      +arrayList(session.event, 'severity_tags', 'Severity Tags', 'event.severity_tags')\n" +
 
     // file information
     "  if (session.zeek.fuid || session.zeek.filename || session.zeek.filetype)\n" +