MozDef/alerts/ldap_group.py

#!/usr/bin/env python

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2014 Mozilla Corporation

from lib.alerttask import AlertTask
from mozdef_util.query_models import\
    PhraseMatch,\
    SearchQuery,\
    TermMatch,\
    WildcardMatch


class ldapGroupModify(AlertTask):
    def main(self):
        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('category', 'ldapChange'),
            TermMatch('details.changetype', 'modify'),
            PhraseMatch("summary", "groups")
        ])

        # ignore test accounts and attempts to create accounts that already exist.
        search_query.add_must_not([
            WildcardMatch('details.actor', '*bind*'),
            WildcardMatch('details.changepairs', 'delete:*member*')
        ])

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.email', samplesLimit=50)
        self.walkAggregations(threshold=1, config={})

    # Set alert properties
    def onAggregation(self, agg):
        email = agg['value']
        events = agg['events']

        category = 'ldap'
        tags = ['ldap']
        severity = 'INFO'

        if email is None:
            summary = 'LDAP group change detected'
        else:
            summary = 'LDAP group change initiated by {0}'.format(email)

        # Create the alert object based on these properties
        return self.createAlertDict(summary, category, tags, events, severity)
update to a more universal match 2016-04-03 02:04:32 +03:00			`#!/usr/bin/env python`

			`# This Source Code Form is subject to the terms of the Mozilla Public`
			`# License, v. 2.0. If a copy of the MPL was not distributed with this`
Update MPL license to https 2019-08-02 02:41:37 +03:00			`# file, You can obtain one at https://mozilla.org/MPL/2.0/.`
update to a more universal match 2016-04-03 02:04:32 +03:00			`# Copyright (c) 2014 Mozilla Corporation`

			`from lib.alerttask import AlertTask`
Have the ldap_group alert aggregate on details.email (#1642) * Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events * Set email and username to none when not parsed out of details.actor * Have the ldapGroupModify alert aggregate on the new details.email field * Wildcards around member * Shorten line > 80 characters * Import syntax fix 2020-06-24 18:41:08 +03:00			`from mozdef_util.query_models import\`
			`PhraseMatch,\`
			`SearchQuery,\`
			`TermMatch,\`
			`WildcardMatch`
Update alerts to use search query class Signed-off-by: Brandon Myers <bmyers@mozilla.com> 2016-08-03 23:40:10 +03:00
update to a more universal match 2016-04-03 02:04:32 +03:00
			`class ldapGroupModify(AlertTask):`
			`def main(self):`
Update alerts to use search query class Signed-off-by: Brandon Myers <bmyers@mozilla.com> 2016-08-03 23:40:10 +03:00			`search_query = SearchQuery(minutes=15)`

			`search_query.add_must([`
Update TermFilter to TermMatch Signed-off-by: Brandon Myers <bmyers@mozilla.com> 2016-08-19 22:50:16 +03:00			`TermMatch('category', 'ldapChange'),`
Fix incorrect ES field names Signed-off-by: Brandon Myers <bmyers@mozilla.com> 2017-01-12 01:03:29 +03:00			`TermMatch('details.changetype', 'modify'),`
Update formatting weirdness in alerts Signed-off-by: Brandon Myers <bmyers@mozilla.com> 2016-10-18 21:43:41 +03:00			`PhraseMatch("summary", "groups")`
Update alerts to use search query class Signed-off-by: Brandon Myers <bmyers@mozilla.com> 2016-08-03 23:40:10 +03:00			`])`
update to a more universal match 2016-04-03 02:04:32 +03:00
adding negative match for informational events, and adding unit tests (#1611) 2020-04-23 23:07:36 +03:00			`# ignore test accounts and attempts to create accounts that already exist.`
			`search_query.add_must_not([`
			`WildcardMatch('details.actor', 'bind'),`
Have the ldap_group alert aggregate on details.email (#1642) * Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events * Set email and username to none when not parsed out of details.actor * Have the ldapGroupModify alert aggregate on the new details.email field * Wildcards around member * Shorten line > 80 characters * Import syntax fix 2020-06-24 18:41:08 +03:00			`WildcardMatch('details.changepairs', 'delete:member')`
adding negative match for informational events, and adding unit tests (#1611) 2020-04-23 23:07:36 +03:00			`])`

Update alerts to use search query class Signed-off-by: Brandon Myers <bmyers@mozilla.com> 2016-08-03 23:40:10 +03:00			`self.filtersManual(search_query)`
Have the ldap_group alert aggregate on details.email (#1642) * Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events * Set email and username to none when not parsed out of details.actor * Have the ldapGroupModify alert aggregate on the new details.email field * Wildcards around member * Shorten line > 80 characters * Import syntax fix 2020-06-24 18:41:08 +03:00			`self.searchEventsAggregated('details.email', samplesLimit=50)`
			`self.walkAggregations(threshold=1, config={})`
update to a more universal match 2016-04-03 02:04:32 +03:00
			`# Set alert properties`
Have the ldap_group alert aggregate on details.email (#1642) * Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events * Set email and username to none when not parsed out of details.actor * Have the ldapGroupModify alert aggregate on the new details.email field * Wildcards around member * Shorten line > 80 characters * Import syntax fix 2020-06-24 18:41:08 +03:00			`def onAggregation(self, agg):`
			`email = agg['value']`
			`events = agg['events']`

update to a more universal match 2016-04-03 02:04:32 +03:00			`category = 'ldap'`
			`tags = ['ldap']`
			`severity = 'INFO'`
Have the ldap_group alert aggregate on details.email (#1642) * Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events * Set email and username to none when not parsed out of details.actor * Have the ldapGroupModify alert aggregate on the new details.email field * Wildcards around member * Shorten line > 80 characters * Import syntax fix 2020-06-24 18:41:08 +03:00
			`if email is None:`
			`summary = 'LDAP group change detected'`
			`else:`
			`summary = 'LDAP group change initiated by {0}'.format(email)`
update to a more universal match 2016-04-03 02:04:32 +03:00
			`# Create the alert object based on these properties`
Have the ldap_group alert aggregate on details.email (#1642) * Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events * Set email and username to none when not parsed out of details.actor * Have the ldapGroupModify alert aggregate on the new details.email field * Wildcards around member * Shorten line > 80 characters * Import syntax fix 2020-06-24 18:41:08 +03:00			`return self.createAlertDict(summary, category, tags, events, severity)`