Commit Graph

1535 Commits

Author SHA1 Message Date
A Smith f4e442b679
Revert "Auth0 fixes" 2017-06-15 15:06:24 -05:00
Guillaume Destuynder (kang) c2a4ac5aa9
Fixups: enclose some field operations in try..except
use a non-reserved keyword for summary formatting
2017-06-15 15:06:23 -05:00
Guillaume Destuynder (kang) 54b3946988
Show the auth0 connection in the mozdef event 2017-06-15 15:06:23 -05:00
Guillaume Destuynder (kang) bfccf2b33d
Store auth0 source (auth0 prod or dev for ex) in event.hostname instead
of event.source, since the latter gets dropped anyway, and hostname seems
like the right place regardless
2017-06-15 15:06:23 -05:00
Guillaume Destuynder (kang) 834247038e
Fix comment to point to new auth0 API url 2017-06-15 15:06:23 -05:00
Guillaume Destuynder (kang) f7dd17f90b
Use user's name as.. username, instead of a username object to fix https://bugzilla.mozilla.org/show_bug.cgi?id=1352562 2017-06-15 15:06:23 -05:00
Guillaume Destuynder (kang) 122c7bd1f8
Drop "msg.details.details" as this structure of log does not seem to
exist in auth0 any longer
Use "details.auth0_raw" to store the raw auth0 msg as it no longer
includes huge json docs, so this is actually useful
Replace ad-hoc unicode conversion by a generic conversion function
(byteify), this also should fix python3 compat
2017-06-15 15:06:22 -05:00
Guillaume Destuynder (kang) 03d41929de
Emit debug msg and fallback to the msg code when there is no mapping to
a known msg string
2017-06-15 15:06:22 -05:00
Guillaume Destuynder (kang) 95d1389525
Add support for new fields:
seacft: Success Exchange (Authorization Code for Access Token)
feacft: Failed Exchange (Authorization Code for Access Token)

Add traceback support for debugging missing fields
2017-06-15 15:06:22 -05:00
Brandon Myers b44365871a
Add logger statement in alert plugins
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:22 -05:00
Phrozyn ec64df35cf
Adding new mq services 2017-06-15 15:06:22 -05:00
Phrozyn 028505cd3b
Adding new mqworkers for fluentd2mozdef from aws infosec services. 2017-06-15 15:06:21 -05:00
Michal Purzynski 98acbee884
Make the time window in which the duo_authfail alert looks for events several times longer than the duo cron job period 2017-06-15 15:06:21 -05:00
Brandon Myers 14491ad7d0
Add pentest server to ssh whitelist
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:21 -05:00
Brandon Myers b8399efbc2
Change config name in generic alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:21 -05:00
Brandon Myers fb0ae880a1
Improve generic alert keynames
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:20 -05:00
Brandon Myers 9a919cb114
Add additional logic in summary alert field
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:20 -05:00
Michal Purzynski b153a49111
Default to dict even if no dict is present in a config file 2017-06-15 15:06:20 -05:00
Michal Purzynski d9412421c4
Add more tags to match on to the duo fraud alert 2017-06-15 15:06:20 -05:00
Michal Purzynski 89e43ca1e9
Prevent the pagerduty plugin from failing with incorrect configuration file 2017-06-15 15:06:20 -05:00
Michal Purzynski 4dbff91d9d
Moar fixes 2017-06-15 15:06:19 -05:00
Michal Purzynski cc9dd681c4
Bruteforce ssh fixes 2017-06-15 15:06:19 -05:00
Michal Purzynski f542334505
Bring the duo_authfail to the newest message format, several fixups. 2017-06-15 15:06:19 -05:00
Michal Purzynski 62d72c74c9
Whitelist changes 2017-06-15 15:06:19 -05:00
Phrozyn daf143ed1b
Correct indentation in alertdetails.js 2017-06-15 15:06:19 -05:00
Phrozyn 38f687ee9f
Correct pathing in alertdetails.js 2017-06-15 15:06:18 -05:00
Phrozyn 779619f9de
Resolved issue of dynamic pathing in kibana links. 2017-06-15 15:06:18 -05:00
Phrozyn fc4c8c0331
Update url in index.py for rest interface to kibana dashboards. 2017-06-15 15:06:18 -05:00
Phrozyn 235c98f885
update alertdetails.js and alertssummary.html with correct kibana links. 2017-06-15 15:06:18 -05:00
Brandon Myers 8a704533ab
Add positive test case for cloudtrail deadman
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:17 -05:00
Brandon Myers 87ddd04a78
Add cloudtrail new alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:17 -05:00
Brandon Myers a5fc302094
Remove fake event generation in deadman alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:15 -05:00
Brandon Myers a0bb668465
Fixup deadman alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:15 -05:00
Michal Purzynski c7cd94ce88
Change the level of all alerts to WARNING 2017-06-15 15:06:14 -05:00
Brandon Myers 42d1178a8f
Modify generic alert loader with validation
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:07 -05:00
Guillaume Destuynder (kang) c314c16fcb
Add support for loading alert defaults and fail when required alert
fields are missing
2017-06-15 15:06:07 -05:00
Guillaume Destuynder (kang) 32db0d63a1
Add url to the alert so that it shows up in the alert dashboard
as per a09e83c5cc/meteor/app/client/alertdetails.html (L36)
2017-06-15 15:06:07 -05:00
Michal Purzynski a18f2d6b2e
More cosmetics for the pagerduty alert plugin 2017-06-15 15:06:06 -05:00
Brandon Myers e2aa079c66
Allow aggregation key to be specified in generic loader
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:06 -05:00
Phrozyn 9e243733a6
Adding details.hostname to defaulttemplate so that the hostname is always mapped as a string. 2017-06-15 15:06:06 -05:00
Brandon Myers 01c8d0edb5
Modify generic alert loader to use hjson
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:06 -05:00
Michal Purzynski 718d1f2749
Create an example configuration file for the pagerduty plugin 2017-06-15 15:06:06 -05:00
Michal Purzynski c166472751
Change the duo_auth_fail category to a meaningful one 2017-06-15 15:06:05 -05:00
Brandon Myers a4cefe9f26
Modify update_generic_alerts to use ssh key
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:05 -05:00
Brandon Myers bcbe1a56e5
Fixup update generic alerts cron
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:05 -05:00
Brandon Myers 173ce77f5d
Add ability to customize alert classname
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:05 -05:00
Michal Purzynski 3ea54c9f5f
Cleanups. 2017-06-15 15:06:05 -05:00
Michal Purzynski 0cd6b57449
Make the plugin more configurable and parametrized 2017-06-15 15:06:04 -05:00
Michal Purzynski 8258c5c59d
Bring the pagerduty alert back to what it used to be, once. 2017-06-15 15:06:04 -05:00
Michal Purzynski 2976b9c160
Do not import modules that we do not need 2017-06-15 15:06:04 -05:00