Commit graph

913 Commits

Author SHA1 Message Date
Brandon Myers 1a0b5afb25
Update ssh releng alert to take new event format into consideration (#1719) 2021-06-10 12:08:27 -05:00
Jonathan Claudius 32bcb2b9ea
Remove session invalidation alert (#1714) 2021-04-16 12:54:42 -05:00
densfox bca65c274d
Add username via auth0 plugin (#1708) 2021-03-16 10:35:26 -05:00
Jonathan Claudius 41e38deacd
Remove Boilerplate comments (#1693) 2020-12-03 14:27:46 -06:00
Jonathan Claudius a5ed47efbe
Add more specific context to vertical auth0 alert (#1685) 2020-09-16 12:06:54 -05:00
Jonathan Claudius fb71be20ea
Add Auth- vertical password guessing alert (#1683) 2020-09-11 14:26:07 -05:00
Jonathan Claudius 140ff2b4d3
Add v0.1 of Auth0 username/password bruteforce alert (#1681) 2020-09-11 14:24:06 -05:00
Brandon Myers ddd211415f
Set geomodel alert severity to be configurable (#1675) 2020-09-09 11:34:21 -05:00
A Smith ce13d3c32a
deprecating fxa logic (#1669) 2020-08-03 10:57:32 -05:00
A Smith bd6e2b3a6b
changing specific tag to encompass all triagebot escalations (#1668)
* changing specific tag to encompass all triagebot escalations

* updating test to reflect changes
2020-07-30 12:24:54 -07:00
A Smith dbe90e355d
adding new triagebot escalation alert (#1666)
* adding new triagebot escalation alert

* changing critical to info for pre-release
2020-07-29 14:39:06 -05:00
Brandon Myers ab0a82f12a
Add notify mozdefbot for generic_alerts (#1654)
* Rename ircchannel to channel

* Add notify_mozdefbot parameter to alerts for generic alert
2020-07-06 16:57:00 -05:00
Brandon Myers b9fc856c04
Rename ircchannel to channel (#1652) 2020-07-06 12:57:02 -05:00
Arcadia Rose 5af28d8717
Alert when the Session Invalidation application is used to terminate a user's sessions (#1646)
* First pass through writing an alert to fire when the session invalidation tool is used

* Don't fire session_invalidation alert when no terminations took place

* Add information about the actor who instigated terminations to alert details

* Working on test for AlertSessionInvalidation

* Add a blank line before class definition to satisfy linter

* Fixed session_invalidation alert
2020-06-29 10:25:35 -05:00
Arcadia Rose 4933c6b47c
Create vpn_assignment alert plugin (#1645)
* Implemented an alert plugin to enrich any alert with information about VPN IP assignments

* Call enrich with list of cidrs considered part of VPNs

* Use utctimestamp and not ts to sort events

* reference the utctimestamp core field
2020-06-24 10:41:28 -05:00
Arcadia Rose da5546fede
Have the ldap_group alert aggregate on details.email (#1642)
* Have the ldap_fixup mq plugin parse the email and username out of an actor string and add them to ldap events

* Set email and username to none when not parsed out of details.actor

* Have the ldapGroupModify alert aggregate on the new details.email field

* Wildcards around member

* Shorten line > 80 characters

* Import syntax fix
2020-06-24 10:41:08 -05:00
Arcadia Rose 6a1ae1e757
Don't fire the ldap_group alert when the LDAP operation involved removing a user from a group (#1640) 2020-06-04 11:57:12 -05:00
Arcadia Rose 8d6cf3d6bf
Make ip_source_enrichment's registration a list to be consistent with others (#1632) 2020-05-26 15:09:28 -05:00
Brandon Myers 61d3cc2128
Remove leftover aws alert from lab (#1634) 2020-05-26 13:34:07 -05:00
Brandon Myers c2afd90dd1
Remove sensitiveuser_uid0 as it's not enabled (#1635) 2020-05-26 13:33:45 -05:00
Brandon Myers 3fbd959ffd
Remove unused alerts (#1625) 2020-05-08 13:37:21 -05:00
Emma Rose e0008fbba1
When possible usernames are found, add them to the PromiscKernel alert summary (#1624) 2020-05-08 11:15:12 -05:00
A Smith 5735323e1b
removes sso-dashboard-feedback (#1615) 2020-05-06 14:00:34 -05:00
Brandon Myers 0bc6ebd98e
Revert "Revert "Fix geomodel sourceipaddress (#1604)" (#1616)" (#1617)
This reverts commit f246cc3526.
2020-04-29 13:35:05 -05:00
Emma Rose 7ef21bc41c
Fix geomodel alert and update mozdef-util (#1614) 2020-04-29 13:24:49 -05:00
Brandon Myers f246cc3526
Revert "Fix geomodel sourceipaddress (#1604)" (#1616)
This reverts commit 06b9dd1a73.
2020-04-28 18:24:20 -05:00
A Smith 3b5b6a265b
adding negative match for informational events, and adding unit tests (#1611) 2020-04-23 15:07:36 -05:00
Brandon Myers a1c460b09d
Remove sample alerts from demo (#1612) 2020-04-23 13:32:12 -05:00
Brandon Myers bc2abfd2fb
Remove auditd_commands alert (#1613) 2020-04-23 13:31:58 -05:00
Brandon Myers b19005b996
Tweak triage bot logger levels to debug (#1603) 2020-04-20 16:20:47 -05:00
Emma Rose 76a235cd89
Fix triagebot matching (#1608)
* Match alerts based on their classname and allow supported alerts to be disabled in config
2020-04-20 15:36:05 -05:00
Emma Rose 06b9dd1a73
Fix geomodel sourceipaddress (#1604)
* Sort events by utctimestamp and set sourceipaddress and sourceipv4address according to the hop destination ip
2020-04-20 12:33:39 -05:00
Emma Rose f75d3d548a
Alert plugin possible usernames (#1598) 2020-04-20 12:32:21 -05:00
Emma Rose 8f57b4744b
Fix geomodel noisiness (#1553) 2020-04-15 13:09:56 -05:00
Emma Rose 0d5455d405
Enrich GeoModel alerts with information about Tor nodes and VPNs (#1595) 2020-04-15 12:58:27 -05:00
Emma Rose d4c3514e18
Fix the port_scan_enrichment alert plugin (#1547) 2020-04-15 12:55:58 -05:00
Emma Rose d005603cba
Adjust debug logs to a reasonable level (#1602) 2020-04-14 18:01:22 -05:00
Emma Rose d0787d6b24
Switch to toUTC instead of manually formatted timestamps (#1601) 2020-04-14 17:15:07 -05:00
Emma Rose 6e849f2fdb
Feature triage bot v02 (#1576) 2020-04-14 15:37:17 -05:00
Brandon Myers 2add7c524a
Merge pull request #1591 from mozilla/remove_cloudtrail_deadman
Remove cloudtrail deadman in favor of generic deadman alert
2020-04-13 15:03:15 -05:00
A Smith b6338a5ddd
Merge pull request #1600 from mozilla/update_summary_proxyexfil
Update summary of proxy exfil domain alert
2020-04-09 12:57:10 -05:00
A Smith 6cc0a1e3d2
Merge pull request #1589 from mozilla/add_custom_tags_genericdeadman
Add custom tags to deadman generic alert
2020-04-09 12:48:03 -05:00
Emma Rose 192764dbe2
Merge branch 'master' into alert-plugin-enrich-portscan 2020-04-09 11:57:26 -04:00
Brandon Myers 06a2b4e314
Update summary of proxy exfil domain alert 2020-04-08 13:32:07 -05:00
Brandon Myers a2b4ed81e1
Merge pull request #1587 from mozilla/fix-geomodel-magic-strings
Replace magic strings with constructor methods
2020-04-07 15:47:09 -05:00
Emma Rose 52366b3c9f
Merge branch 'master' into alert-plugin-enrich-portscan 2020-04-07 14:39:44 -04:00
Emma Rose efdc57a16f
Convert the origin and destination of each hop in a geomodel alert to JSON so that plugins can expect dicts and not NamedTuples 2020-04-03 12:12:21 -04:00
Brandon Myers aab3debc07
Remove cloudtrail deadman in favor of generic deadman alert 2020-04-01 13:46:23 -05:00
Brandon Myers 644fc3f1de
Add custom tags to deadman generic alert 2020-04-01 13:01:44 -05:00
Emma Rose 6a7999ae25
Replace magic string used in query with index_name() 2020-03-31 18:01:34 -04:00