Use the same set of log sources in all lookup tables
akozlovets098 committed Dec 5, 2023
1 parent 19e3b7b commit c9374fb
Showing 11 changed files with 1,340 additions and 1,035 deletions.
120 changes: 95 additions & 25 deletions lookup_tables/greynoise/advanced/noise_advanced.yml
Expand Up @@ -14,6 +14,11 @@ LogTypeMap:
- LogType: AlphaSOC.Alert
Selectors:
- "$.event.srcIP"
- LogType: Amazon.EKS.Audit
Selectors:
- "$.sourceIPs"
- "$.spec.clusterIP"
- "$.requestObject.spec.clusterIP"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
Expand All @@ -23,6 +28,9 @@ LogTypeMap:
- LogType: Atlassian.Audit
Selectors:
- "$.attributes.location.ip"
- LogType: Asana.Audit
Selectors:
- "$.context.client_ip_address"
- LogType: AWS.ALB
Selectors:
- "clientIp"
Expand All @@ -49,6 +57,9 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
- LogType: Box.Event
Selectors:
- "ip_address"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
Expand All @@ -57,6 +68,10 @@ LogTypeMap:
Selectors:
- "externalIp"
- "internalIp"
- LogType: CiscoUmbrella.IP
Selectors:
- "destinationIp"
- "sourceIp"
- LogType: CiscoUmbrella.Proxy
Selectors:
- "destinationIp"
Expand Down Expand Up @@ -102,24 +117,48 @@ LogTypeMap:
- "LocalAddressIP6"
- "RemoteAddressIP4"
- "RemoteAddressIP6"
- LogType: Crowdstrike.NotManagedAssets
Selectors:
- "aip"
- "CurrentLocalIP"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- "aip"
- LogType: Crowdstrike.SyntheticProcessRollup2
Selectors:
- "aip"
- LogType: Crowdstrike.Unknown
Selectors:
- "aip"
- LogType: Crowdstrike.UserIdentity
Selectors:
- "aip"
- LogType: Crowdstrike.UserLogonLogoff
Selectors:
- "aip"
- LogType: Crowdstrike.FDREvent
Selectors:
- 'p_any_ip_addresses'
- "p_any_ip_addresses"
- LogType: Dropbox.TeamEvent
Selectors:
- "$.origin.geo_location.ip_address"
- LogType: Duo.Authentication
Selectors:
- "$.access_device.ip"
- "$.auth_device.ip"
- LogType: Box.Event
Selectors:
- "ip_address"
- LogType: GCP.AuditLog
Selectors:
- "$.protoPayload.requestMetadata.callerIP"
- "$.httpRequest.remoteIP"
- "$.httpRequest.serverIP"
- LogType: GCP.HTTPLoadBalancer
Selectors:
- "$.jsonPayload.removeIp"
- "$.httpRequest.remoteIp"
- "$.httpRequest.serverIp"
- LogType: GitHub.Audit
Selectors:
- 'actor_ip'
- "actor_ip"
- LogType: GitLab.API
Selectors:
- "remote_ip"
Expand All @@ -136,6 +175,9 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
- LogType: Jamfpro.Login
Selectors:
- "ipAddress"
- LogType: Juniper.Access
Selectors:
# use p_any_ip_addresses because we extract ip addresses but have no fields
Expand All @@ -150,6 +192,13 @@ LogTypeMap:
- LogType: Juniper.Security
Selectors:
- "source_ip"
- LogType: Lacework.AgentManagement
Selectors:
- "IP_ADDR"
- LogType: Lacework.DNSQuery
Selectors:
- "DNS_SERVER_IP"
- "HOST_IP_ADDR"
- LogType: Lacework.Events
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
Expand All @@ -171,6 +220,13 @@ LogTypeMap:
- LogType: Microsoft365.DLP.All
Selectors:
- "ClientIP"
- LogType: MicrosoftGraph.SecurityAlert
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
- LogType: MongoDB.ProjectEvent
Selectors:
- "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
Expand All @@ -186,6 +242,11 @@ LogTypeMap:
- LogType: OnePassword.SignInAttempt
Selectors:
- "$.client.ip_address"
- LogType: OSSEC.EventInfo
Selectors:
- "agentip"
- "dstip"
- "srcip"
- LogType: Panther.Audit
Selectors:
- "sourceIP"
Expand Down Expand Up @@ -219,46 +280,55 @@ LogTypeMap:
Selectors:
- "dest_ip"
- "src_ip"
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Workday.Activity
Selectors:
- "ipAddress"
- LogType: Workday.SignOnAttempt
Selectors:
- "Session_IP_Address"
- LogType: Zeek.Conn
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.DNS
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.DPD
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.HTTP
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.Notice
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.NTP
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.Ssh
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.Ssl
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.Tunnel
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zeek.Weird
Selectors:
- '$.id.orig_h'
- '$.id.resp_h'
- "$.id.orig_h"
- "$.id.resp_h"
- LogType: Zendesk.Audit
Selectors:
- "ip_address"
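Review bot: The GCP.HTTPLoadBalancer selector `$.jsonPayload.removeIp` looks like a typo for `$.jsonPayload.remoteIp`, and the hunk adds `$.httpRequest.remoteIp` right below it without correcting it; the old/new counts for this hunk (-102,24 +117,48) suggest the line is unchanged context, so it survives on the new side. A JSON-path selector that never matches fails silently — events whose client address is only present under `jsonPayload` would simply receive no GreyNoise enrichment, with no error to surface the gap. If the field in the log schema is `remoteIp` (it is in the `httpRequest` block this same hunk references), change the line to `- "$.jsonPayload.remoteIp"`. The commit touches ten other lookup-table files not shown here; if the same selector list was copied into them, the same fix applies there.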