From 56c3e865755bf2ad75b73c8ac7f186ab29b606d4 Mon Sep 17 00:00:00 2001 From: akozlovets098 Date: Tue, 5 Dec 2023 13:44:42 +0200 Subject: [PATCH 1/3] Use the same set of log sources in all lookup tables --- .../greynoise/advanced/noise_advanced.yml | 120 ++++++-- .../greynoise/advanced/riot_advanced.yml | 120 ++++++-- lookup_tables/greynoise/basic/noise_basic.yml | 120 ++++++-- lookup_tables/greynoise/basic/riot_basic.yml | 120 ++++++-- lookup_tables/ipinfo/ipinfo_asn.yml | 270 ++++++++--------- lookup_tables/ipinfo/ipinfo_asn_datalake.yml | 270 ++++++++--------- lookup_tables/ipinfo/ipinfo_location.yml | 270 ++++++++--------- .../ipinfo/ipinfo_location_datalake.yml | 270 ++++++++--------- lookup_tables/ipinfo/ipinfo_privacy.yml | 274 +++++++++--------- .../ipinfo/ipinfo_privacy_datalake.yml | 270 ++++++++--------- lookup_tables/tor/tor_exit_nodes.yml | 271 ++++++++--------- 11 files changed, 1340 insertions(+), 1035 deletions(-) diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml index 8d0522435..bce7fb4ba 100644 --- a/lookup_tables/greynoise/advanced/noise_advanced.yml +++ b/lookup_tables/greynoise/advanced/noise_advanced.yml @@ -14,6 +14,11 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" @@ -23,6 +28,9 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - "clientIp" @@ -49,6 +57,9 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Box.Event + Selectors: + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" 
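Review bot: The new Amazon.EKS.Audit selectors `$.spec.clusterIP` and `$.requestObject.spec.clusterIP` point at a Kubernetes Service's cluster-internal virtual IP, which is never internet-routable, so enriching it against GreyNoise noise/RIOT data (and the IPinfo and Tor tables in the later hunks) cannot produce a match and only adds lookup volume. `$.sourceIPs` is the client address and the one worth keeping; I would drop the two clusterIP selectors or add a comment saying why they are wanted. `$.spec.clusterIP` at the document root also looks doubtful — in audit entries the object spec is nested under requestObject/responseObject, so this path presumably never resolves; worth confirming against a sample event. The same three selectors are added at the same offset in the riot_advanced, noise_basic and riot_basic hunks and in the ipinfo_asn hunk.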
@@ -57,6 +68,10 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" @@ -102,24 +117,48 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" @@ -136,6 +175,9 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields 
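Review bot: `$.jsonPayload.removeIp` under the new GCP.HTTPLoadBalancer entry looks like a typo for `remoteIp`; the load balancer log carries `jsonPayload.remoteIp`, and the sibling selectors in the same entry spell it `$.httpRequest.remoteIp`. A mistyped JSON path fails silently here — the selector simply never matches — so it is only caught by inspecting enrichment output. The same selector is added in the matching hunks of riot_advanced, noise_basic and riot_basic, and the ipinfo files carry it on both sides of the diff, so a fix should cover all eleven tables. Change to `- "$.jsonPayload.remoteIp"`.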
@@ -150,6 +192,13 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable @@ -171,6 +220,13 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" @@ -186,6 +242,11 @@ LogTypeMap: - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" 
@@ -219,46 +280,55 @@ LogTypeMap: Selectors: - "dest_ip" - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml index e6f4d5353..1b126dd69 100644 --- a/lookup_tables/greynoise/advanced/riot_advanced.yml +++ b/lookup_tables/greynoise/advanced/riot_advanced.yml @@ -14,6 +14,11 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" 
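Review bot: The `'…'` → `"…"` requoting of every Zeek selector belongs in a separate formatting commit: it changes nothing for the parser, but it buries the functional additions here (Sysdig.Audit, Workday.Activity, Workday.SignOnAttempt) and doubles the size of this hunk and its twins in the other three GreyNoise files. On the substance, the commit's goal of an identical log-source set across all eleven tables is enforced only by copy-paste, and the pre-change files had already drifted (Box.Event sat in a different position in the GreyNoise tables). A small CI check that the AssociatedLogTypes sets of these files are equal, or generating the block from one shared list, would keep them from diverging again.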
@@ -23,6 +28,9 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - "clientIp" @@ -49,6 +57,9 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Box.Event + Selectors: + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" @@ -57,6 +68,10 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" @@ -102,24 +117,48 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" 
@@ -136,6 +175,9 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields @@ -150,6 +192,13 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable @@ -171,6 +220,13 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" @@ -186,6 +242,11 @@ LogTypeMap: - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" 
@@ -219,46 +280,55 @@ LogTypeMap: Selectors: - "dest_ip" - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml index cdc619b5f..df41f9dce 100644 --- a/lookup_tables/greynoise/basic/noise_basic.yml +++ b/lookup_tables/greynoise/basic/noise_basic.yml @@ -14,6 +14,11 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" 
@@ -23,6 +28,9 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - "clientIp" @@ -49,6 +57,9 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Box.Event + Selectors: + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" @@ -57,6 +68,10 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" @@ -102,24 +117,48 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" 
@@ -136,6 +175,9 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields @@ -150,6 +192,13 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable @@ -171,6 +220,13 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" @@ -186,6 +242,11 @@ LogTypeMap: - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" 
@@ -219,46 +280,55 @@ LogTypeMap: Selectors: - "dest_ip" - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml index 3836746ee..0f8b6bc94 100644 --- a/lookup_tables/greynoise/basic/riot_basic.yml +++ b/lookup_tables/greynoise/basic/riot_basic.yml @@ -14,6 +14,11 @@ LogTypeMap: - LogType: AlphaSOC.Alert Selectors: - "$.event.srcIP" + - LogType: Amazon.EKS.Audit + Selectors: + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - "remote_host_ip_address" 
@@ -23,6 +28,9 @@ LogTypeMap: - LogType: Atlassian.Audit Selectors: - "$.attributes.location.ip" + - LogType: Asana.Audit + Selectors: + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - "clientIp" @@ -49,6 +57,9 @@ LogTypeMap: - LogType: AWS.WAFWebACL Selectors: - "$.httpRequest.clientIp" + - LogType: Box.Event + Selectors: + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - "destinationIp" @@ -57,6 +68,10 @@ LogTypeMap: Selectors: - "externalIp" - "internalIp" + - LogType: CiscoUmbrella.IP + Selectors: + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - "destinationIp" @@ -102,24 +117,48 @@ LogTypeMap: - "LocalAddressIP6" - "RemoteAddressIP4" - "RemoteAddressIP6" + - LogType: Crowdstrike.NotManagedAssets + Selectors: + - "aip" + - "CurrentLocalIP" + - LogType: Crowdstrike.ProcessRollup2Stats + Selectors: + - "aip" + - LogType: Crowdstrike.SyntheticProcessRollup2 + Selectors: + - "aip" + - LogType: Crowdstrike.Unknown + Selectors: + - "aip" + - LogType: Crowdstrike.UserIdentity + Selectors: + - "aip" + - LogType: Crowdstrike.UserLogonLogoff + Selectors: + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" + - LogType: Dropbox.TeamEvent + Selectors: + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - "$.access_device.ip" - "$.auth_device.ip" - - LogType: Box.Event - Selectors: - - "ip_address" - LogType: GCP.AuditLog Selectors: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" + - LogType: GCP.HTTPLoadBalancer + Selectors: + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - "remote_ip" 
@@ -136,6 +175,9 @@ LogTypeMap: - LogType: GSuite.Reports Selectors: - "ipAddress" + - LogType: Jamfpro.Login + Selectors: + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields @@ -150,6 +192,13 @@ LogTypeMap: - LogType: Juniper.Security Selectors: - "source_ip" + - LogType: Lacework.AgentManagement + Selectors: + - "IP_ADDR" + - LogType: Lacework.DNSQuery + Selectors: + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable @@ -171,6 +220,13 @@ LogTypeMap: - LogType: Microsoft365.DLP.All Selectors: - "ClientIP" + - LogType: MicrosoftGraph.SecurityAlert + Selectors: + # use p_any_ip_addresses because we extract ip addresses but fields are variable + - "p_any_ip_addresses" + - LogType: MongoDB.ProjectEvent + Selectors: + - "remoteAddress" - LogType: Nginx.Access Selectors: - "remoteAddr" @@ -186,6 +242,11 @@ LogTypeMap: - LogType: OnePassword.SignInAttempt Selectors: - "$.client.ip_address" + - LogType: OSSEC.EventInfo + Selectors: + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - "sourceIP" 
@@ -219,46 +280,55 @@ LogTypeMap: Selectors: - "dest_ip" - "src_ip" + - LogType: Sysdig.Audit + Selectors: + - "$.content.userOriginIP" + - LogType: Workday.Activity + Selectors: + - "ipAddress" + - LogType: Workday.SignOnAttempt + Selectors: + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml index dcd127849..791203eae 100644 --- a/lookup_tables/ipinfo/ipinfo_asn.yml +++ b/lookup_tables/ipinfo/ipinfo_asn.yml 
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange 
Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - 
"$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml index 639798795..7d1706a9b 100644 --- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml 
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange 
Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - 
"$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml index 8417b144b..87ae50159 100644 --- a/lookup_tables/ipinfo/ipinfo_location.yml +++ b/lookup_tables/ipinfo/ipinfo_location.yml 
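Review bot: The GCP.HTTPLoadBalancer selector `"$.jsonPayload.removeIp"` looks like a typo for `remoteIp` — the sibling selectors on the same entry are `$.httpRequest.remoteIp` / `$.httpRequest.serverIp`, and GCP.AuditLog uses `$.httpRequest.remoteIP` — and this hunk only re-quotes it rather than fixing it. A selector path that never resolves fails silently: the load-balancer client IP simply never gets enriched against this table, with no error to surface it. Suggest `- "$.jsonPayload.remoteIp"` (please confirm against the GCP.HTTPLoadBalancer schema before changing). Since this commit makes the LogTypeMap identical across all eleven lookup tables, the same path should be corrected in every copy, not just this file.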
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange 
Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - 
"$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml index 434b13379..af5f81cd0 100644 --- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml 
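Review bot: The `"$.jsonPayload.removeIp"` selector under GCP.HTTPLoadBalancer appears to be a typo for `remoteIp` (compare the adjacent `$.httpRequest.remoteIp`), and the quote normalization in this hunk carries it over unchanged; a mistyped path just yields no match, so the lost enrichment is invisible. Suggest `- "$.jsonPayload.remoteIp"` after verifying the field name in the load-balancer log schema. Separately, the new Amazon.EKS.Audit selectors `$.spec.clusterIP` and `$.requestObject.spec.clusterIP` will, if they resolve to Kubernetes Service ClusterIPs, carry private service-CIDR addresses that a geolocation table cannot resolve; a short comment stating why they are wanted here (e.g. `# clusterIP selectors kept for map parity with the other tables; expected to be private addresses`) would stop the next reader from "fixing" the parity.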
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange 
Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - 
"$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml index 5638c14ee..45dccad22 100644 --- a/lookup_tables/ipinfo/ipinfo_privacy.yml +++ b/lookup_tables/ipinfo/ipinfo_privacy.yml 
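Review bot: `"$.jsonPayload.removeIp"` in the GCP.HTTPLoadBalancer entry is most likely meant to be `remoteIp`, as the neighbouring `$.httpRequest.remoteIp` selector and the GCP.AuditLog entry suggest; this hunk re-quotes the line without correcting it, and a wrong JSONPath does not error, it just never enriches. Suggest `- "$.jsonPayload.remoteIp"` once confirmed against the schema. On the AWS.CloudTrail entry, the new comment says `p_any_ip_addresses` is added for polymorphic events; if that indicator field already includes `sourceIPAddress` (as it appears to for the other log types that rely on it alone), the two selectors overlap and the comment could say so explicitly, e.g. `# sourceIPAddress is kept as the primary selector; p_any_ip_addresses additionally covers IPs nested in request/response parameters`.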
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" + - LogType: GitHub.Audit + Selectors: + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' - - LogType: GitHub.Audit - Selectors: - - 'actor_ip' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - 
LogType: Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - 
'$.content.userOriginIP' + - "$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml index 35ada1b20..7d1fdc813 100644 --- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml 
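Review bot: The `GCP.HTTPLoadBalancer` entry in this hunk keeps the selector `"$.jsonPayload.removeIp"`, which looks like a typo for `remoteIp` — the GCP HTTP(S) load balancer log payload carries `jsonPayload.remoteIp`, and a misspelled path silently matches nothing, so client addresses from that source never get enriched against this table. Since the commit's purpose is to converge every lookup table on one selector set, this is the moment to correct it rather than propagate it: `- "$.jsonPayload.remoteIp"`. The same line appears in the ipinfo_privacy_datalake.yml and tor_exit_nodes.yml hunks below, and presumably in the other files touched by this patch.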
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange 
Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - 
"$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml index 4cae8a3a2..e612f1cae 100644 --- a/lookup_tables/tor/tor_exit_nodes.yml +++ b/lookup_tables/tor/tor_exit_nodes.yml 
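Review bot: Nothing in the change enforces the property the commit title promises — the new-side `AssociatedLogTypes` list in this hunk appears to be a byte-for-byte copy of the one in ipinfo_privacy.yml above, and the two will drift again the next time one file is edited without the other. Consider a small CI test that loads every `lookup_tables/**/*.yml` with a safe YAML loader and asserts that their `LogTypeMap.AssociatedLogTypes` lists are identical, or generating that block from a single shared source. The re-quoting itself is fine.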
@@ -13,324 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.spec.clusterIP' - - '$.requestObject.spec.clusterIP' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: # add p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'sourceIPAddress' - - 'p_any_ip_addresses' + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: 
CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - 
"$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - '$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - 
"ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: 
Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - "$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" From 3c564464d3420ed607d551300d3980af9136edf2 Mon Sep 17 00:00:00 2001 
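Review bot: The `Amazon.EKS.Audit` entry in this hunk adds `"$.sourceIPs"` but keeps `"$.spec.clusterIP"` and `"$.requestObject.spec.clusterIP"`; a Kubernetes Service ClusterIP is allocated from the cluster's internal service CIDR and will never be a Tor exit address, so for this table those two selectors only generate lookups that cannot match. Either drop them here and keep only `- "$.sourceIPs"`, or add a comment above them explaining why the table deliberately keeps internal addresses for parity with the other lookup tables. `sourceIPs` is a list in the Kubernetes audit Event schema — confirm the selector resolver expands array values, since the other `$.` paths in this file point at scalars.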
From: akozlovets098
Date: Tue, 5 Dec 2023 17:01:46 +0200
Subject: [PATCH 2/3] Add new log sources to lookup tables

---
 .../greynoise/advanced/noise_advanced.yml | 162 ++++++++++++++++++
 .../greynoise/advanced/riot_advanced.yml | 162 ++++++++++++++++++
 lookup_tables/greynoise/basic/noise_basic.yml | 162 ++++++++++++++++++
 lookup_tables/greynoise/basic/riot_basic.yml | 162 ++++++++++++++++++
 lookup_tables/ipinfo/ipinfo_asn.yml | 162 ++++++++++++++++++
 lookup_tables/ipinfo/ipinfo_asn_datalake.yml | 162 ++++++++++++++++++
 lookup_tables/ipinfo/ipinfo_location.yml | 162 ++++++++++++++++++
 .../ipinfo/ipinfo_location_datalake.yml | 162 ++++++++++++++++++
 lookup_tables/ipinfo/ipinfo_privacy.yml | 162 ++++++++++++++++++
 .../ipinfo/ipinfo_privacy_datalake.yml | 162 ++++++++++++++++++
 lookup_tables/tor/tor_exit_nodes.yml | 162 ++++++++++++++++++
 11 files changed, 1782 insertions(+)

diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml
index bce7fb4ba..857e8be39 100644
--- a/lookup_tables/greynoise/advanced/noise_advanced.yml
+++ b/lookup_tables/greynoise/advanced/noise_advanced.yml
@@ -19,6 +19,9 @@ LogTypeMap:
 - "$.sourceIPs"
 - "$.spec.clusterIP"
 - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
 - "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
 - LogType: Asana.Audit
 Selectors:
 - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
 - "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
 - LogType: AWS.S3ServerAccess
 Selectors:
 - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
 - LogType: AWS.WAFWebACL
 Selectors:
 - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
 - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
 - "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
 - "destinationIp"
 - "externalIp"
 - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
 - "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
 Selectors:
 - "ClientIP"
 - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
 - "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
 - LogType: Crowdstrike.DNSRequest
 Selectors:
 - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
 - "aip"
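Review bot: The new `AWS.SecurityFindingFormat` entry in the `@@ -46,6 +53,14 @@` hunk selects only the two `RemoteIpDetails.IpAddressV4` paths under `Action`, while ASFF also places addresses under the top-level `Network` object (`SourceIpV4`, `SourceIpV6`, `DestinationIpV4`, `DestinationIpV6`), which is where findings that are not API-call or network-connection actions report them; worth confirming against the ASFF schema and adding `- "$.Network.SourceIpV4"` and `- "$.Network.DestinationIpV4"` at minimum. Related, the entry is IPv4-only, whereas the `CarbonBlack.AlertV2` entry in the next hunk selects both `ipv4` and `ipv6` variants — the two should follow one policy. Minor: `Crowdstrike.CriticalFile` is inserted ahead of `Crowdstrike.ActivityAudit`, against the alphabetical order the rest of the list follows.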
@@ -121,6 +175,9 @@ LogTypeMap:
 Selectors:
 - "aip"
 - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
 - "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
 - LogType: GitLab.API
 Selectors:
 - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
 - "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
 - LogType: GSuite.Reports
 Selectors:
 - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
 - "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
 - LogType: Lacework.AgentManagement
 Selectors:
 - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
 - "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
 - "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
 - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
 - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
 - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
 - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
 - "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
 - LogType: Panther.Audit
 Selectors:
 - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
 - "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
 - LogType: Salesforce.URI
 Selectors:
 - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
 - "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
 - LogType: Sophos.Central
 Selectors:
 - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
 - "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
 - "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
 - "$.id.orig_h"
diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml
index 1b126dd69..a598d1bd8 100644
--- a/lookup_tables/greynoise/advanced/riot_advanced.yml
+++ b/lookup_tables/greynoise/advanced/riot_advanced.yml
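Review bot: `"$.tls.sni"` under the new `Suricata.Alert` entry selects the TLS Server Name Indication, which is a hostname rather than an address, so in a table keyed on IP it can never produce a match and only adds a lookup per alert; drop that line and keep `"$.dest_ip"` and `"$.src_ip"`. In the same hunk `Suricata.Alert` and `Suricata.DHCP` spell their selectors as `$.dest_ip` / `$.src_ip` while `Suricata.FileInfo`, `Suricata.Flow`, `Suricata.HTTP`, `Suricata.SSH` and `Suricata.TLS` use the bare `dest_ip` / `src_ip` form of the existing `Suricata.Anomaly` and `Suricata.DNS` entries; presumably both resolve to the same top-level field, but one spelling would make the block easier to audit. The same `$.tls.sni` selector is repeated in the corresponding hunks of riot_advanced.yml, noise_basic.yml, riot_basic.yml, ipinfo_asn.yml below and, per the diffstat, presumably in the remaining six files.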
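Review bot: The new `Zeek.DHCP` entry in the `@@ -293,6 +445,9 @@` hunk selects only `"requested_addr"`, so neither endpoint of the DHCP exchange gets enriched. Zeek's dhcp.log also records `client_addr`, `server_addr` and `assigned_addr`; if the Zeek.DHCP schema exposes those fields, the selector list should read `- "client_addr"`, `- "server_addr"`, `- "assigned_addr"` ahead of `- "requested_addr"`, since the server and assigned addresses are what an analyst would expect an IP lookup to cover and the requested address alone may not reflect the lease that was actually granted. The same single-selector entry is repeated in the matching hunk of each other lookup-table file in the patch.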
@@ -19,6 +19,9 @@ LogTypeMap:
 - "$.sourceIPs"
 - "$.spec.clusterIP"
 - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
 - "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
 - LogType: Asana.Audit
 Selectors:
 - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
 - "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
 - LogType: AWS.S3ServerAccess
 Selectors:
 - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
 - LogType: AWS.WAFWebACL
 Selectors:
 - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
 - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
 - "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
 - "destinationIp"
 - "externalIp"
 - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
 - "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
 Selectors:
 - "ClientIP"
 - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
 - "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
 - LogType: Crowdstrike.DNSRequest
 Selectors:
 - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
 - "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
 Selectors:
 - "aip"
 - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
 - "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
 - LogType: GitLab.API
 Selectors:
 - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
 - "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
 - LogType: GSuite.Reports
 Selectors:
 - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
 - "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
 - LogType: Lacework.AgentManagement
 Selectors:
 - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
 - "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
 - "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
 - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
 - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
 - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
 - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
 - "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
 - LogType: Panther.Audit
 Selectors:
 - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
 - "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
 - LogType: Salesforce.URI
 Selectors:
 - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
 - "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
 - LogType: Sophos.Central
 Selectors:
 - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
 - "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
 - "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
 - "$.id.orig_h"
diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml
index df41f9dce..72ca271fe 100644
--- a/lookup_tables/greynoise/basic/noise_basic.yml
+++ b/lookup_tables/greynoise/basic/noise_basic.yml
@@ -19,6 +19,9 @@ LogTypeMap:
 - "$.sourceIPs"
 - "$.spec.clusterIP"
 - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
 - "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
 - LogType: Asana.Audit
 Selectors:
 - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
 - "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
 - LogType: AWS.S3ServerAccess
 Selectors:
 - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
 - LogType: AWS.WAFWebACL
 Selectors:
 - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
 - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
 - "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
 - "destinationIp"
 - "externalIp"
 - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
 - "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
 Selectors:
 - "ClientIP"
 - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
 - "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
 - LogType: Crowdstrike.DNSRequest
 Selectors:
 - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
 - "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
 Selectors:
 - "aip"
 - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
 - "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
 - LogType: GitLab.API
 Selectors:
 - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
 - "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
 - LogType: GSuite.Reports
 Selectors:
 - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
 - "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
 - LogType: Lacework.AgentManagement
 Selectors:
 - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
 - "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
 - "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
 - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
 - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
 - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
 - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
 - "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
 - LogType: Panther.Audit
 Selectors:
 - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
 - "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
 - LogType: Salesforce.URI
 Selectors:
 - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
 - "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
 - LogType: Sophos.Central
 Selectors:
 - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
 - "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
 - "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
 - "$.id.orig_h"
diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml
index 0f8b6bc94..737c464cb 100644
--- a/lookup_tables/greynoise/basic/riot_basic.yml
+++ b/lookup_tables/greynoise/basic/riot_basic.yml
@@ -19,6 +19,9 @@ LogTypeMap:
 - "$.sourceIPs"
 - "$.spec.clusterIP"
 - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
 - "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
 - LogType: Asana.Audit
 Selectors:
 - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
 - "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
 - LogType: AWS.S3ServerAccess
 Selectors:
 - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
 - LogType: AWS.WAFWebACL
 Selectors:
 - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
 - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
 - "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
 - "destinationIp"
 - "externalIp"
 - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
 - "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
 Selectors:
 - "ClientIP"
 - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
 - "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
 - LogType: Crowdstrike.DNSRequest
 Selectors:
 - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
 - "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
 Selectors:
 - "aip"
 - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
 - "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
 - LogType: GitLab.API
 Selectors:
 - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
 - "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
 - LogType: GSuite.Reports
 Selectors:
 - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
 - "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
 - LogType: Lacework.AgentManagement
 Selectors:
 - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
 - "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
 - "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
 - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
 - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
 - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
 - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
 - "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
 - LogType: Panther.Audit
 Selectors:
 - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
 - "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
 - LogType: Salesforce.URI
 Selectors:
 - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
 - "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
 - LogType: Sophos.Central
 Selectors:
 - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
 - "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
 - "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
 - "$.id.orig_h"
diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml
index 791203eae..18b4c9ba6 100644
--- a/lookup_tables/ipinfo/ipinfo_asn.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn.yml
@@ -19,6 +19,9 @@ LogTypeMap:
 - "$.sourceIPs"
 - "$.spec.clusterIP"
 - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
 - "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
 - LogType: Asana.Audit
 Selectors:
 - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
 - "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
 - LogType: AWS.S3ServerAccess
 Selectors:
 - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
 - LogType: AWS.WAFWebACL
 Selectors:
 - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
 - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
 - "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
 - "destinationIp"
 - "externalIp"
 - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
 - "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
 Selectors:
 - "ClientIP"
 - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
 - "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
 - LogType: Crowdstrike.DNSRequest
 Selectors:
 - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
 - "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
 Selectors:
 - "aip"
 - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
 - "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
 - LogType: GitLab.API
 Selectors:
 - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
 - "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
 - LogType: GSuite.Reports
 Selectors:
 - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
 - "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
 - LogType: Lacework.AgentManagement
 Selectors:
 - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
 - "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
 - "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
 - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
 - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
 - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
 - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
 - "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
 - LogType: Panther.Audit
 Selectors:
 - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
 - "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
 - LogType: Salesforce.URI
 Selectors:
 - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
 - "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
 - LogType: Sophos.Central
 Selectors:
 - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
 - "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
 - "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
 - "$.id.orig_h"
diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
index 7d1706a9b..e287e31cc 100644
--- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
@@ -19,6 +19,9 @@ LogTypeMap:
- "$.sourceIPs"
- "$.spec.clusterIP"
- "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
- LogType: Asana.Audit
Selectors:
- "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
- LogType: AWS.S3ServerAccess
Selectors:
- "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
- LogType: AWS.VPCDns
Selectors:
# use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
- LogType: Box.Event
Selectors:
- "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
- "destinationIp"
- "externalIp"
- "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
- LogType: Cloudflare.HttpRequest
Selectors:
- "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
Selectors:
- "ClientIP"
- "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ActivityAudit
Selectors:
- "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
- LogType: Crowdstrike.DNSRequest
Selectors:
- "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.AIDMaster
Selectors:
- "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
Selectors:
- "aip"
- "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
- LogType: GitLab.API
Selectors:
- "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
- LogType: GitLab.Production
Selectors:
- "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
- LogType: Jamfpro.Login
Selectors:
- "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
- LogType: Lacework.AgentManagement
Selectors:
- "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
- LogType: Lacework.DNSQuery
Selectors:
- "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
- LogType: Microsoft365.Audit.AzureActiveDirectory
Selectors:
- "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
- LogType: MongoDB.ProjectEvent
Selectors:
- "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
- LogType: Okta.SystemLog
Selectors:
- "$.client.ipAddress"
- LogType: OneLogin.Events
Selectors:
- "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
- LogType: OnePassword.ItemUsage
Selectors:
- "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
- LogType: Panther.Audit
Selectors:
- "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
- LogType: Salesforce.Login
Selectors:
- "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
- LogType: Salesforce.URI
Selectors:
- "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
- LogType: Slack.AccessLogs
Selectors:
- "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
- LogType: Sophos.Central
Selectors:
- "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
- LogType: Suricata.Anomaly
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
- LogType: Suricata.DNS
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
- LogType: Workday.Activity
Selectors:
- "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
- LogType: Zeek.DNS
Selectors:
- "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
- LogType: Zeek.Ssh
Selectors:
- "$.id.orig_h"
diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml
index 87ae50159..6faeb21ec 100644
--- a/lookup_tables/ipinfo/ipinfo_location.yml
+++ b/lookup_tables/ipinfo/ipinfo_location.yml
@@ -19,6 +19,9 @@ LogTypeMap:
- "$.sourceIPs"
- "$.spec.clusterIP"
- "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
- LogType: Asana.Audit
Selectors:
- "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
- LogType: AWS.S3ServerAccess
Selectors:
- "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
- LogType: AWS.VPCDns
Selectors:
# use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
- LogType: Box.Event
Selectors:
- "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
- "destinationIp"
- "externalIp"
- "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
- LogType: Cloudflare.HttpRequest
Selectors:
- "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
Selectors:
- "ClientIP"
- "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ActivityAudit
Selectors:
- "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
- LogType: Crowdstrike.DNSRequest
Selectors:
- "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.AIDMaster
Selectors:
- "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
Selectors:
- "aip"
- "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
- LogType: GitLab.API
Selectors:
- "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
- LogType: GitLab.Production
Selectors:
- "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
- LogType: Jamfpro.Login
Selectors:
- "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
- LogType: Lacework.AgentManagement
Selectors:
- "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
- LogType: Lacework.DNSQuery
Selectors:
- "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
- LogType: Microsoft365.Audit.AzureActiveDirectory
Selectors:
- "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
- LogType: MongoDB.ProjectEvent
Selectors:
- "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
- LogType: Okta.SystemLog
Selectors:
- "$.client.ipAddress"
- LogType: OneLogin.Events
Selectors:
- "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
- LogType: OnePassword.ItemUsage
Selectors:
- "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
- LogType: Panther.Audit
Selectors:
- "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
- LogType: Salesforce.Login
Selectors:
- "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
- LogType: Salesforce.URI
Selectors:
- "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
- LogType: Slack.AccessLogs
Selectors:
- "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
- LogType: Sophos.Central
Selectors:
- "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
- LogType: Suricata.Anomaly
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
- LogType: Suricata.DNS
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
- LogType: Workday.Activity
Selectors:
- "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
- LogType: Zeek.DNS
Selectors:
- "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
- LogType: Zeek.Ssh
Selectors:
- "$.id.orig_h"
diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
index af5f81cd0..cdbcdd6fb 100644
--- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
@@ -19,6 +19,9 @@ LogTypeMap:
- "$.sourceIPs"
- "$.spec.clusterIP"
- "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
- LogType: Asana.Audit
Selectors:
- "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
- LogType: AWS.S3ServerAccess
Selectors:
- "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
- LogType: AWS.VPCDns
Selectors:
# use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
- LogType: Box.Event
Selectors:
- "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
- "destinationIp"
- "externalIp"
- "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
- LogType: Cloudflare.HttpRequest
Selectors:
- "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
Selectors:
- "ClientIP"
- "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ActivityAudit
Selectors:
- "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
- LogType: Crowdstrike.DNSRequest
Selectors:
- "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.AIDMaster
Selectors:
- "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
Selectors:
- "aip"
- "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
- LogType: GitLab.API
Selectors:
- "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
- LogType: GitLab.Production
Selectors:
- "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
- LogType: Jamfpro.Login
Selectors:
- "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
- LogType: Lacework.AgentManagement
Selectors:
- "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
- LogType: Lacework.DNSQuery
Selectors:
- "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
- LogType: Microsoft365.Audit.AzureActiveDirectory
Selectors:
- "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
- LogType: MongoDB.ProjectEvent
Selectors:
- "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
- LogType: Okta.SystemLog
Selectors:
- "$.client.ipAddress"
- LogType: OneLogin.Events
Selectors:
- "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
- LogType: OnePassword.ItemUsage
Selectors:
- "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
- LogType: Panther.Audit
Selectors:
- "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
- LogType: Salesforce.Login
Selectors:
- "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
- LogType: Salesforce.URI
Selectors:
- "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
- LogType: Slack.AccessLogs
Selectors:
- "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
- LogType: Sophos.Central
Selectors:
- "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
- LogType: Suricata.Anomaly
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
- LogType: Suricata.DNS
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
- LogType: Workday.Activity
Selectors:
- "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
- LogType: Zeek.DNS
Selectors:
- "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
- LogType: Zeek.Ssh
Selectors:
- "$.id.orig_h"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml
index 45dccad22..861f4fb3d 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy.yml
@@ -19,6 +19,9 @@ LogTypeMap:
- "$.sourceIPs"
- "$.spec.clusterIP"
- "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
- LogType: Asana.Audit
Selectors:
- "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
- LogType: AWS.S3ServerAccess
Selectors:
- "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
- LogType: AWS.VPCDns
Selectors:
# use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
- LogType: Box.Event
Selectors:
- "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
- "destinationIp"
- "externalIp"
- "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
- LogType: Cloudflare.HttpRequest
Selectors:
- "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
Selectors:
- "ClientIP"
- "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ActivityAudit
Selectors:
- "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
- LogType: Crowdstrike.DNSRequest
Selectors:
- "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.AIDMaster
Selectors:
- "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
Selectors:
- "aip"
- "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
- LogType: GitLab.API
Selectors:
- "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
- LogType: GitLab.Production
Selectors:
- "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
- LogType: Jamfpro.Login
Selectors:
- "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
- LogType: Lacework.AgentManagement
Selectors:
- "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
- LogType: Lacework.DNSQuery
Selectors:
- "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
- LogType: Microsoft365.Audit.AzureActiveDirectory
Selectors:
- "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
- LogType: MongoDB.ProjectEvent
Selectors:
- "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
- LogType: Okta.SystemLog
Selectors:
- "$.client.ipAddress"
- LogType: OneLogin.Events
Selectors:
- "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
- LogType: OnePassword.ItemUsage
Selectors:
- "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
- LogType: Panther.Audit
Selectors:
- "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
- LogType: Salesforce.Login
Selectors:
- "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
- LogType: Salesforce.URI
Selectors:
- "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
- LogType: Slack.AccessLogs
Selectors:
- "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
- LogType: Sophos.Central
Selectors:
- "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
- LogType: Suricata.Anomaly
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
- LogType: Suricata.DNS
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
- LogType: Workday.Activity
Selectors:
- "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
- LogType: Zeek.DNS
Selectors:
- "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
Selectors:
- "$.id.orig_h"
- "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
- LogType: Zeek.Ssh
Selectors:
- "$.id.orig_h"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
index 7d1fdc813..d6d5ef06e 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
@@ -19,6 +19,9 @@ LogTypeMap:
- "$.sourceIPs"
- "$.spec.clusterIP"
- "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
- LogType: Asana.Audit
Selectors:
- "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
- LogType: AWS.S3ServerAccess
Selectors:
- "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
- LogType: AWS.VPCDns
Selectors:
# use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
- LogType: Box.Event
Selectors:
- "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -77,6 +122,9 @@ LogTypeMap:
- "destinationIp"
- "externalIp"
- "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
- LogType: Cloudflare.HttpRequest
Selectors:
- "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
Selectors:
- "ClientIP"
- "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ActivityAudit
Selectors:
- "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
- LogType: Crowdstrike.DNSRequest
Selectors:
- "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.AIDMaster
Selectors:
- "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
Selectors:
- "aip"
- "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
- LogType: GitLab.API
Selectors:
- "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
- LogType: GitLab.Production
Selectors:
- "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
- LogType: Jamfpro.Login
Selectors:
- "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
- LogType: Lacework.AgentManagement
Selectors:
- "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
- LogType: Lacework.DNSQuery
Selectors:
- "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
- LogType: Microsoft365.Audit.AzureActiveDirectory
Selectors:
- "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
- LogType: MongoDB.ProjectEvent
Selectors:
- "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
- LogType: Okta.SystemLog
Selectors:
- "$.client.ipAddress"
- LogType: OneLogin.Events
Selectors:
- "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
- LogType: OnePassword.ItemUsage
Selectors:
- "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
- LogType: Panther.Audit
Selectors:
- "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
- LogType: Salesforce.Login
Selectors:
- "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
- LogType: Salesforce.URI
Selectors:
- "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
- LogType: Slack.AccessLogs
Selectors:
- "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
 - LogType: Sophos.Central
 Selectors:
 - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
 - "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
 - "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
 - "$.id.orig_h"
diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml
index e612f1cae..5c5be4295 100644
--- a/lookup_tables/tor/tor_exit_nodes.yml
+++ b/lookup_tables/tor/tor_exit_nodes.yml
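Review bot: `$.tls.sni` in the new `Suricata.Alert` entry is the TLS server-name hostname, not an address, so it can never key an IP-based enrichment table and the selector list resolves to the wrong field type; drop `- "$.tls.sni"` and keep `$.dest_ip`/`$.src_ip`. In the same hunk `Suricata.Alert` and `Suricata.DHCP` use the `$.`-prefixed form while `Suricata.FileInfo`, `Flow`, `HTTP`, `SSH` and `TLS` use bare `dest_ip`/`src_ip`; both presumably resolve the same top-level field, but one form per log family reads better and is easier to keep in sync across the copies. The identical hunk recurs in the `lookup_tables/tor/tor_exit_nodes.yml` section below and needs the same fix.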
@@ -19,6 +19,9 @@ LogTypeMap:
 - "$.sourceIPs"
 - "$.spec.clusterIP"
 - "$.requestObject.spec.clusterIP"
+ - LogType: Anomali.Indicator
+ Selectors:
+ - "ip"
 - LogType: Apache.AccessCombined
 Selectors:
 - "remote_host_ip_address"
@@ -31,6 +34,10 @@ LogTypeMap:
 - LogType: Asana.Audit
 Selectors:
 - "$.context.client_ip_address"
+ - LogType: Auth0.Events
+ Selectors:
+ - "$.data.ip"
+ - "$.data.client_ip"
 - LogType: AWS.ALB
 Selectors:
 - "clientIp"
@@ -46,6 +53,14 @@ LogTypeMap:
 - LogType: AWS.S3ServerAccess
 Selectors:
 - "remoteip"
+ - LogType: AWS.SecurityFindingFormat
+ Selectors:
+ - "$.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4"
+ - "$.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4"
+ - LogType: AWS.TransitGatewayFlow
+ Selectors:
+ - "srcAddr"
+ - "dstAddr"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
@@ -57,9 +72,39 @@ LogTypeMap:
 - LogType: AWS.WAFWebACL
 Selectors:
 - "$.httpRequest.clientIp"
+ - LogType: Azure.Audit
+ Selectors:
+ - "callerIpAddress"
+ - "$.properties.initiatedBy.user.ipAddress"
+ - LogType: Bitwarden.Events
+ Selectors:
+ - "ipAddress"
 - LogType: Box.Event
 Selectors:
 - "ip_address"
+ - LogType: CarbonBlack.AlertV2
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
+ - "netconn_local_ip"
+ - "netconn_local_ipv4"
+ - "netconn_local_ipv6"
+ - "netconn_remote_ip"
+ - "netconn_remote_ipv4"
+ - "netconn_remote_ipv6"
+ - LogType: CarbonBlack.Audit
+ Selectors:
+ - "clientIp"
+ - LogType: CarbonBlack.EndpointEvent
+ Selectors:
+ - "device_external_ip"
+ - "local_ip"
+ - "remote_ip"
+ - "netconn_proxy_ip"
+ - LogType: CarbonBlack.WatchlistHit
+ Selectors:
+ - "device_external_ip"
+ - "device_internal_ip"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
 - "destinationIp"
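Review bot: The `AWS.SecurityFindingFormat` selectors in the third hunk only read `RemoteIpDetails.IpAddressV4` under the two `Action` variants; ASFF also carries endpoint addresses in its `Network` object (`Network.SourceIpV4`, `Network.SourceIpV6`, `Network.DestinationIpV4`, `Network.DestinationIpV6`), which is what network-oriented findings typically populate, so those findings would get no Tor-exit enrichment as written. If the Panther schema for this log type exposes that object, adding `- "$.Network.SourceIpV4"` and `- "$.Network.DestinationIpV4"` (plus the V6 pair) would close the gap; this is worth checking against a sample finding rather than assuming either way. The same entry presumably appears in the other ten tables of this series, since the stated goal is an identical list everywhere.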
@@ -77,6 +122,9 @@ LogTypeMap:
 - "destinationIp"
 - "externalIp"
 - "internalIp"
+ - LogType: Cloudflare.Audit
+ Selectors:
+ - "ActorIP"
 - LogType: Cloudflare.HttpRequest
 Selectors:
 - "ClientIP"
@@ -89,6 +137,9 @@ LogTypeMap:
 Selectors:
 - "ClientIP"
 - "OriginIP"
+ - LogType: Crowdstrike.CriticalFile
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
 - "UserIp"
@@ -99,6 +150,9 @@ LogTypeMap:
 - LogType: Crowdstrike.DNSRequest
 Selectors:
 - "IpAddress"
+ - LogType: Crowdstrike.GroupIdentity
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
 - "aip"
@@ -121,6 +175,9 @@ LogTypeMap:
 Selectors:
 - "aip"
 - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2
+ Selectors:
+ - "aip"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
 - "aip"
@@ -162,6 +219,9 @@ LogTypeMap:
 - LogType: GitLab.API
 Selectors:
 - "remote_ip"
+ - LogType: GitLab.Audit
+ Selectors:
+ - "ip_address"
 - LogType: GitLab.Production
 Selectors:
 - "remote_ip"
@@ -175,6 +235,10 @@ LogTypeMap:
 - LogType: GSuite.Reports
 Selectors:
 - "ipAddress"
+ - LogType: Jamfpro.ComplianceReporter
+ Selectors:
+ - "$.process.terminal_id.ip_address"
+ - "$.socket_inet.ip_address"
 - LogType: Jamfpro.Login
 Selectors:
 - "ipAddress"
@@ -195,6 +259,9 @@ LogTypeMap:
 - LogType: Lacework.AgentManagement
 Selectors:
 - "IP_ADDR"
+ - LogType: Lacework.Applications
+ Selectors:
+ - "$.PROPS_MACHINE.ip_addr"
 - LogType: Lacework.DNSQuery
 Selectors:
 - "DNS_SERVER_IP"
@@ -203,6 +270,25 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: Lacework.Interfaces
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.InternalIPA
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.MachineSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.PodSummary
+ Selectors:
+ - "PRIMARY_IP_ADDR"
+ - LogType: Lacework.UserLogin
+ Selectors:
+ - "SOURCE_IP_ADDR"
+ - LogType: Linux.Auditd
+ Selectors:
+ - "addr"
+ - "ip"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
 - "ActorIpAddress"
@@ -224,18 +310,27 @@ LogTypeMap:
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
 - "p_any_ip_addresses"
+ - LogType: MongoDB.OrganizationEvent
+ Selectors:
+ - "remoteAddress"
 - LogType: MongoDB.ProjectEvent
 Selectors:
 - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
 - "remoteAddr"
+ - LogType: Notion.AuditLogs
+ Selectors:
+ - "$.event.ip_address"
 - LogType: Okta.SystemLog
 Selectors:
 - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
 - "ipaddr"
+ - LogType: OnePassword.AuditEvent
+ Selectors:
+ - "$.session.ip"
 - LogType: OnePassword.ItemUsage
 Selectors:
 - "$.client.ip_address"
@@ -250,6 +345,10 @@ LogTypeMap:
 - LogType: Panther.Audit
 Selectors:
 - "sourceIP"
+ - LogType: Tenable.Vulnerability
+ Selectors:
+ - "$.asset.ipv6"
+ - "$.asset.ipv4"
 - LogType: Salesforce.Login
 Selectors:
 - "CLIENT_IP"
@@ -263,6 +362,16 @@ LogTypeMap:
 - LogType: Salesforce.URI
 Selectors:
 - "CLIENT_IP"
+ - LogType: SentinelOne.DeepVisibility
+ Selectors:
+ - "$.event.sourceAddress.address"
+ - "$.event.destinationAddress.address"
+ - "$.event.local.address"
+ - LogType: SentinelOne.DeepVisibilityV2
+ Selectors:
+ - "src_ip_address"
+ - "dst_ip_address"
+ - "src_endpoint_ip_address"
 - LogType: Slack.AccessLogs
 Selectors:
 - "ip"
@@ -272,17 +381,60 @@ LogTypeMap:
 - LogType: Sophos.Central
 Selectors:
 - "$.source_info.ip"
+ - LogType: Suricata.Alert
+ Selectors:
+ - "$.tls.sni"
+ - "$.dest_ip"
+ - "$.src_ip"
 - LogType: Suricata.Anomaly
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.DHCP
+ Selectors:
+ - "$.dest_ip"
+ - "$.dhcp.assigned_ip"
+ - "$.src_ip"
 - LogType: Suricata.DNS
 Selectors:
 - "dest_ip"
 - "src_ip"
+ - LogType: Suricata.FileInfo
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.Flow
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.HTTP
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.SSH
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
+ - LogType: Suricata.TLS
+ Selectors:
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
+ - LogType: Tailscale.Network
+ Selectors:
+ - "$.event.virtualTraffic.srcIp"
+ - "$.event.virtualTraffic.dstIp"
+ - "$.event.subnetTraffic.srcIp"
+ - "$.event.subnetTraffic.dstIp"
+ - "$.event.exitTraffic.srcIp"
+ - "$.event.exitTraffic.dstIp"
+ - "$.event.physicalTraffic.srcIp"
+ - "$.event.physicalTraffic.dstIp"
+ - LogType: Tines.Audit
+ Selectors:
+ - "request_ip"
 - LogType: Workday.Activity
 Selectors:
 - "ipAddress"
@@ -293,6 +445,9 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.DHCP
+ Selectors:
+ - "requested_addr"
 - LogType: Zeek.DNS
 Selectors:
 - "$.id.orig_h"
@@ -313,6 +468,13 @@ LogTypeMap:
 Selectors:
 - "$.id.orig_h"
 - "$.id.resp_h"
+ - LogType: Zeek.SIP
+ Selectors:
+ - "$.id.orig_h"
+ - "$.id.resp_h"
+ - LogType: Zeek.Software
+ Selectors:
+ - "host"
 - LogType: Zeek.Ssh
 Selectors:
 - "$.id.orig_h"
From 0e896753fc9f7a8392d518d3d3c3774efe657be1 Mon Sep 17 00:00:00 2001
From: akozlovets098 Date: Wed, 6 Dec 2023 17:02:38 +0200 Subject: [PATCH 3/3] Fix Tailscale.Network selectors to be able to reach attribute of the object in array --- .../greynoise/advanced/noise_advanced.yml | 16 ++++++++-------- .../greynoise/advanced/riot_advanced.yml | 16 ++++++++-------- lookup_tables/greynoise/basic/noise_basic.yml | 16 ++++++++-------- lookup_tables/greynoise/basic/riot_basic.yml | 16 ++++++++-------- lookup_tables/ipinfo/ipinfo_asn.yml | 16 ++++++++-------- lookup_tables/ipinfo/ipinfo_asn_datalake.yml | 16 ++++++++-------- lookup_tables/ipinfo/ipinfo_location.yml | 16 ++++++++-------- .../ipinfo/ipinfo_location_datalake.yml | 16 ++++++++-------- lookup_tables/ipinfo/ipinfo_privacy.yml | 16 ++++++++-------- lookup_tables/ipinfo/ipinfo_privacy_datalake.yml | 16 ++++++++-------- lookup_tables/tor/tor_exit_nodes.yml | 16 ++++++++-------- 11 files changed, 88 insertions(+), 88 deletions(-)
diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml
index 857e8be39..a09f5d3c3 100644
--- a/lookup_tables/greynoise/advanced/noise_advanced.yml
+++ b/lookup_tables/greynoise/advanced/noise_advanced.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
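Review bot: The `[]` step in the rewritten Tailscale selectors is the JMESPath-style projection rather than the JSONPath wildcard (`[*]`), and nothing on this page shows which grammar the lookup-table selector parser accepts, so the fix should be confirmed with a sample `Tailscale.Network` event in which `virtualTraffic` holds more than one element before it is replicated into all eleven tables. The commit message says the dotted path could not reach into the array, which is consistent with `[]` being the supported form, but a schema or lookup test exercising one of these paths would make that explicit and would catch the next regression of this kind. The identical hunk is repeated in the riot_advanced, noise_basic, riot_basic, ipinfo_asn, ipinfo_asn_datalake, ipinfo_location, ipinfo_location_datalake, ipinfo_privacy, ipinfo_privacy_datalake and tor_exit_nodes sections that follow; the eleven hand-maintained copies are the reason a single error has to be fixed eleven times.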
diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml
index a598d1bd8..ae82a0797 100644
--- a/lookup_tables/greynoise/advanced/riot_advanced.yml
+++ b/lookup_tables/greynoise/advanced/riot_advanced.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml
index 72ca271fe..dcb235596 100644
--- a/lookup_tables/greynoise/basic/noise_basic.yml
+++ b/lookup_tables/greynoise/basic/noise_basic.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml
index 737c464cb..0705637d2 100644
--- a/lookup_tables/greynoise/basic/riot_basic.yml
+++ b/lookup_tables/greynoise/basic/riot_basic.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml
index 18b4c9ba6..a9f7602d7 100644
--- a/lookup_tables/ipinfo/ipinfo_asn.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
index e287e31cc..de1b02e2f 100644
--- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml
index 6faeb21ec..9aff65042 100644
--- a/lookup_tables/ipinfo/ipinfo_location.yml
+++ b/lookup_tables/ipinfo/ipinfo_location.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
index cdbcdd6fb..da657eeb9 100644
--- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml
index 861f4fb3d..da7781172 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
index d6d5ef06e..5e4b45faa 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml
index 5c5be4295..9e1011174 100644
--- a/lookup_tables/tor/tor_exit_nodes.yml
+++ b/lookup_tables/tor/tor_exit_nodes.yml
@@ -424,14 +424,14 @@ LogTypeMap:
 - "$.content.userOriginIP"
 - LogType: Tailscale.Network
 Selectors:
- - "$.event.virtualTraffic.srcIp"
- - "$.event.virtualTraffic.dstIp"
- - "$.event.subnetTraffic.srcIp"
- - "$.event.subnetTraffic.dstIp"
- - "$.event.exitTraffic.srcIp"
- - "$.event.exitTraffic.dstIp"
- - "$.event.physicalTraffic.srcIp"
- - "$.event.physicalTraffic.dstIp"
+ - "$.event.virtualTraffic[].srcIp"
+ - "$.event.virtualTraffic[].dstIp"
+ - "$.event.subnetTraffic[].srcIp"
+ - "$.event.subnetTraffic[].dstIp"
+ - "$.event.exitTraffic[].srcIp"
+ - "$.event.exitTraffic[].dstIp"
+ - "$.event.physicalTraffic[].srcIp"
+ - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"