A Smith
8254fa09e7
Revert "Bump jquery from 3.4.0 to 3.5.0 in /meteor (#1620)" (#1658)
This reverts commit 2788729e2c.
2020-07-08 15:50:39 -05:00
Brandon Myers
c706e902a5
Add check to display SQS stats table if set is populated (#1655)
2020-07-08 15:00:02 -05:00
A Smith
3e5909ab52
backporting package-lock from production (#1651)
2020-07-06 17:49:49 -05:00
Brandon Myers
ab0a82f12a
Add notify mozdefbot for generic_alerts (#1654)
* Rename ircchannel to channel
* Add notify_mozdefbot parameter to alerts for generic alert
2020-07-06 16:57:00 -05:00
Brandon Myers
b9fc856c04
Rename ircchannel to channel (#1652)
2020-07-06 12:57:02 -05:00
dependabot[bot]
2788729e2c
Bump jquery from 3.4.0 to 3.5.0 in /meteor (#1620)
Bumps [jquery](https://github.com/jquery/jquery) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/jquery/jquery/releases)
- [Commits](https://github.com/jquery/jquery/compare/3.4.0...3.5.0)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-06-29 10:25:47 -05:00
Arcadia Rose
5af28d8717
Alert when the Session Invalidation application is used to terminate a user's sessions (#1646)
* First pass through writing an alert to fire when the session invalidation tool is used
* Don't fire session_invalidation alert when no terminations took place
* Add information about the actor who instigated terminations to alert details
* Working on test for AlertSessionInvalidation
* Add a blank line before class definition to satisfy linter
* Fixed session_invalidation alert
2020-06-29 10:25:35 -05:00
A Smith
49973b5256
adds requestparameter for cloudtrail plugin (#1648)
2020-06-29 10:23:51 -05:00
Brandon Myers
2e39026568
Update gitpython to 3.1.3 (#1647)
2020-06-26 10:25:36 -05:00
A Smith
7840b9c24e
disabling date detection to improve on mapping conflicts (#1643)
2020-06-24 12:01:23 -05:00
Arcadia Rose
4933c6b47c
Create vpn_assignment alert plugin (#1645)
* Implemented an alert plugin to enrich any alert with information about VPN IP assignments
* Call enrich with list of cidrs considered part of VPNs
* Use utctimestamp and not ts to sort events
* reference the utctimestamp core field
2020-06-24 10:41:28 -05:00
Arcadia Rose
da5546fede
Have the ldap_group alert aggregate on details.email (#1642)
* Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events
* Set email and username to none when not parsed out of details.actor
* Have the ldapGroupModify alert aggregate on the new details.email field
* Wildcards around member
* Shorten line > 80 characters
* Import syntax fix
2020-06-24 10:41:08 -05:00
A Smith
bfea37de3a
removing deprecated references to fluentd sqs (#1644)
2020-06-24 09:57:15 -05:00
dependabot[bot]
3090d1f239
Bump httplib2 from 0.13.0 to 0.18.0 (#1633)
Bumps [httplib2](https://github.com/httplib2/httplib2) from 0.13.0 to 0.18.0.
- [Release notes](https://github.com/httplib2/httplib2/releases)
- [Changelog](https://github.com/httplib2/httplib2/blob/master/CHANGELOG)
- [Commits](https://github.com/httplib2/httplib2/compare/v0.13.0...v0.18.0)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-06-22 13:19:37 -05:00
Arcadia Rose
6a1ae1e757
Don't fire the ldap_group alert when the LDAP operation involved removing a user from a group (#1640)
2020-06-04 11:57:12 -05:00
Michal Purzynski
0b10f83438
Update the GuardDuty schema to reflect upstream changes (#1641)
2020-06-03 14:15:03 -07:00
Brandon Myers
e96abc8c3d
Fixup cron .sh files to align with one .sh file per python script (#1638)
2020-05-28 13:11:47 -05:00
Arcadia Rose
8d831ef9db
replace the details.response key with details.userresponse to satisfy ES (#1637)
Co-authored-by: Arcadia Rose <arose@mozilla.com>
2020-05-27 17:48:21 -05:00
A Smith
0fe049f158
remove old_topic (#1636)
* remove old_topic
* adding test for change
2020-05-27 17:28:40 -05:00
Brandon Myers
4998158261
Remove correlate mac address cron script (#1639)
2020-05-27 17:06:19 -05:00
A Smith
0031fd9f20
adding logic to handle empty recording_file_end (#1631)
* adding logic to handle empty recording_file_end
* updating changes to account for both recording fields, and adding test
2020-05-27 17:06:08 -05:00
Arcadia Rose
8d6cf3d6bf
Make ip_source_enrichment's registration a list to be consistent with others (#1632)
2020-05-26 15:09:28 -05:00
Brandon Myers
61d3cc2128
Remove leftover aws alert from lab (#1634)
2020-05-26 13:34:07 -05:00
Brandon Myers
c2afd90dd1
Remove sensitiveuser_uid0 as it's not enabled (#1635)
2020-05-26 13:33:45 -05:00
A Smith
325bab4d14
adding a few fields for parsing fixup (#1630)
* adding a few fields for parsing fixup
* adding all conflicting fields we register that are not present
2020-05-19 15:41:52 -05:00
Emma Rose
d1d3cb99b3
Improve the test that checks that update_alert_status is called to actually check that the REST endpoint is hit (#1628)
2020-05-12 15:49:15 -05:00
Emma Rose
7ab26651b5
Fix triagebot mq format (#1627)
2020-05-12 11:15:30 -05:00
Brandon Myers
ae17a0a886
Fixup initial setup docs (#1629)
2020-05-11 17:15:34 -05:00
Brandon Myers
3fbd959ffd
Remove unused alerts (#1625)
2020-05-08 13:37:21 -05:00
Gene Wood
9da9219520
Disable use of codeowners in GitHub (#1626)
As /cloudy_mozdef/ isn't being worked on anymore, there's little need to enable
Gene-specific ability to review code in that directory structure. The way GitHub
implements CODEOWNERS, the result is that Gene gets asked for review on any PR
which contains a change to CHANGELOG.md or /docs/, which is most PRs; however, his
review is not sufficient for merge as the PR would contain other changes as well.
By removing CODEOWNERS the repo goes back to expecting review from those authorized
and not differentiating areas in the codebase.
2020-05-08 13:35:42 -05:00
Emma Rose
e0008fbba1
When possible usernames are found, add them to the PromiscKernel alert summary (#1624)
2020-05-08 11:15:12 -05:00
Brandon Myers
68fbf17bf6
Add vpc requestparameters to cloudtrail mapping plugin (#1623)
2020-05-06 14:05:06 -05:00
A Smith
5735323e1b
removes sso-dashboard-feedback (#1615)
2020-05-06 14:00:34 -05:00
Brandon Myers
348e761759
Update cloudtrail mapping for details.responseelements.state (#1622)
2020-04-30 14:40:58 -05:00
Brandon Myers
d0c6870d02
Mozdef utilv3 0 6 (#1619)
* Update mozdef-util to version 3.0.6
* Update requirements to use new mozdef-util
2020-04-29 16:58:06 -05:00
Brandon Myers
0bc6ebd98e
Revert "Revert "Fix geomodel sourceipaddress (#1604)" (#1616)" (#1617)
This reverts commit f246cc3526.
2020-04-29 13:35:05 -05:00
Emma Rose
7ef21bc41c
Fix geomodel alert and update mozdef-util (#1614)
2020-04-29 13:24:49 -05:00
Brandon Myers
f246cc3526
Revert "Fix geomodel sourceipaddress (#1604)" (#1616)
This reverts commit 06b9dd1a73.
2020-04-28 18:24:20 -05:00
Brandon Myers
3cd9ff6bea
Update cloudtrail mapping conflicts (#1610)
2020-04-23 15:08:23 -05:00
A Smith
332b35ac55
duo event parsing fixes (#1609)
* add duo api host, replace UTC logic with toUTC, account for differences between api version 1 and 2
* remove send_to_file from debug option
2020-04-23 15:08:11 -05:00
A Smith
04bd718aab
remove empty start time keys, or assume value (#1605)
* remove empty start time keys, or assume value
* adding new test case for multiple empty start fields
* updating summary of test
* updating zoom_fixup.py to correct parsing errors.
2020-04-23 15:07:50 -05:00
A Smith
3b5b6a265b
adding negative match for informational events, and adding unit tests (#1611)
2020-04-23 15:07:36 -05:00
Brandon Myers
a1c460b09d
Remove sample alerts from demo (#1612)
2020-04-23 13:32:12 -05:00
Brandon Myers
bc2abfd2fb
Remove auditd_commands alert (#1613)
2020-04-23 13:31:58 -05:00
Brandon Myers
b19005b996
Tweak triage bot logger levels to debug (#1603)
2020-04-20 16:20:47 -05:00
Michal Purzynski
6b0e09a0c8
Extend the geoip fetcher to also download the ASN database. Changes the configuration file syntax slightly. (#1562)
2020-04-20 15:36:31 -05:00
Emma Rose
76a235cd89
Fix triagebot matching (#1608)
* Match alerts based on their classname and allow supported alerts to be disabled in config
2020-04-20 15:36:05 -05:00
Emma Rose
06b9dd1a73
Fix geomodel sourceipaddress (#1604)
* Sort events by utctimestamp and set sourceipaddress and sourceipv4address according to the hop destination ip
2020-04-20 12:33:39 -05:00
Emma Rose
f75d3d548a
Alert plugin possible usernames (#1598)
2020-04-20 12:32:21 -05:00
Gene Wood
6ede727ee2
Clarify what the auth0 url should be in a comment (#1606)
2020-04-17 12:50:43 -05:00