Merge pull request #1529 from mpurzynski/gdnew

Correct message demultiplexing and some mapping errors.
This commit is contained in:
A Smith 2019-12-11 11:17:09 -06:00 коммит произвёл GitHub
Родитель f2474dc341 ef636a1800
Коммит 507ce76032
Идентификатор ключа GPG: 4AEE18F83AFDEB23
3 изменённых файлов: 30 добавлений и 40 удалений


@ -78,6 +78,7 @@ class GDtaskConsumer(taskConsumer):
isolatedmessage["details"]["finding"]["probeevent"] = probe
self.build_submit_message(isolatedmessage)
elif message["details"]["finding"]["action"]["actionType"] == "AWS_API_CALL":
# Fixup the api call data somewhat, depending on what we were given
if "recentApiCalls" in message["details"]["finding"]["additionalInfo"]:
message["details"]["finding"]["additionalInfo"]["apiCalls"] = message["details"]["finding"][
"additionalInfo"
@ -90,8 +91,8 @@ class GDtaskConsumer(taskConsumer):
isolatedmessage = message
isolatedmessage["details"]["finding"]["apicalls"] = call
self.build_submit_message(isolatedmessage)
else:
self.build_submit_message(message)
else:
self.build_submit_message(message)
def esConnect():
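Review bot: `isolatedmessage = message` at the top of the second hunk aliases the incoming dict instead of copying it, so every pass of the loop over calls that precedes it (its header is outside the hunk) rewrites the same `apicalls` slot before calling `build_submit_message`; that is only safe if `build_submit_message` serializes the message synchronously rather than keeping a reference, and the `probeevent` assignment in the first hunk has the same shape. The defensive form is `isolatedmessage = copy.deepcopy(message)` (stdlib `copy`), which makes each submitted message independent of the next iteration. Separately, the test `"recentApiCalls" in message["details"]["finding"]["additionalInfo"]` in the first hunk raises KeyError if a finding arrives without an `additionalInfo` mapping at all; `message["details"]["finding"].get("additionalInfo", {})` keeps the else branch reachable for such findings instead of dropping them with a traceback. The enclosing method starts outside the hunk.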


@ -121,15 +121,6 @@ class message(object):
# Fake it till you make it
attdir = {
"Recon:EC2/PortProbeUnprotectedPort": "INBOUND",
"CryptoCurrency:EC2/BitcoinTool.B!DNS": "INBOUND",
"Trojan:EC2/DGADomainRequest.B": "INBOUND",
"UnauthorizedAccess:IAMUser/TorIPCaller": "INBOUND",
"Persistence:IAMUser/ResourcePermissions": "INBOUND",
"Persistence:IAMUser/NetworkPermissions": "INBOUND",
"Persistence:IAMUser/UserPermissions": "INBOUND",
"Recon:IAMUser/ResourcePermissions": "INBOUND",
"Recon:EC2/PortProbeEMRUnprotectedPort": "INBOUND",
"PrivilegeEscalation:IAMUser/AdministrativePermissions": "INBOUND",
}
if "direction" not in newmessage["details"]:
newmessage["details"]["direction"] = "INBOUND"


@ -1054,7 +1054,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1073,7 +1073,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1092,7 +1092,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1103,15 +1103,13 @@
findingid: details.id
arn: details.arn
awsaccountid: details.accountId
awsregion: details.region
resourcetype: details.resource.resourceType
accesskeyid: details.resource.accessKeyDetails.accessKeyId
principalid: details.resource.accessKeyDetails.principalId
usertype: details.resource.accessKeyDetails.userType
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1130,7 +1128,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1149,7 +1147,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1168,7 +1166,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1187,7 +1185,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1206,7 +1204,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1225,7 +1223,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1244,7 +1242,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1263,7 +1261,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1282,7 +1280,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1301,7 +1299,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1320,7 +1318,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1450,7 +1448,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1469,7 +1467,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1488,7 +1486,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1507,7 +1505,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1526,7 +1524,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1545,7 +1543,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1564,7 +1562,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1583,7 +1581,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1602,7 +1600,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1621,7 +1619,7 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
@ -1640,9 +1638,9 @@
username: details.resource.accessKeyDetails.userName
detectorid: details.finding.detectorId
evidence: details.finding.evidence
apiname: details.finding.apicalls.name
apiname: details.finding.apicalls.api
sourceipaddress: details.finding.action.awsApiCallAction.remoteIpDetails.ipAddressV4
gdeventcreatedts: details.createdAt
gdeventupdatedts: details.updatedAt
gdeventfirstseents: details.finding.eventFirstSeen
gdeventlastseents: details.finding.eventLastSeen
gdeventlastseents: details.finding.eventLastSeen
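Review bot: All 26 hunks in this file make the identical one-line change to `apiname: details.finding.apicalls.api`, which leaves 26 copies of the same field list that must be edited in lock-step the next time a source path changes; if the loader used for this mapping honours YAML merge keys, an anchor on the shared block (`<<: *gd_common` in each finding-type entry) would turn such a fix into a one-line change. The new path depends on each entry the consumer places under `apicalls` carrying an `api` key, and nothing in the mapping records that; a comment beside the field such as `# apicalls: one entry of additionalInfo.recentApiCalls, set per message by GDtaskConsumer` would tie the field to its producer. In the last hunk the two `gdeventlastseents` lines cannot be told apart as old or new on this rendered page; if both survive on the new side, PyYAML keeps only the last occurrence without any warning, so the duplicate should be dropped.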