From b827f0976f8f7ad20f8ab407557cde2ce768f113 Mon Sep 17 00:00:00 2001
From: Kyle Derevyanik <107499494+sfc-gh-kderevyanik@users.noreply.github.com>
Date: Wed, 6 Dec 2023 10:50:42 -0600
Subject: [PATCH 1/6] K8s Schema Typos Fix (#992)

---
 ...ly_permissive_linux_capabilities_query.yml | 2 +-
 ...te_or_modify_host_path_vol_mount_query.yml | 2 +-
 ..._service_type_node_port_deployed_query.yml | 22 +++++++++----------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml
index 8e6d296bc..4a5a62cf6 100644
--- a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml
+++ b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml
@@ -15,7 +15,7 @@ Query: |-
 WHERE verb IN ('create', 'update')
 AND objectRef:resource = 'pods'
- AND ARRAY_INTERSECTION(REQUEST_OBJECT:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
+ AND ARRAY_INTERSECTION(requestObject:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
 AND requestObject:spec:containers[0]:securityContext is not null
 AND p_occurs_since('30 minutes')
 --insert allow-list for pods that are expected to have privileged linux capabilities, for example a observability agent
diff --git a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml
index ed9c73a4a..169159041 100644
--- a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml
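Review bot: The capability check still reads only `requestObject:spec:containers[0]`, so a pod whose second or later container (or an initContainer / ephemeralContainer) adds `SYS_ADMIN` never matches, and the `securityContext is not null` guard two lines below has the same first-element restriction. Flattening the container array and testing each element would close the gap, e.g. `LATERAL FLATTEN(input => requestObject:spec:containers) c` in the FROM clause (which sits outside this hunk) with `ARRAY_INTERSECTION(c.value:securityContext:capabilities:add, ARRAY_CONSTRUCT('ALL','BPF','NET_ADMIN','SYS_ADMIN')) != []`. Adding `'ALL'` to the literal list matters because `capabilities.add: ["ALL"]` is a valid spec that grants every capability yet matches none of the three current strings; container runtimes also accept the `CAP_`-prefixed spelling, so the list likely wants both forms.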
+++ b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml
@@ -14,7 +14,7 @@ Query: >
 WHERE verb IN ('create', 'update', 'patch')
 AND objectRef:resource = 'pods'
- AND request_object:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')
+ AND requestObject:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')
 AND p_occurs_since('30 minutes')
 --insert allow-list for expected workloads that require a sensitive mount
 LIMIT 10
diff --git a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml
index 405eda796..ecff02932 100644
--- a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml
+++ b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml
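Review bot: `requestObject:spec:volumes[0]:hostPath:path` inspects only the first volume, so a sensitive hostPath declared as the second or later entry is never seen; flattening `requestObject:spec:volumes` and testing each `value:hostPath:path` would cover the whole array (the FROM line is outside this hunk). The `ilike ANY` list also requires an exact match, so a mount of a parent path such as `/` or `/var/lib`, or of a child such as `/var/lib/kubelet/pods`, falls through; prefix patterns like `'/var/lib/kubelet%'`, or a check that a listed path starts with the mounted one, would be broader. Separately, this file declares the query as a folded scalar (`Query: >`): unless the query lines are indented deeper than the scalar's first line, YAML joins `--insert allow-list …` and `LIMIT 10` onto one line and the SQL comment swallows the LIMIT — worth confirming in the rendered query, or switching to `|-` as the capabilities query does.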
@@ -7,21 +7,21 @@ Description: > This detection monitors for any kubernetes service deployed with type node port. A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.
 Query: >
 SELECT *,
- OBJECT_REF:name as service,
- OBJECT_REF:namespace as namespace,
- OBJECT_REF:resource as resource_type,
+ objectRef:name as service,
+ objectRef:namespace as namespace,
+ objectRef:resource as resource_type,
 COALESCE(impersonated_user, USER:username) as src_user,
- USER_AGENT,
- RESPONSE_OBJECT:spec:externalTrafficPolicy as external_traffic_policy,
- RESPONSE_OBJECT:spec:internalTrafficPolicy as internal_traffic_policy,
- RESPONSE_OBJECT:spec:clusterIP as cluster_ip_address,
+ userAgent,
+ responseObject:spec:externalTrafficPolicy as external_traffic_policy,
+ responseObject:spec:internalTrafficPolicy as internal_traffic_policy,
+ responseObject:spec:clusterIP as cluster_ip_address,
 VALUE:port as port, --port where traffic gets forwarded to in the pod
 VALUE:protocol as protocol, --protocol the service uses
 VALUE:nodePort as node_port, --which port acts as the nodeport on all the nodes
- REQUEST_OBJECT:spec:type as type,
- IFF(REQUEST_OBJECT:spec:status:loadBalancer is null, 'No LB Present',
- REQUEST_OBJECT:spec:status:loadBalancer) as load_balancer,
- RESPONSE_STATUS:code as response_status
+ requestObject:spec:type as type,
+ IFF(requestObject:spec:status:loadBalancer is null, 'No LB Present',
+ requestObject:spec:status:loadBalancer) as load_balancer,
+ responseStatus:code as response_status
 FROM panther_logs.public.kubernetes_control_plane, lateral flatten(response_object:spec:ports)
 WHERE objectRef:resource = 'services'
From a13a3cbd297cb04740699679a3713d80e7bcce25 Mon Sep 17 00:00:00 2001
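Review bot: The rename is incomplete: the lateral flatten in the FROM line still reads `response_object:spec:ports` while every other reference in this hunk was changed to `responseObject`, and because Snowflake folds unquoted identifiers to upper case those two spellings resolve to different columns; change it to `lateral flatten(responseObject:spec:ports)`. `requestObject:spec:status:loadBalancer` also looks wrong: on a Kubernetes Service the load-balancer state lives under `status`, not `spec`, so that path is presumably always null and `load_balancer` always reads 'No LB Present' — `responseObject:status:loadBalancer` is the likelier field. The WHERE clause continues past the end of the hunk.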
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 6 Dec 2023 23:02:31 +0200 Subject: [PATCH 2/6] Update lookup tables with new log sources (#988) * Use the same set of log sources in all lookup tables * Add new log sources to lookup tables * Fix Tailscale.Network selectors to be able to reach attribute of the object in array --------- Co-authored-by: Evan Gibler --- .../greynoise/advanced/noise_advanced.yml | 282 +++++++++++- .../greynoise/advanced/riot_advanced.yml | 282 +++++++++++- lookup_tables/greynoise/basic/noise_basic.yml | 282 +++++++++++- lookup_tables/greynoise/basic/riot_basic.yml | 282 +++++++++++- lookup_tables/ipinfo/ipinfo_asn.yml | 432 +++++++++++------ lookup_tables/ipinfo/ipinfo_asn_datalake.yml | 432 +++++++++++------ lookup_tables/ipinfo/ipinfo_location.yml | 432 +++++++++++------ .../ipinfo/ipinfo_location_datalake.yml | 432 +++++++++++------ lookup_tables/ipinfo/ipinfo_privacy.yml | 434 ++++++++++++------ .../ipinfo/ipinfo_privacy_datalake.yml | 432 +++++++++++------ lookup_tables/tor/tor_exit_nodes.yml | 433 +++++++++++------ 11 files changed, 3121 insertions(+), 1034 deletions(-) diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml index 8d0522435..a09f5d3c3 100644 --- a/lookup_tables/greynoise/advanced/noise_advanced.yml +++ b/lookup_tables/greynoise/advanced/noise_advanced.yml @@ -14,6 +14,14 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" 
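Review bot: The new `Amazon.EKS.Audit` selector `$.spec.clusterIP` looks like a dead path: a Kubernetes audit event has no top-level `spec` — the object's spec only appears under `requestObject`/`responseObject`, which the third selector already reads — so a selector there silently matches nothing; if the response side was intended, `$.responseObject.spec.clusterIP` would be the path. `$.sourceIPs` is a list in that schema, so confirm the selector syntax handles arrays (the Tailscale entries in this patch use a `[]` suffix for that). The same block is added to riot_advanced.yml, noise_basic.yml and riot_basic.yml below.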
@@ -23,6 +31,13 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - "clientIp" @@ -38,6 +53,14 @@ LogTypeMap: - LogType: AWS.S3ServerAccess Selectors: - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses @@ -49,6 +72,39 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - "$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" + - LogType: Box.Event + Selectors: + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" 
@@ -57,11 +113,18 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" - "externalIp" - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - "ClientIP" @@ -74,6 +137,9 @@ LogTypeMap: Selectors: - "ClientIP" - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - "UserIp" @@ -84,6 +150,9 @@ LogTypeMap: - LogType: Crowdstrike.DNSRequest Selectors: - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: Crowdstrike.AIDMaster Selectors: - "aip" 
@@ -102,27 +171,57 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - "remote_ip" @@ -136,6 +235,13 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields 
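Review bot: `$.jsonPayload.removeIp` in the new `GCP.HTTPLoadBalancer` entry looks like a typo for `remoteIp` — the neighbouring selectors spell it `$.httpRequest.remoteIp` — and a selector on a key that does not exist fails silently, so the enrichment is simply lost; suggest `- "$.jsonPayload.remoteIp"`. The same line is repeated in the corresponding hunks of riot_advanced.yml and noise_basic.yml below, and presumably riot_basic.yml.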
@@ -150,10 +256,39 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - "ActorIpAddress" 
@@ -171,24 +306,49 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - "CLIENT_IP" @@ -202,6 +362,16 @@ LogTypeMap: - LogType: Salesforce.URI Selectors: - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - "ip" 
@@ -211,54 +381,116 @@ LogTypeMap: - LogType: Sophos.Central Selectors: - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - 
"$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml index e6f4d5353..ae82a0797 100644 --- a/lookup_tables/greynoise/advanced/riot_advanced.yml +++ b/lookup_tables/greynoise/advanced/riot_advanced.yml @@ -14,6 +14,14 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" @@ -23,6 +31,13 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - "clientIp" @@ -38,6 +53,14 @@ LogTypeMap: - LogType: AWS.S3ServerAccess Selectors: - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses 
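Review bot: `$.tls.sni` in the new `Suricata.Alert` entry is a TLS server name (a hostname), not an IP address, so it can never match a key in an IP-keyed lookup table and only adds a dead selector; drop it and keep `$.dest_ip` / `$.src_ip`. The same three lines are added to riot_advanced.yml and noise_basic.yml below, and presumably riot_basic.yml.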
@@ -49,6 +72,39 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - "$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" + - LogType: Box.Event + Selectors: + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" @@ -57,11 +113,18 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" - "externalIp" - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - "ClientIP" @@ -74,6 +137,9 @@ LogTypeMap: Selectors: - "ClientIP" - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - "UserIp" @@ -84,6 +150,9 @@ LogTypeMap: - LogType: Crowdstrike.DNSRequest Selectors: - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: Crowdstrike.AIDMaster Selectors: - "aip" 
@@ -102,27 +171,57 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - "remote_ip" @@ -136,6 +235,13 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields 
@@ -150,10 +256,39 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - "ActorIpAddress" 
@@ -171,24 +306,49 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - "CLIENT_IP" @@ -202,6 +362,16 @@ LogTypeMap: - LogType: Salesforce.URI Selectors: - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - "ip" 
@@ -211,54 +381,116 @@ LogTypeMap: - LogType: Sophos.Central Selectors: - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - 
"$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml index cdc619b5f..dcb235596 100644 --- a/lookup_tables/greynoise/basic/noise_basic.yml +++ b/lookup_tables/greynoise/basic/noise_basic.yml @@ -14,6 +14,14 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" @@ -23,6 +31,13 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - "clientIp" @@ -38,6 +53,14 @@ LogTypeMap: - LogType: AWS.S3ServerAccess Selectors: - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses 
@@ -49,6 +72,39 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - "$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" + - LogType: Box.Event + Selectors: + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" @@ -57,11 +113,18 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" - "externalIp" - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - "ClientIP" @@ -74,6 +137,9 @@ LogTypeMap: Selectors: - "ClientIP" - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - "UserIp" @@ -84,6 +150,9 @@ LogTypeMap: - LogType: Crowdstrike.DNSRequest Selectors: - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: Crowdstrike.AIDMaster Selectors: - "aip" 
@@ -102,27 +171,57 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - "remote_ip" @@ -136,6 +235,13 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields 
@@ -150,10 +256,39 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - "ActorIpAddress" 
@@ -171,24 +306,49 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - "CLIENT_IP" @@ -202,6 +362,16 @@ LogTypeMap: - LogType: Salesforce.URI Selectors: - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - "ip" 
@@ -211,54 +381,116 @@ LogTypeMap: - LogType: Sophos.Central Selectors: - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - 
"$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml index 3836746ee..0705637d2 100644 --- a/lookup_tables/greynoise/basic/riot_basic.yml +++ b/lookup_tables/greynoise/basic/riot_basic.yml @@ -14,6 +14,14 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" @@ -23,6 +31,13 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - "clientIp" @@ -38,6 +53,14 @@ LogTypeMap: - LogType: AWS.S3ServerAccess Selectors: - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses 
@@ -49,6 +72,39 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - "$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" + - LogType: Box.Event + Selectors: + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" @@ -57,11 +113,18 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" - "externalIp" - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - "ClientIP" @@ -74,6 +137,9 @@ LogTypeMap: Selectors: - "ClientIP" - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - "UserIp" @@ -84,6 +150,9 @@ LogTypeMap: - LogType: Crowdstrike.DNSRequest Selectors: - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: Crowdstrike.AIDMaster Selectors: - "aip" 
@@ -102,27 +171,57 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - "remote_ip" @@ -136,6 +235,13 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields 
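Review bot: The new `GCP.HTTPLoadBalancer` selector `$.jsonPayload.removeIp` looks like a typo for `remoteIp` — the sibling `$.httpRequest.remoteIp` spells it that way — and a misspelled path silently yields no enrichment rather than an error; confirm against the GCP.HTTPLoadBalancer schema and, if so, change it to `- "$.jsonPayload.remoteIp"`. The same string is carried, quote-change only, in the ipinfo_asn.yml hunk `@@ -13,321 +13,487 @@` and the ipinfo_asn_datalake.yml hunk, so it was already wrong there and this commit copies it into riot_basic.yml.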
@@ -150,10 +256,39 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - "ActorIpAddress" 
@@ -171,24 +306,49 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - "CLIENT_IP" @@ -202,6 +362,16 @@ LogTypeMap: - LogType: Salesforce.URI Selectors: - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - "ip" 
@@ -211,54 +381,116 @@ LogTypeMap: - LogType: Sophos.Central Selectors: - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - "dest_ip" - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - 
"$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml index dcd127849..a9f7602d7 100644 --- a/lookup_tables/ipinfo/ipinfo_asn.yml +++ b/lookup_tables/ipinfo/ipinfo_asn.yml 
@@ -13,321 +13,487 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - 
"$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: 
Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - '$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - 
LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: 
Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: 
SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - 
'$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml index 639798795..de1b02e2f 100644 --- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml 
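Review bot: `AWS.CloudTrail` now lists both `sourceIPAddress` and `p_any_ip_addresses`, and the comment above them says "add" where the `AWS.GuardDuty` entry two items down says "use"; if `p_any_ip_addresses` already collects `sourceIPAddress` whenever it is an IP, the first selector is redundant and only costs a second lookup per event, so either drop it or state in the comment why both are wanted. `sourceIPAddress` is also not always an address — service-initiated calls carry a service DNS name such as `cloudtrail.amazonaws.com` or the literal `AWS Internal` — which is the usual reason to rely on `p_any_ip_addresses` and is worth one line there, e.g. `# sourceIPAddress may be a service name; p_any_ip_addresses holds the parsed IPs`. This hunk also mixes the single-to-double-quote normalization of several hundred lines with the real additions, which makes the substantive changes hard to spot; running the reformat as its own commit would make future review of these hand-synchronized tables tractable.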
@@ -13,321 +13,487 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - 
"$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: 
Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - '$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - 
LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: 
Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: 
SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - 
'$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml index 8417b144b..9aff65042 100644 --- a/lookup_tables/ipinfo/ipinfo_location.yml +++ b/lookup_tables/ipinfo/ipinfo_location.yml 
@@ -13,321 +13,487 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - 
"$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: 
Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - '$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - 
LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: 
Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: 
SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - 
'$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml index 434b13379..da657eeb9 100644 --- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml 
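Review bot: `$.tls.sni` under the new Suricata.Alert entry is a server-name string, not an address, so an IP-keyed ipinfo lookup will never match on it and it should be dropped, leaving `$.dest_ip` and `$.src_ip` (the new Suricata.TLS entry, which maps only `dest_ip`/`src_ip`, is the consistent shape). In the same hunk Suricata.Alert and Suricata.DHCP use the `$.`-prefixed path form while the neighbouring Suricata.Anomaly/DNS/FileInfo/Flow/HTTP/SSH/TLS entries use bare field names; both presumably resolve to the same top-level field, but one form throughout keeps the table easy to audit. The added Amazon.EKS.Audit selector `$.spec.clusterIP` sits at the top level of the audit record, where I would only expect `requestObject`/`responseObject` to carry a spec, so it is worth confirming against the log schema before shipping. Also, `clusterIP` values are cluster-internal virtual addresses, so a location lookup on them will rarely produce a hit and mostly adds enrichment noise.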
@@ -13,321 +13,487 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: + - "callerIpAddress" + - 
"$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" - LogType: 
Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - '$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - 
LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: 
Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: 
SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - 
'$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml index 5638c14ee..da7781172 100644 --- a/lookup_tables/ipinfo/ipinfo_privacy.yml +++ b/lookup_tables/ipinfo/ipinfo_privacy.yml 
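Review bot: `$.jsonPayload.removeIp` under GCP.HTTPLoadBalancer looks like a typo for `remoteIp` (the sibling selector on the same entry is spelled `$.httpRequest.remoteIp`), and since this commit already rewrites the line for quoting it would be cheap to correct it here, after checking the GCP.HTTPLoadBalancer schema. This hunk is a verbatim copy of the ipinfo_location.yml hunk above, so the same `$.tls.sni` selector on Suricata.Alert, which is a hostname rather than an IP and cannot match an IP-keyed table, is carried into this file too. Because the AssociatedLogTypes list is now maintained by hand in three files (location, location_datalake, privacy), a fix applied to one will silently drift from the others; a small test asserting the three lists are identical, or generating them from one source, would prevent that.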
@@ -13,321 +13,487 @@ LogTypeMap:
 AssociatedLogTypes:
 - LogType: AlphaSOC.Alert
 Selectors:
- - '$.event.srcIP'
+ - "$.event.srcIP"
 - LogType: Amazon.EKS.Audit
 Selectors:
- - '$.sourceIPs'
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Apache.AccessCommon
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Atlassian.Audit
 Selectors:
- - '$.attributes.location.ip'
+ - "$.attributes.location.ip"
 - LogType: Asana.Audit
 Selectors:
- - '$.context.client_ip_address'
+ - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
- - 'clientIp'
+ - "clientIp"
 - LogType: AWS.CloudTrail
 Selectors:
- - 'sourceIPAddress'
+ # add p_any_ip_addresses because we extract ip addresses from polymorphic events
+ - "sourceIPAddress"
+ - "p_any_ip_addresses"
 - LogType: AWS.GuardDuty
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses from polymorphic events
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.S3ServerAccess
 Selectors:
- - 'remoteip'
+ - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.VPCFlow
 Selectors:
- - 'dstAddr'
- - 'srcAddr'
+ - "dstAddr"
+ - "srcAddr"
 - LogType: AWS.WAFWebACL
 Selectors:
- - '$.httpRequest.clientIp'
+ - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - 
"$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
- - 'ip_address'
+ - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.DNS
 Selectors:
- - 'externalIp'
- - 'internalIp'
+ - "externalIp"
+ - "internalIp"
 - LogType: CiscoUmbrella.IP
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.Proxy
 Selectors:
- - 'destinationIp'
- - 'externalIp'
- - 'internalIp'
+ - "destinationIp"
+ - "externalIp"
+ - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
- - 'ClientIP'
- - 'EdgeServerIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "EdgeServerIP"
+ - "OriginIP"
 - LogType: Cloudflare.Firewall
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Cloudflare.Spectrum
 Selectors:
- - 'ClientIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
- - 'UserIp'
+ - "UserIp"
 - LogType: Crowdstrike.DetectionSummary
 Selectors:
- - 'LocalIP'
- - 'OriginSourceIpAddress'
+ - "LocalIP"
+ - "OriginSourceIpAddress"
 - LogType: Crowdstrike.DNSRequest
 Selectors:
- - 'IpAddress'
+ - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: 
Crowdstrike.AIDMaster
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.ManagedAssets
 Selectors:
- - 'GatewayIP'
+ - "GatewayIP"
 - LogType: Crowdstrike.NetworkConnect
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NetworkListen
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NotManagedAssets
 Selectors:
- - 'aip'
- - 'CurrentLocalIP'
+ - "aip"
+ - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.SyntheticProcessRollup2
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.Unknown
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserIdentity
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserLogonLogoff
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.FDREvent
 Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Dropbox.TeamEvent
 Selectors:
- - '$.origin.geo_location.ip_address'
+ - "$.origin.geo_location.ip_address"
 - LogType: Duo.Authentication
 Selectors:
- - '$.access_device.ip'
- - '$.auth_device.ip'
+ - "$.access_device.ip"
+ - "$.auth_device.ip"
 - LogType: GCP.AuditLog
 Selectors:
- - '$.protoPayload.requestMetadata.callerIP'
- - '$.httpRequest.remoteIP'
- - '$.httpRequest.serverIP'
+ - "$.protoPayload.requestMetadata.callerIP"
+ - "$.httpRequest.remoteIP"
+ - "$.httpRequest.serverIP"
 - LogType: GCP.HTTPLoadBalancer
 Selectors:
- - '$.jsonPayload.removeIp'
- - '$.httpRequest.remoteIp'
- - '$.httpRequest.serverIp'
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
+ - LogType: GitHub.Audit
+ Selectors:
+ - "actor_ip"
 - LogType: 
GitLab.API
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: Gravitational.TeleportAudit
 Selectors:
- - 'dst_addr'
- - 'src_addr'
+ - "dst_addr"
+ - "src_addr"
 - LogType: GSuite.ActivityEvent
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: GSuite.Reports
 Selectors:
- - 'ipAddress'
- - LogType: GitHub.Audit
+ - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
 Selectors:
- - 'actor_ip'
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Juniper.Access
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but have no fields
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Juniper.Audit
 Selectors:
- - 'login_ip'
+ - "login_ip"
 - LogType: Juniper.Firewall
 Selectors:
- - 'SRC'
- - 'DST'
+ - "SRC"
+ - "DST"
 - LogType: Juniper.Security
 Selectors:
- - 'source_ip'
+ - "source_ip"
 - LogType: Lacework.AgentManagement
 Selectors:
- - 'IP_ADDR'
+ - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
- - 'DNS_SERVER_IP'
- - 'HOST_IP_ADDR'
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
 - LogType: Lacework.Events
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
- - 'ActorIpAddress'
- - 'ClientIP'
+ - "ActorIpAddress"
+ - 
"ClientIP"
 - LogType: Microsoft365.Audit.Exchange
 Selectors:
- - 'ClientIP'
- - 'ClientIPAddress'
+ - "ClientIP"
+ - "ClientIPAddress"
 - LogType: Microsoft365.Audit.SharePoint
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.Audit.General
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.DLP.All
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: MicrosoftGraph.SecurityAlert
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
- - 'remoteAddress'
+ - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
- - 'remoteAddr'
+ - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
- - '$.client.ipAddress'
+ - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
- - 'ipaddr'
+ - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OnePassword.SignInAttempt
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OSSEC.EventInfo
 Selectors:
- - 'agentip'
- - 'dstip'
- - 'srcip'
+ - "agentip"
+ - "dstip"
+ - "srcip"
 - LogType: Panther.Audit
 Selectors:
- - 'sourceIP'
+ - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
- - 'CLIENT_IP'
- - 'SOURCE_IP'
+ - "CLIENT_IP"
+ - "SOURCE_IP"
 - LogType: Salesforce.LoginAs
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.Logout
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.URI
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
- - 'ip'
+ - "ip"
 - LogType: Slack.AuditLogs
 Selectors:
- - '$.context.ip_address'
+ - "$.context.ip_address"
 - LogType: Sophos.Central
 Selectors:
- - '$.source_info.ip'
+ - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
- - '$.content.userOriginIP'
+ - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Workday.SignOnAttempt
 Selectors:
- - 'Session_IP_Address'
+ - "Session_IP_Address"
 - LogType: Zeek.Conn
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DPD
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.HTTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Notice
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.NTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssl
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Tunnel
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Weird
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zendesk.Audit
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: Zoom.Activity
 Selectors:
- - 'ip_address'
+ - "ip_address"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
index 35ada1b20..5e4b45faa 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
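Review bot: The new `Suricata.Alert` entry lists `"$.tls.sni"` next to `$.dest_ip`/`$.src_ip`, but a TLS SNI value is a server hostname, not an address, so it can never match a key in an IP-indexed lookup table and the line `+ - "$.tls.sni"` should be dropped (or moved to a hostname-keyed table if one exists). The identical block is added in the lookup_tables/ipinfo/ipinfo_privacy_datalake.yml hunk below and presumably in the tor_exit_nodes.yml hunk that runs past this view. Separately, the new Suricata entries are inconsistent in selector form: Suricata.Alert and Suricata.DHCP use the JSON-path form `$.dest_ip` while Suricata.FileInfo/Flow/HTTP/SSH/TLS and the existing Anomaly/DNS entries use the bare field name `dest_ip`; picking one form would make it clear whether the difference is intentional. Finally, the Amazon.EKS.Audit selectors `$.spec.clusterIP` and `$.requestObject.spec.clusterIP` appear to be cluster-internal service addresses, which are unlikely to appear in a privacy/anonymizer IP dataset; if they are kept on purpose, a one-line `#` comment above them saying why (as done for the `p_any_ip_addresses` entries) would help the next reader.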
@@ -13,321 +13,487 @@ LogTypeMap:
 AssociatedLogTypes:
 - LogType: AlphaSOC.Alert
 Selectors:
- - '$.event.srcIP'
+ - "$.event.srcIP"
 - LogType: Amazon.EKS.Audit
 Selectors:
- - '$.sourceIPs'
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Apache.AccessCommon
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Atlassian.Audit
 Selectors:
- - '$.attributes.location.ip'
+ - "$.attributes.location.ip"
 - LogType: Asana.Audit
 Selectors:
- - '$.context.client_ip_address'
+ - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
- - 'clientIp'
+ - "clientIp"
 - LogType: AWS.CloudTrail
 Selectors:
- - 'sourceIPAddress'
+ # add p_any_ip_addresses because we extract ip addresses from polymorphic events
+ - "sourceIPAddress"
+ - "p_any_ip_addresses"
 - LogType: AWS.GuardDuty
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses from polymorphic events
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.S3ServerAccess
 Selectors:
- - 'remoteip'
+ - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.VPCFlow
 Selectors:
- - 'dstAddr'
- - 'srcAddr'
+ - "dstAddr"
+ - "srcAddr"
 - LogType: AWS.WAFWebACL
 Selectors:
- - '$.httpRequest.clientIp'
+ - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - 
"$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
- - 'ip_address'
+ - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.DNS
 Selectors:
- - 'externalIp'
- - 'internalIp'
+ - "externalIp"
+ - "internalIp"
 - LogType: CiscoUmbrella.IP
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.Proxy
 Selectors:
- - 'destinationIp'
- - 'externalIp'
- - 'internalIp'
+ - "destinationIp"
+ - "externalIp"
+ - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
- - 'ClientIP'
- - 'EdgeServerIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "EdgeServerIP"
+ - "OriginIP"
 - LogType: Cloudflare.Firewall
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Cloudflare.Spectrum
 Selectors:
- - 'ClientIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
- - 'UserIp'
+ - "UserIp"
 - LogType: Crowdstrike.DetectionSummary
 Selectors:
- - 'LocalIP'
- - 'OriginSourceIpAddress'
+ - "LocalIP"
+ - "OriginSourceIpAddress"
 - LogType: Crowdstrike.DNSRequest
 Selectors:
- - 'IpAddress'
+ - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: 
Crowdstrike.AIDMaster
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.ManagedAssets
 Selectors:
- - 'GatewayIP'
+ - "GatewayIP"
 - LogType: Crowdstrike.NetworkConnect
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NetworkListen
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NotManagedAssets
 Selectors:
- - 'aip'
- - 'CurrentLocalIP'
+ - "aip"
+ - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.SyntheticProcessRollup2
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.Unknown
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserIdentity
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserLogonLogoff
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.FDREvent
 Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Dropbox.TeamEvent
 Selectors:
- - '$.origin.geo_location.ip_address'
+ - "$.origin.geo_location.ip_address"
 - LogType: Duo.Authentication
 Selectors:
- - '$.access_device.ip'
- - '$.auth_device.ip'
+ - "$.access_device.ip"
+ - "$.auth_device.ip"
 - LogType: GCP.AuditLog
 Selectors:
- - '$.protoPayload.requestMetadata.callerIP'
- - '$.httpRequest.remoteIP'
- - '$.httpRequest.serverIP'
+ - "$.protoPayload.requestMetadata.callerIP"
+ - "$.httpRequest.remoteIP"
+ - "$.httpRequest.serverIP"
 - LogType: GCP.HTTPLoadBalancer
 Selectors:
- - '$.jsonPayload.removeIp'
- - '$.httpRequest.remoteIp'
- - '$.httpRequest.serverIp'
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
 - LogType: GitHub.Audit
 Selectors:
- - 'actor_ip'
+ - "actor_ip"
 - 
LogType: GitLab.API
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: Gravitational.TeleportAudit
 Selectors:
- - 'dst_addr'
- - 'src_addr'
+ - "dst_addr"
+ - "src_addr"
 - LogType: GSuite.ActivityEvent
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: GSuite.Reports
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Juniper.Access
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but have no fields
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Juniper.Audit
 Selectors:
- - 'login_ip'
+ - "login_ip"
 - LogType: Juniper.Firewall
 Selectors:
- - 'SRC'
- - 'DST'
+ - "SRC"
+ - "DST"
 - LogType: Juniper.Security
 Selectors:
- - 'source_ip'
+ - "source_ip"
 - LogType: Lacework.AgentManagement
 Selectors:
- - 'IP_ADDR'
+ - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
- - 'DNS_SERVER_IP'
- - 'HOST_IP_ADDR'
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
 - LogType: Lacework.Events
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
- - 'ActorIpAddress'
- - 'ClientIP'
+ - "ActorIpAddress"
+ - "ClientIP"
 - LogType: 
Microsoft365.Audit.Exchange
 Selectors:
- - 'ClientIP'
- - 'ClientIPAddress'
+ - "ClientIP"
+ - "ClientIPAddress"
 - LogType: Microsoft365.Audit.SharePoint
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.Audit.General
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.DLP.All
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: MicrosoftGraph.SecurityAlert
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
- - 'remoteAddress'
+ - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
- - 'remoteAddr'
+ - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
- - '$.client.ipAddress'
+ - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
- - 'ipaddr'
+ - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OnePassword.SignInAttempt
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OSSEC.EventInfo
 Selectors:
- - 'agentip'
- - 'dstip'
- - 'srcip'
+ - "agentip"
+ - "dstip"
+ - "srcip"
 - LogType: Panther.Audit
 Selectors:
- - 'sourceIP'
+ - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
- - 'CLIENT_IP'
- - 'SOURCE_IP'
+ - "CLIENT_IP"
+ - "SOURCE_IP"
 - LogType: Salesforce.LoginAs
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.Logout
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.URI
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: 
SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
- - 'ip'
+ - "ip"
 - LogType: Slack.AuditLogs
 Selectors:
- - '$.context.ip_address'
+ - "$.context.ip_address"
 - LogType: Sophos.Central
 Selectors:
- - '$.source_info.ip'
+ - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
- - '$.content.userOriginIP'
+ - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Workday.SignOnAttempt
 Selectors:
- - 'Session_IP_Address'
+ - "Session_IP_Address"
 - LogType: Zeek.Conn
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DPD
 Selectors:
- - 
'$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.HTTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Notice
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.NTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssl
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Tunnel
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Weird
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zendesk.Audit
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: Zoom.Activity
 Selectors:
- - 'ip_address'
+ - "ip_address"
diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml
index 4cae8a3a2..9e1011174 100644
--- a/lookup_tables/tor/tor_exit_nodes.yml
+++ b/lookup_tables/tor/tor_exit_nodes.yml
@@ -13,324 +13,487 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.spec.clusterIP' - - '$.requestObject.spec.clusterIP' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" + - LogType: Anomali.Indicator + Selectors: + - "ip" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" + - LogType: Auth0.Events + Selectors: + - "$.data.ip" + - "$.data.client_ip" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: # add p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'sourceIPAddress' - - 'p_any_ip_addresses' + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" + - LogType: AWS.SecurityFindingFormat + Selectors: + - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4" + - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4" + - LogType: AWS.TransitGatewayFlow + Selectors: + - "srcAddr" + - "dstAddr" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" + - LogType: Azure.Audit + Selectors: 
+ - "callerIpAddress" + - "$.properties.initiatedBy.user.ipAddress" + - LogType: Bitwarden.Events + Selectors: + - "ipAddress" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" + - LogType: CarbonBlack.AlertV2 + Selectors: + - "device_external_ip" + - "device_internal_ip" + - "netconn_local_ip" + - "netconn_local_ipv4" + - "netconn_local_ipv6" + - "netconn_remote_ip" + - "netconn_remote_ipv4" + - "netconn_remote_ipv6" + - LogType: CarbonBlack.Audit + Selectors: + - "clientIp" + - LogType: CarbonBlack.EndpointEvent + Selectors: + - "device_external_ip" + - "local_ip" + - "remote_ip" + - "netconn_proxy_ip" + - LogType: CarbonBlack.WatchlistHit + Selectors: + - "device_external_ip" + - "device_internal_ip" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" + - LogType: Cloudflare.Audit + Selectors: + - "ActorIP" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" + - LogType: Crowdstrike.CriticalFile + Selectors: + - "aip" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" + - LogType: Crowdstrike.GroupIdentity + Selectors: + - "aip" 
- LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2 + Selectors: + - "aip" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - '$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - 
"actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" + - LogType: GitLab.Audit + Selectors: + - "ip_address" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" + - LogType: Jamfpro.ComplianceReporter + Selectors: + - "$.process.terminal_id.ip_address" + - "$.socket_inet.ip_address" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" + - LogType: Lacework.Applications + Selectors: + - "$.PROPS_MACHINE.ip_addr" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Lacework.Interfaces + Selectors: + - "IP_ADDR" + - LogType: Lacework.InternalIPA + Selectors: + - "IP_ADDR" + - LogType: Lacework.MachineSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.PodSummary + Selectors: + - "PRIMARY_IP_ADDR" + - LogType: Lacework.UserLogin + Selectors: + - "SOURCE_IP_ADDR" + - LogType: Linux.Auditd + Selectors: + - "addr" + - "ip" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: 
Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: MongoDB.OrganizationEvent + Selectors: + - "remoteAddress" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" + - LogType: Notion.AuditLogs + Selectors: + - "$.event.ip_address" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" + - LogType: OnePassword.AuditEvent + Selectors: + - "$.session.ip" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" + - LogType: Tenable.Vulnerability + Selectors: + - "$.asset.ipv6" + - "$.asset.ipv4" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" + - LogType: SentinelOne.DeepVisibility + Selectors: + - "$.event.sourceAddress.address" + - "$.event.destinationAddress.address" + - "$.event.local.address" + - LogType: 
SentinelOne.DeepVisibilityV2 + Selectors: + - "src_ip_address" + - "dst_ip_address" + - "src_endpoint_ip_address" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" + - LogType: Suricata.Alert + Selectors: + - "$.tls.sni" + - "$.dest_ip" + - "$.src_ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.DHCP + Selectors: + - "$.dest_ip" + - "$.dhcp.assigned_ip" + - "$.src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" + - LogType: Suricata.FileInfo + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.Flow + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.HTTP + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.SSH + Selectors: + - "dest_ip" + - "src_ip" + - LogType: Suricata.TLS + Selectors: + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - "$.content.userOriginIP" + - LogType: Tailscale.Network + Selectors: + - "$.event.virtualTraffic[].srcIp" + - "$.event.virtualTraffic[].dstIp" + - "$.event.subnetTraffic[].srcIp" + - "$.event.subnetTraffic[].dstIp" + - "$.event.exitTraffic[].srcIp" + - "$.event.exitTraffic[].dstIp" + - "$.event.physicalTraffic[].srcIp" + - "$.event.physicalTraffic[].dstIp" + - LogType: Tines.Audit + Selectors: + - "request_ip" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.DHCP + Selectors: + - "requested_addr" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - 
'$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.SIP + Selectors: + - "$.id.orig_h" + - "$.id.resp_h" + - LogType: Zeek.Software + Selectors: + - "host" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" From 7cc653719a3cdb3b993e438dcf49ff881e2c8c51 Mon Sep 17 00:00:00 2001 From: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:59:06 +0200 Subject: [PATCH 3/6] Added shebang line to test_scenarios tool (#993) --- test_scenarios/send_data.py | 2 ++ 1 file changed, 2 insertions(+) mode change 100644 => 100755 test_scenarios/send_data.py diff --git a/test_scenarios/send_data.py b/test_scenarios/send_data.py old mode 100644 new mode 100755 index f6a2aeab1..aba33781e --- a/test_scenarios/send_data.py +++ b/test_scenarios/send_data.py @@ -1,3 +1,5 @@ +#!/usr/bin/env -S python3 + import argparse import gzip import json From fe1a3f8a108c52baacfdaff98c27482817ac241a Mon Sep 17 00:00:00 2001 
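Review bot: The new Suricata.Alert entry lists `"$.tls.sni"` as a selector, but SNI is a server hostname rather than an address, so against a table that is presumably keyed by Tor exit-node IP it can never match and only adds lookup work; dropping that line and keeping `"$.dest_ip"` / `"$.src_ip"` matches what the other Suricata entries do. The GCP.HTTPLoadBalancer selector `"$.jsonPayload.removeIp"` survives the quote change unaltered and looks like a typo for `remoteIp` (the sibling selectors use `$.httpRequest.remoteIp`); worth checking against the log schema, since a misspelled selector fails silently by matching nothing. The preceding lookup-table hunk, whose file header is outside this view, carries the same selector lists, so any correction here likely belongs there too.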
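Review bot: The added shebang `#!/usr/bin/env -S python3` depends on the `-S` split-string option, which is a GNU coreutils / BSD `env` extension rather than a POSIX guarantee, and nothing in the line passes interpreter flags that would need it. `#!/usr/bin/env python3` does the same job on every platform the mode change to 100755 is meant to enable direct execution on.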
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Thu, 7 Dec 2023 15:08:53 +0200 Subject: [PATCH 4/6] Add references to rules (asana_rules) (#994) --- rules/asana_rules/asana_service_account_created.yml | 1 + rules/asana_rules/asana_team_privacy_public.yml | 1 + .../asana_workspace_default_session_duration_never.yml | 1 + rules/asana_rules/asana_workspace_email_domain_added.yml | 1 + .../asana_workspace_form_link_auth_requirement_disabled.yml | 1 + .../asana_workspace_guest_invite_permissions_anyone.yml | 1 + rules/asana_rules/asana_workspace_new_admin.yml | 3 ++- rules/asana_rules/asana_workspace_org_export.yml | 1 + .../asana_workspace_password_requirements_simple.yml | 1 + .../asana_workspace_require_app_approvals_disabled.yml | 1 + rules/asana_rules/asana_workspace_saml_optional.yml | 1 + 11 files changed, 12 insertions(+), 1 deletion(-) diff --git a/rules/asana_rules/asana_service_account_created.yml b/rules/asana_rules/asana_service_account_created.yml index d0e726dcc..2372ebc0e 100644 --- a/rules/asana_rules/asana_service_account_created.yml +++ b/rules/asana_rules/asana_service_account_created.yml @@ -4,6 +4,7 @@ DisplayName: "Asana Service Account Created" Enabled: true Filename: asana_service_account_created.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://help.asana.com/hc/en-us/articles/14217496838427-Service-Accounts Severity: Medium Tests: - ExpectedResult: false diff --git a/rules/asana_rules/asana_team_privacy_public.yml b/rules/asana_rules/asana_team_privacy_public.yml index d9a17bbec..7bc2d0ec1 100644 --- a/rules/asana_rules/asana_team_privacy_public.yml +++ b/rules/asana_rules/asana_team_privacy_public.yml 
@@ -3,6 +3,7 @@ Description: An Asana team's privacy setting was changed to public to the organi DisplayName: "Asana Team Privacy Public" Enabled: true Filename: asana_team_privacy_public.py +Reference: https://help.asana.com/hc/en-us/articles/14211433439387-Team-permissions Severity: Low Tests: - ExpectedResult: true diff --git a/rules/asana_rules/asana_workspace_default_session_duration_never.yml b/rules/asana_rules/asana_workspace_default_session_duration_never.yml index 62d864768..2e2100a22 100644 --- a/rules/asana_rules/asana_workspace_default_session_duration_never.yml +++ b/rules/asana_rules/asana_workspace_default_session_duration_never.yml @@ -3,6 +3,7 @@ Description: 'An Asana workspace''s default session duration (how often users ne DisplayName: "Asana Workspace Default Session Duration Never" Enabled: true Filename: asana_workspace_default_session_duration_never.py +Reference: https://help.asana.com/hc/en-us/articles/14218320495899-Manage-Session-Duration Severity: Low Tests: - ExpectedResult: true diff --git a/rules/asana_rules/asana_workspace_email_domain_added.yml b/rules/asana_rules/asana_workspace_email_domain_added.yml index 240d3e48c..028f0404c 100644 --- a/rules/asana_rules/asana_workspace_email_domain_added.yml +++ b/rules/asana_rules/asana_workspace_email_domain_added.yml @@ -3,6 +3,7 @@ Description: 'A new email domain has been added to an Asana workspace. Reviewer DisplayName: "Asana Workspace Email Domain Added" Enabled: true Filename: asana_workspace_email_domain_added.py +Reference: https://help.asana.com/hc/en-us/articles/15901227439515-Email-domain-management-for-Asana-organizations Severity: Low Tests: - ExpectedResult: true diff --git a/rules/asana_rules/asana_workspace_form_link_auth_requirement_disabled.yml b/rules/asana_rules/asana_workspace_form_link_auth_requirement_disabled.yml index 51f57cdb5..49b28f593 100644 --- a/rules/asana_rules/asana_workspace_form_link_auth_requirement_disabled.yml 
+++ b/rules/asana_rules/asana_workspace_form_link_auth_requirement_disabled.yml @@ -3,6 +3,7 @@ Description: 'An Asana Workspace Form Link is a unique URL that allows you to cr DisplayName: "Asana Workspace Form Link Auth Requirement Disabled" Enabled: true Filename: asana_workspace_form_link_auth_requirement_disabled.py +Reference: https://help.asana.com/hc/en-us/articles/14111697664923-Forms-access-permissions#:~:text=SSO%2C%20SAML%2C%20or-,no%20authentication%20method,-).%20If%20no%20authentication Severity: Low Tests: - ExpectedResult: true diff --git a/rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.yml b/rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.yml index 5de84537f..e893fd917 100644 --- a/rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.yml +++ b/rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.yml @@ -3,6 +3,7 @@ Description: Typically inviting guests to Asana is permitted by few users. Enabl DisplayName: "Asana Workspace Guest Invite Permissions Anyone" Enabled: true Filename: asana_workspace_guest_invite_permissions_anyone.py +Reference: https://help.asana.com/hc/en-us/articles/14109494654875-Admin-console#:~:text=Google%20SSO%20password.-,Guest%20invite%20controls,-Super%20admins%20of Severity: Low Tests: - ExpectedResult: true diff --git a/rules/asana_rules/asana_workspace_new_admin.yml b/rules/asana_rules/asana_workspace_new_admin.yml index 28e8e4741..ccbc3d729 100644 --- a/rules/asana_rules/asana_workspace_new_admin.yml +++ b/rules/asana_rules/asana_workspace_new_admin.yml @@ -1,8 +1,9 @@ AnalysisType: rule -Description: Asana Workspace New Admin +Description: Admin role was granted to the user who previously did not have admin permissions DisplayName: Asana Workspace New Admin Enabled: true Filename: asana_workspace_new_admin.py +Reference: https://help.asana.com/hc/en-us/articles/14141552580635-Admin-and-super-admin-roles-in-Asana Severity: High Tests: - ExpectedResult: False 
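Review bot: The Reference value added in this hunk embeds a `#:~:text=` text-fragment anchor, which only resolves while the vendor page keeps that exact wording and is ignored by browsers without scroll-to-text support. The same applies to the asana_workspace_guest_invite_permissions_anyone, asana_workspace_org_export, asana_workspace_require_app_approvals_disabled and asana_workspace_saml_optional hunks, and in the following auth0 patch to auth0_mfa_policy_disabled, auth0_mfa_policy_enabled, both auth0_mfa_risk_assessment rules and auth0_user_joined_tenant. Trimming each to the article URL, e.g. `Reference: https://help.asana.com/hc/en-us/articles/14111697664923-Forms-access-permissions`, keeps the link useful after the page is edited; the section the fragment pointed at can be named in the Description if it matters.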
diff --git a/rules/asana_rules/asana_workspace_org_export.yml b/rules/asana_rules/asana_workspace_org_export.yml index a8f5a5c50..1ac3bcf87 100644 --- a/rules/asana_rules/asana_workspace_org_export.yml +++ b/rules/asana_rules/asana_workspace_org_export.yml @@ -4,6 +4,7 @@ DisplayName: Asana Workspace Org Export Enabled: true Filename: asana_workspace_org_export.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://help.asana.com/hc/en-us/articles/14139896860955-Privacy-and-security#:~:text=like%20to%20see.-,Full%20export%20of%20an%20organization,-Available%20on%20Asana Severity: Medium Tests: - ExpectedResult: false diff --git a/rules/asana_rules/asana_workspace_password_requirements_simple.yml b/rules/asana_rules/asana_workspace_password_requirements_simple.yml index c27b6ba5c..9d81f042e 100644 --- a/rules/asana_rules/asana_workspace_password_requirements_simple.yml +++ b/rules/asana_rules/asana_workspace_password_requirements_simple.yml @@ -4,6 +4,7 @@ DisplayName: "Asana Workspace Password Requirements Simple" Enabled: true Filename: asana_workspace_password_requirements_simple.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://help.asana.com/hc/en-us/articles/14075208738587-Authentication-and-access-management-options-for-paid-plans Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/asana_rules/asana_workspace_require_app_approvals_disabled.yml b/rules/asana_rules/asana_workspace_require_app_approvals_disabled.yml index 36f1e625f..767e4399d 100644 --- a/rules/asana_rules/asana_workspace_require_app_approvals_disabled.yml +++ b/rules/asana_rules/asana_workspace_require_app_approvals_disabled.yml 
@@ -4,6 +4,7 @@ DisplayName: Asana Workspace Require App Approvals Disabled Enabled: true Filename: asana_workspace_require_app_approvals_disabled.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://help.asana.com/hc/en-us/articles/14109494654875-Admin-console#:~:text=used%20by%20default-,Require%20app%20approval,-Admins%20manage%20a Severity: Medium Tests: - ExpectedResult: false diff --git a/rules/asana_rules/asana_workspace_saml_optional.yml b/rules/asana_rules/asana_workspace_saml_optional.yml index cac2ae8df..06ea65b2a 100644 --- a/rules/asana_rules/asana_workspace_saml_optional.yml +++ b/rules/asana_rules/asana_workspace_saml_optional.yml @@ -4,6 +4,7 @@ DisplayName: "Asana Workspace SAML Optional" Enabled: true Filename: asana_workspace_saml_optional.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://help.asana.com/hc/en-us/articles/14075208738587-Premium-Business-and-Enterprise-authentication#gl-saml:~:text=to%20your%20organization.-,SAML,-If%20your%20company Severity: Medium Tests: - ExpectedResult: false From a5380ca278a13c7709ab5a986b83ca66f646cfd1 Mon Sep 17 00:00:00 2001 
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Thu, 7 Dec 2023 17:27:16 +0200 Subject: [PATCH 5/6] Add references to rules (auth0_rules) (#995) --- rules/auth0_rules/auth0_custom_role_created.yml | 1 + rules/auth0_rules/auth0_integration_installed.yml | 1 + rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml | 1 + rules/auth0_rules/auth0_mfa_policy_disabled.yml | 1 + rules/auth0_rules/auth0_mfa_policy_enabled.yml | 1 + rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml | 1 + rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml | 1 + rules/auth0_rules/auth0_post_login_action_flow.yml | 1 + rules/auth0_rules/auth0_user_invitation_created.yml | 1 + rules/auth0_rules/auth0_user_joined_tenant.yml | 1 + 10 files changed, 10 insertions(+) diff --git a/rules/auth0_rules/auth0_custom_role_created.yml b/rules/auth0_rules/auth0_custom_role_created.yml index 7ddff3d0c..b8b83ec92 100644 --- a/rules/auth0_rules/auth0_custom_role_created.yml +++ b/rules/auth0_rules/auth0_custom_role_created.yml @@ -4,6 +4,7 @@ DisplayName: "Auth0 Custom Role Created" Enabled: true Filename: auth0_custom_role_created.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant if a user created a role without proper authorization. +Reference: https://auth0.com/docs/manage-users/access-control/configure-core-rbac/roles/create-roles Severity: High Tests: - ExpectedResult: false diff --git a/rules/auth0_rules/auth0_integration_installed.yml b/rules/auth0_rules/auth0_integration_installed.yml index 4e16d3715..b5ad246d0 100644 --- a/rules/auth0_rules/auth0_integration_installed.yml +++ b/rules/auth0_rules/auth0_integration_installed.yml 
@@ -4,6 +4,7 @@ DisplayName: "Auth0 Integration Installed" Enabled: true Filename: auth0_integration_installed.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://auth0.com/blog/actions-integrations-are-now-ga/ Severity: Info Tests: - ExpectedResult: true diff --git a/rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml b/rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml index 70e0d3b0d..ded2e3df6 100644 --- a/rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml +++ b/rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml @@ -4,6 +4,7 @@ DisplayName: "Auth0 mfa factor enabled" Enabled: true Filename: auth0_mfa_factor_setting_enabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors Severity: Info Tests: - ExpectedResult: true diff --git a/rules/auth0_rules/auth0_mfa_policy_disabled.yml b/rules/auth0_rules/auth0_mfa_policy_disabled.yml index 372fbfdf4..d62ca0b7d 100644 --- a/rules/auth0_rules/auth0_mfa_policy_disabled.yml +++ b/rules/auth0_rules/auth0_mfa_policy_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Policy Disabled" Enabled: true Filename: auth0_mfa_policy_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=prompted%20for%20MFA.-,Never,-%3A%20MFA%20is%20not Severity: High Tests: - ExpectedResult: false 
diff --git a/rules/auth0_rules/auth0_mfa_policy_enabled.yml b/rules/auth0_rules/auth0_mfa_policy_enabled.yml index 9ac110173..214ec95e3 100644 --- a/rules/auth0_rules/auth0_mfa_policy_enabled.yml +++ b/rules/auth0_rules/auth0_mfa_policy_enabled.yml @@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Policy Enabled" Enabled: true Filename: auth0_mfa_policy_enabled.py Runbook: Assess if this was done by the user for a valid business reason and was expected. This alert indicates a setting change that aligns with best security practices, follow-up may be unnecessary. +Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=In%20the-,Define%20policies,-section%2C%20select%20a Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml b/rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml index d2c48ca9b..3eb615c2e 100644 --- a/rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml +++ b/rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Risk Assessment Disabled" Enabled: true Filename: auth0_mfa_risk_assessment_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=Always%20policy%2C%20the-,MFA%20Risk%20Assessors,-section%20appears.%20By Severity: High Tests: - ExpectedResult: false diff --git a/rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml b/rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml index 9a4c558cf..8bec3511c 100644 --- a/rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml +++ b/rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml 
@@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Risk Assessment Enabled" Enabled: true Filename: auth0_mfa_risk_assessment_enabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant when enabling this setting as it's in the best security interest for your organization's security posture. +Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=Always%20policy%2C%20the-,MFA%20Risk%20Assessors,-section%20appears.%20By Severity: Info Tests: - ExpectedResult: false diff --git a/rules/auth0_rules/auth0_post_login_action_flow.yml b/rules/auth0_rules/auth0_post_login_action_flow.yml index 513d2939c..244d6a5a0 100644 --- a/rules/auth0_rules/auth0_post_login_action_flow.yml +++ b/rules/auth0_rules/auth0_post_login_action_flow.yml @@ -4,6 +4,7 @@ DisplayName: "Auth0 Post Login Action Flow Updated" Enabled: true Filename: auth0_post_login_action_flow.py Runbook: Assess if this was done by the user for a valid business reason. Be sure to replace any steps that were removed without authorization. +Reference: https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow/api-object Severity: Medium Tests: - ExpectedResult: false diff --git a/rules/auth0_rules/auth0_user_invitation_created.yml b/rules/auth0_rules/auth0_user_invitation_created.yml index 29bcf5379..69a0208dc 100644 --- a/rules/auth0_rules/auth0_user_invitation_created.yml +++ b/rules/auth0_rules/auth0_user_invitation_created.yml @@ -2,6 +2,7 @@ AnalysisType: rule DisplayName: "Auth0 User Invitation Created" Enabled: true Filename: auth0_user_invitation_created.py +Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members Severity: Info Tests: - ExpectedResult: true diff --git a/rules/auth0_rules/auth0_user_joined_tenant.yml b/rules/auth0_rules/auth0_user_joined_tenant.yml index a2db76893..44a7869f7 100644 --- a/rules/auth0_rules/auth0_user_joined_tenant.yml 
+++ b/rules/auth0_rules/auth0_user_joined_tenant.yml @@ -4,6 +4,7 @@ Description: User accepted invitation from Auth0 member to join an Auth0 tenant. Enabled: true Filename: auth0_user_joined_tenant.py RuleID: Auth0.User.Joined.Tenant +Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members#send-membership-invitations:~:text=.-,Send%20membership%20invitations,-You%20can Severity: Info LogTypes: - Auth0.Events From c65b17524b99d49f8dece2c47a0d2e50a87c3671 Mon Sep 17 00:00:00 2001 From: Panos Sakkos Date: Fri, 8 Dec 2023 16:36:53 +0200 Subject: [PATCH 6/6] format detections (#997) --- rules/azure_signin_rules/azure_failed_signins.py | 6 +----- rules/azure_signin_rules/azure_legacyauth.py | 6 +----- rules/azure_signin_rules/azure_risklevel_passthrough.py | 6 +----- .../crowdstrike_rules/crowdstrike_detection_passthrough.py | 5 +---- rules/crowdstrike_rules/crowdstrike_dns_request.py | 5 +---- rules/duo_rules/duo_admin_create_admin.py | 5 +---- rules/duo_rules/duo_admin_new_admin_api_app_integration.py | 5 +---- rules/duo_rules/duo_admin_sso_saml_requirement_disabled.py | 5 +---- rules/duo_rules/duo_admin_user_mfa_bypass_enabled.py | 5 +---- rules/gsuite_reports_rules/gsuite_drive_external_share.py | 7 +------ rules/onelogin_rules/onelogin_active_login_activity.py | 6 +----- rules/onelogin_rules/onelogin_high_risk_login.py | 6 +----- rules/tailscale_rules/tailscale_https_disabled.py | 5 +---- .../tailscale_machine_approval_requirements_disabled.py | 5 +---- rules/tailscale_rules/tailscale_magicdns_disabled.py | 5 +---- 15 files changed, 15 insertions(+), 67 deletions(-) diff --git a/rules/azure_signin_rules/azure_failed_signins.py b/rules/azure_signin_rules/azure_failed_signins.py index c4e7e65dc..d8d3917e1 100644 --- a/rules/azure_signin_rules/azure_failed_signins.py +++ b/rules/azure_signin_rules/azure_failed_signins.py 
@@ -1,9 +1,5 @@ from global_filter_azuresignin import filter_include_event -from panther_azuresignin_helpers import ( - actor_user, - azure_signin_alert_context, - is_sign_in_event, -) +from panther_azuresignin_helpers import actor_user, azure_signin_alert_context, is_sign_in_event from panther_base_helpers import deep_get diff --git a/rules/azure_signin_rules/azure_legacyauth.py b/rules/azure_signin_rules/azure_legacyauth.py index 808caf6ad..36fbb6065 100644 --- a/rules/azure_signin_rules/azure_legacyauth.py +++ b/rules/azure_signin_rules/azure_legacyauth.py @@ -2,11 +2,7 @@ from unittest.mock import MagicMock from global_filter_azuresignin import filter_include_event -from panther_azuresignin_helpers import ( - actor_user, - azure_signin_alert_context, - is_sign_in_event, -) +from panther_azuresignin_helpers import actor_user, azure_signin_alert_context, is_sign_in_event from panther_base_helpers import deep_get LEGACY_AUTH_USERAGENTS = ["BAV2ROPC", "CBAInPROD"] # CBAInPROD is reported to be IMAP diff --git a/rules/azure_signin_rules/azure_risklevel_passthrough.py b/rules/azure_signin_rules/azure_risklevel_passthrough.py index c36a10be4..3972c1d0b 100644 --- a/rules/azure_signin_rules/azure_risklevel_passthrough.py +++ b/rules/azure_signin_rules/azure_risklevel_passthrough.py @@ -1,9 +1,5 @@ from global_filter_azuresignin import filter_include_event -from panther_azuresignin_helpers import ( - actor_user, - azure_signin_alert_context, - is_sign_in_event, -) +from panther_azuresignin_helpers import actor_user, azure_signin_alert_context, is_sign_in_event from panther_base_helpers import deep_get PASSTHROUGH_SEVERITIES = {"low", "medium", "high"} diff --git a/rules/crowdstrike_rules/crowdstrike_detection_passthrough.py b/rules/crowdstrike_rules/crowdstrike_detection_passthrough.py index 1a9ada8c0..9fd8bf89d 100644 --- a/rules/crowdstrike_rules/crowdstrike_detection_passthrough.py +++ b/rules/crowdstrike_rules/crowdstrike_detection_passthrough.py 
@@ -1,7 +1,4 @@
-from panther_base_helpers import (
-    crowdstrike_detection_alert_context,
-    get_crowdstrike_field,
-)
+from panther_base_helpers import crowdstrike_detection_alert_context, get_crowdstrike_field
 
 
 def rule(event):
diff --git a/rules/crowdstrike_rules/crowdstrike_dns_request.py b/rules/crowdstrike_rules/crowdstrike_dns_request.py
index 9216c141c..ec02a053b 100644
--- a/rules/crowdstrike_rules/crowdstrike_dns_request.py
+++ b/rules/crowdstrike_rules/crowdstrike_dns_request.py
@@ -1,7 +1,4 @@
-from panther_base_helpers import (
-    filter_crowdstrike_fdr_event_type,
-    get_crowdstrike_field,
-)
+from panther_base_helpers import filter_crowdstrike_fdr_event_type, get_crowdstrike_field
 
 # baddomain.com is present for testing purposes. Add domains you wish to be alerted on to this list
 DENYLIST = ["baddomain.com"]
diff --git a/rules/duo_rules/duo_admin_create_admin.py b/rules/duo_rules/duo_admin_create_admin.py
index 285f80511..fff5857d8 100644
--- a/rules/duo_rules/duo_admin_create_admin.py
+++ b/rules/duo_rules/duo_admin_create_admin.py
@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):
diff --git a/rules/duo_rules/duo_admin_new_admin_api_app_integration.py b/rules/duo_rules/duo_admin_new_admin_api_app_integration.py
index d58db3338..6215b5193 100644
--- a/rules/duo_rules/duo_admin_new_admin_api_app_integration.py
+++ b/rules/duo_rules/duo_admin_new_admin_api_app_integration.py
@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):
diff --git a/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.py b/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.py
index bb8831e99..dde34ca4f 100644
--- a/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.py
+++ b/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.py
@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):
diff --git a/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.py b/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.py
index 299a766e8..db30665d1 100644
--- a/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.py
+++ b/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.py
@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):
diff --git a/rules/gsuite_reports_rules/gsuite_drive_external_share.py b/rules/gsuite_reports_rules/gsuite_drive_external_share.py
index 559e99e26..ac427233a 100644
--- a/rules/gsuite_reports_rules/gsuite_drive_external_share.py
+++ b/rules/gsuite_reports_rules/gsuite_drive_external_share.py
@@ -1,11 +1,6 @@
 import datetime
 
-from panther_base_helpers import (
-    PantherUnexpectedAlert,
-    deep_get,
-    pattern_match,
-    pattern_match_list,
-)
+from panther_base_helpers import PantherUnexpectedAlert, deep_get, pattern_match, pattern_match_list
 
 COMPANY_DOMAIN = "your-company-name.com"
 EXCEPTION_PATTERNS = {
diff --git a/rules/onelogin_rules/onelogin_active_login_activity.py b/rules/onelogin_rules/onelogin_active_login_activity.py
index 994f7c759..48fb51dd1 100644
--- a/rules/onelogin_rules/onelogin_active_login_activity.py
+++ b/rules/onelogin_rules/onelogin_active_login_activity.py
@@ -1,11 +1,7 @@
 from datetime import timedelta
 
 from panther_base_helpers import is_ip_in_network
-from panther_detection_helpers.caching import (
-    add_to_string_set,
-    get_string_set,
-    put_string_set,
-)
+from panther_detection_helpers.caching import add_to_string_set, get_string_set, put_string_set
 
 THRESH = 2
 THRESH_TTL = timedelta(hours=12).total_seconds()
diff --git a/rules/onelogin_rules/onelogin_high_risk_login.py b/rules/onelogin_rules/onelogin_high_risk_login.py
index 6a2142c5a..9600ce362 100644
--- a/rules/onelogin_rules/onelogin_high_risk_login.py
+++ b/rules/onelogin_rules/onelogin_high_risk_login.py
@@ -1,10 +1,6 @@
 from datetime import timedelta
 
-from panther_detection_helpers.caching import (
-    get_counter,
-    increment_counter,
-    reset_counter,
-)
+from panther_detection_helpers.caching import get_counter, increment_counter, reset_counter
 
 THRESH_TTL = timedelta(minutes=10).total_seconds()
 
diff --git a/rules/tailscale_rules/tailscale_https_disabled.py b/rules/tailscale_rules/tailscale_https_disabled.py
index d69eac9f4..a3361e569 100644
--- a/rules/tailscale_rules/tailscale_https_disabled.py
+++ b/rules/tailscale_rules/tailscale_https_disabled.py
@@ -1,9 +1,6 @@
 from global_filter_tailscale import filter_include_event
 from panther_base_helpers import deep_get
-from panther_tailscale_helpers import (
-    is_tailscale_admin_console_event,
-    tailscale_alert_context,
-)
+from panther_tailscale_helpers import is_tailscale_admin_console_event, tailscale_alert_context
 
 
 def rule(event):
diff --git a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.py b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.py
index ee8f08e93..64d390f29 100644
--- a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.py
+++ b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.py
@@ -1,9 +1,6 @@
 from global_filter_tailscale import filter_include_event
 from panther_base_helpers import deep_get
-from panther_tailscale_helpers import (
-    is_tailscale_admin_console_event,
-    tailscale_alert_context,
-)
+from panther_tailscale_helpers import is_tailscale_admin_console_event, tailscale_alert_context
 
 
 def rule(event):
diff --git a/rules/tailscale_rules/tailscale_magicdns_disabled.py b/rules/tailscale_rules/tailscale_magicdns_disabled.py
index 1f1f499ad..ad29e9aaf 100644
--- a/rules/tailscale_rules/tailscale_magicdns_disabled.py
+++ b/rules/tailscale_rules/tailscale_magicdns_disabled.py
@@ -1,9 +1,6 @@
 from global_filter_tailscale import filter_include_event
 from panther_base_helpers import deep_get
-from panther_tailscale_helpers import (
-    is_tailscale_admin_console_event,
-    tailscale_alert_context,
-)
+from panther_tailscale_helpers import is_tailscale_admin_console_event, tailscale_alert_context
 
 
 def rule(event):