From 6612d9343acfb407a93074917677eacc981280d6 Mon Sep 17 00:00:00 2001
From: SG <13872653+mmguero@users.noreply.github.com>
Date: Mon, 16 Aug 2021 15:40:42 -0600
Subject: [PATCH] work on idaholab/Malcolm#19, assigning severity to certain types of events
---
 .../malcolm_event_categories_severity.yaml | 24 +++
 .../pipelines/enrichment/19_severity.conf | 190 ++++++++++++++++++
 2 files changed, 214 insertions(+)
 create mode 100644 logstash/maps/malcolm_event_categories_severity.yaml
 create mode 100644 logstash/pipelines/enrichment/19_severity.conf
diff --git a/logstash/maps/malcolm_event_categories_severity.yaml b/logstash/maps/malcolm_event_categories_severity.yaml
new file mode 100644
index 000000000..a40f8fb58
--- /dev/null
+++ b/logstash/maps/malcolm_event_categories_severity.yaml
@@ -0,0 +1,24 @@
+"CONNECTION_CROSS_SEGMENT": 25
+"CONNECTION_EXTERNAL": 10
+"CONNECTION_INBOUND": 50
+"CONNECTION_INTERNAL": 1
+"CONNECTION_OUTBOUND": 25
+"DGA_HIGH_ENTROPY": 40
+"FILE_TYPE": 25
+"FILE_TYPE_HIGH": 75
+"FILE_TYPE_MEDIUM": 50
+"NOTICE_VULN": 80
+"NOTICE_MITRE_ATTACK": 80
+"NOTICE_OTHER": 80
+"NOTICE_PROTOCOL": 80
+"NOTICE_SCAN": 80
+"PASSWORD_CLEARTEXT": 90
+"PROTOCOL_OUTDATED_OR_INSECURE": 50
+"PROTOCOL_REMOTE_CONTROL": 75
+"SIGNATURES_CAPA": 50
+"SIGNATURES_CLAMAV": 90
+"SIGNATURES_MALASS": 90
+"SIGNATURES_OTHER": 75
+"SIGNATURES_VIRUSTOTAL": 90
+"SIGNATURES_YARA": 90
+"WEIRD_OTHER": 50
\ No newline at end of file
diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf
new file mode 100644
index 000000000..e5647f107
--- /dev/null
+++ b/logstash/pipelines/enrichment/19_severity.conf
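Review bot: The map does not say what the numbers mean or where the keys come from, and PROTOCOL_REMOTE_CONTROL, DGA_HIGH_ENTROPY and PROTOCOL_OUTDATED_OR_INSECURE have no producer in this commit (the last two appear only as trailing comments in 19_severity.conf). A header such as `# Severity weight per event category; keys must match the values written to [zeek][severity_items] by logstash/pipelines/enrichment/19_severity.conf` would make the coupling explicit, and the intended range of the weights (the values here run from 1 to 90) should be stated alongside it. The file also ends without a trailing newline.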
@@ -0,0 +1,190 @@
+filter {
+
+ if ("cross_segment" in [tags]) {
+ mutate { id => "mutate_add_field_severity_item_cross_segment"
+ add_field => { "[zeek][severity_items]" => "CONNECTION_CROSS_SEGMENT" } }
+ }
+
+ if ("internal_source" in [tags]) and ("internal_destination" in [tags]) {
+ mutate { id => "mutate_add_field_severity_item_internal"
+ add_field => { "[zeek][severity_items]" => "CONNECTION_INTERNAL" } }
+ } else if ("external_source" in [tags]) and ("external_destination" in [tags]) {
+ mutate { id => "mutate_add_field_severity_item_external"
+ add_field => { "[zeek][severity_items]" => "CONNECTION_EXTERNAL" } }
+ } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) {
+ mutate { id => "mutate_add_field_severity_item_outbound"
+ add_field => { "[zeek][severity_items]" => "CONNECTION_OUTBOUND" } }
+ } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) {
+ mutate { id => "mutate_add_field_severity_item_inbound"
+ add_field => { "[zeek][severity_items]" => "CONNECTION_INBOUND" } }
+ }
+
+ if ([zeek][filetype]) {
+ # these (high/medium) file types pulled from extractor_override.interesting.zeek
+ if (("application/PowerShell" in [zeek][filetype]) or
+ ("application/vnd.microsoft.portable-executable" in [zeek][filetype]) or
+ ("application/x-csh" in [zeek][filetype]) or
+ ("application/x-dosexec" in [zeek][filetype]) or
+ ("application/x-elf" in [zeek][filetype]) or
+ ("application/x-executable" in [zeek][filetype]) or
+ ("application/x-ms-application" in [zeek][filetype]) or
+ ("application/x-msdos-program" in [zeek][filetype]) or
+ ("application/x-pe-app-32bit-i386" in [zeek][filetype]) or
+ ("application/x-perl" in [zeek][filetype]) or
+ ("application/x-python" in [zeek][filetype]) or
+ ("application/x-sh" in [zeek][filetype]) or
+ ("text/vbscript" in [zeek][filetype])) {
+ mutate { id => "mutate_add_field_severity_file_type_high"
+ add_field => { "[zeek][severity_items]" => "FILE_TYPE_HIGH" } }
+ } else if (("application/binary" in [zeek][filetype]) or
+ ("application/ecmascript" in [zeek][filetype]) or
+ ("application/hta" in [zeek][filetype]) or
+ ("application/java-archive" in [zeek][filetype]) or
+ ("application/java-serialized-object" in [zeek][filetype]) or
+ ("application/java-vm" in [zeek][filetype]) or
+ ("application/javascript" in [zeek][filetype]) or
+ ("application/ms-vsi" in [zeek][filetype]) or
+ ("application/msaccess" in [zeek][filetype]) or
+ ("application/msaccess.addin" in [zeek][filetype]) or
+ ("application/msaccess.cab" in [zeek][filetype]) or
+ ("application/msaccess.ftemplate" in [zeek][filetype]) or
+ ("application/msaccess.runtime" in [zeek][filetype]) or
+ ("application/msaccess.webapplication" in [zeek][filetype]) or
+ ("application/msexcel" in [zeek][filetype]) or
+ ("application/mspowerpoint" in [zeek][filetype]) or
+ ("application/msword" in [zeek][filetype]) or
+ ("application/octet-stream" in [zeek][filetype]) or
+ ("application/pdf" in [zeek][filetype]) or
+ ("application/rtf" in [zeek][filetype]) or
+ ("application/vnd.apple.installer+xml" in [zeek][filetype]) or
+ ("application/vnd.ms-cab-compressed" in [zeek][filetype]) or
+ ("application/vnd.ms-excel" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.addin.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.addin.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.sheet.binary.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.sheet.binary.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.sheet.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.sheet.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.template.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-excel.template.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-office.calx" in [zeek][filetype]) or
+ ("application/vnd.ms-officetheme" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.addin.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.addin.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.presentation.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.presentation.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.slide.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.slide.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.slideshow.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.slideshow.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.template.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-powerpoint.template.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-word.document.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-word.document.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-word.template.macroEnabled.12" in [zeek][filetype]) or
+ ("application/vnd.ms-word.template.macroenabled.12" in [zeek][filetype]) or
+ ("application/vnd.openofficeorg.extension" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.presentationml.presentation" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.presentationml.slide" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.presentationml.slideshow" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.presentationml.template" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.spreadsheetml.template" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.wordprocessingml.document" in [zeek][filetype]) or
+ ("application/vnd.openxmlformats-officedocument.wordprocessingml.template" in [zeek][filetype]) or
+ ("application/windows-library+xml" in [zeek][filetype]) or
+ ("application/x-7z-compressed" in [zeek][filetype]) or
+ ("application/x-ace-compressed" in [zeek][filetype]) or
+ ("application/x-apple-diskimage" in [zeek][filetype]) or
+ ("application/x-bzip" in [zeek][filetype]) or
+ ("application/x-bzip2" in [zeek][filetype]) or
+ ("application/x-cfs-compressed" in [zeek][filetype]) or
+ ("application/x-compress" in [zeek][filetype]) or
+ ("application/x-compressed" in [zeek][filetype]) or
+ ("application/x-cpio" in [zeek][filetype]) or
+ ("application/x-dgc-compressed" in [zeek][filetype]) or
+ ("application/x-gca-compressed" in [zeek][filetype]) or
+ ("application/x-gtar" in [zeek][filetype]) or
+ ("application/x-gzip" in [zeek][filetype]) or
+ ("application/x-install-instructions" in [zeek][filetype]) or
+ ("application/x-lzh-compressed" in [zeek][filetype]) or
+ ("application/x-ms-installer" in [zeek][filetype]) or
+ ("application/x-ms-shortcut" in [zeek][filetype]) or
+ ("application/x-msdownload" in [zeek][filetype]) or
+ ("application/x-rar-compressed" in [zeek][filetype]) or
+ ("application/x-shockwave-flash" in [zeek][filetype]) or
+ ("application/x-zip-compressed" in [zeek][filetype]) or
+ ("application/zip" in [zeek][filetype]) or
+ ("text/jscript" in [zeek][filetype]) or
+ ("text/rtf" in [zeek][filetype])) {
+ mutate { id => "mutate_add_field_severity_file_type_medium"
+ add_field => { "[zeek][severity_items]" => "FILE_TYPE_MEDIUM" } }
+ } else {
+ mutate { id => "mutate_add_field_severity_file_type"
+ add_field => { "[zeek][severity_items]" => "FILE_TYPE" } }
+ }
+ }
+
+ if ([zeek_notice]) {
+ if ([zeek_notice][category] == "ATTACK") {
+ mutate { id => "mutate_add_field_severity_notice_mitre_attack"
+ add_field => { "[zeek][severity_items]" => "NOTICE_MITRE_ATTACK" } }
+ } else if ([zeek_notice][category] == "Scan") {
+ mutate { id => "mutate_add_field_severity_notice_scan"
+ add_field => { "[zeek][severity_items]" => "NOTICE_SCAN" } }
+ } else if (([zeek_notice][category] == "FTP") or
+ ([zeek_notice][category] == "HTTP") or
+ ([zeek_notice][category] == "HTTPATTACKS") or
+ ([zeek_notice][category] == "SSL")) {
+ mutate { id => "mutate_add_field_severity_notice_protocol"
+ add_field => { "[zeek][severity_items]" => "NOTICE_PROTOCOL" } }
+ } else if (([zeek_notice][category] =~ /^CVE/) or
+ ([zeek_notice][category] == "EternalSafety") or
+ ([zeek_notice][category] == "Ripple20") or
+ ([zeek_notice][category] == "Zerologon")) {
+ mutate { id => "mutate_add_field_severity_notice_vuln"
+ add_field => { "[zeek][severity_items]" => "NOTICE_VULN" } }
+ } else {
+ mutate { id => "mutate_add_field_severity_notice_other"
+ add_field => { "[zeek][severity_items]" => "NOTICE_OTHER" } }
+ }
+ }
+
+ if ([zeek_weird]) {
+ mutate { id => "mutate_add_field_severity_weird_other"
+ add_field => { "[zeek][severity_items]" => "WEIRD_OTHER" } }
+ }
+
+ if ([zeek][password]) {
+ mutate { id => "mutate_add_field_severity_password_exists"
+ add_field => { "[zeek][severity_items]" => "PASSWORD_CLEARTEXT" } }
+ }
+
+ if ([zeek_signatures]) {
+ if ([zeek_signatures][engine] == 'capa') {
+ mutate { id => "mutate_add_field_severity_signatures_capa"
+ add_field => { "[zeek][severity_items]" => "SIGNATURES_CAPA" } }
+ } else if ([zeek_signatures][engine] == 'clamav') {
+ mutate { id => "mutate_add_field_severity_signatures_clamav"
+ add_field => { "[zeek][severity_items]" => "SIGNATURES_CLAMAV" } }
+ } else if ([zeek_signatures][engine] == 'malass') {
+ mutate { id => "mutate_add_field_severity_signatures_malass"
+ add_field => { "[zeek][severity_items]" => "SIGNATURES_MALASS" } }
+ } else if ([zeek_signatures][engine] == 'virustotal') {
+ mutate { id => "mutate_add_field_severity_signatures_virustotal"
+ add_field => { "[zeek][severity_items]" => "SIGNATURES_VIRUSTOTAL" } }
+ } else if ([zeek_signatures][engine] == 'yara') {
+ mutate { id => "mutate_add_field_severity_signatures_yara"
+ add_field => { "[zeek][severity_items]" => "SIGNATURES_YARA" } }
+ } else {
+ mutate { id => "mutate_add_field_severity_signatures_other"
+ add_field => { "[zeek][severity_items]" => "SIGNATURES_OTHER" } }
+ }
+ }
+
+ # "DGA_HIGH_ENTROPY": 40
+ # "PROTOCOL_OUTDATED_OR_INSECURE": 50
+
+} # filter
+
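Review bot: In the `[zeek][filetype]` block, `"application/x-sh" in [zeek][filetype]` in the FILE_TYPE_HIGH branch is a substring test whenever the field holds a single string, so `application/x-shockwave-flash` (listed under FILE_TYPE_MEDIUM further down) satisfies the high branch first and is never reached by the medium one; any future type that merely starts with `application/x-sh` would be promoted the same way. If the field is a scalar MIME type, comparing the whole value expresses what the comment referencing extractor_override.interesting.zeek intends, e.g. a single membership test `if [zeek][filetype] in ["application/PowerShell", "application/vnd.microsoft.portable-executable", ...]` per tier, which would also replace the 95 one-clause-per-line comparisons with two lists. If `[zeek][filetype]` can instead be an array of types, `in` is exact membership and the concern does not apply, so this is worth confirming against how the files.log filetype is mapped upstream. The other substring overlaps in the lists (`application/x-compress`/`x-compressed`, `application/x-bzip`/`x-bzip2`, the `vnd.ms-excel` family) fall in the same tier and are harmless.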