diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml
index 8d0522435..bce7fb4ba 100644
--- a/lookup_tables/greynoise/advanced/noise_advanced.yml
+++ b/lookup_tables/greynoise/advanced/noise_advanced.yml
@@ -14,6 +14,11 @@ LogTypeMap:
- LogType: AlphaSOC.Alert
Selectors:
- "$.event.srcIP"
+ - LogType: Amazon.EKS.Audit
+ Selectors:
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -23,6 +28,9 @@ LogTypeMap:
- LogType: Atlassian.Audit
Selectors:
- "$.attributes.location.ip"
+ - LogType: Asana.Audit
+ Selectors:
+ - "$.context.client_ip_address"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -49,6 +57,9 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Box.Event
+ Selectors:
+ - "ip_address"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -57,6 +68,10 @@ LogTypeMap:
Selectors:
- "externalIp"
- "internalIp"
+ - LogType: CiscoUmbrella.IP
+ Selectors:
+ - "destinationIp"
+ - "sourceIp"
- LogType: CiscoUmbrella.Proxy
Selectors:
- "destinationIp"
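Review bot: The two ClusterIP selectors added under Amazon.EKS.Audit in the first hunk, `$.spec.clusterIP` and `$.requestObject.spec.clusterIP`, point at a Service's cluster-internal virtual address, which is allocated from the cluster's service CIDR and never appears on the internet, so a GreyNoise lookup on it cannot match anything useful; `$.sourceIPs` is the selector that carries the caller address this table classifies. `$.spec.clusterIP` at the event root also looks doubtful: if this log type follows the upstream audit.k8s.io Event shape, the request body lives under `requestObject`/`responseObject` and there is no top-level `spec`, so that selector would presumably never resolve. I would keep only `- "$.sourceIPs"` here, or, if the cluster IPs are wanted for another join, explain why in a comment in the style of the existing p_any_ip_addresses notes. The same three lines are added in the first hunk of riot_advanced.yml, noise_basic.yml and riot_basic.yml and in the Amazon.EKS.Audit entry of ipinfo_asn.yml and ipinfo_asn_datalake.yml.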
@@ -102,24 +117,48 @@ LogTypeMap:
- "LocalAddressIP6"
- "RemoteAddressIP4"
- "RemoteAddressIP6"
+ - LogType: Crowdstrike.NotManagedAssets
+ Selectors:
+ - "aip"
+ - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2Stats
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.SyntheticProcessRollup2
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.Unknown
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserIdentity
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserLogonLogoff
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.FDREvent
Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: Dropbox.TeamEvent
+ Selectors:
+ - "$.origin.geo_location.ip_address"
- LogType: Duo.Authentication
Selectors:
- "$.access_device.ip"
- "$.auth_device.ip"
- - LogType: Box.Event
- Selectors:
- - "ip_address"
- LogType: GCP.AuditLog
Selectors:
- "$.protoPayload.requestMetadata.callerIP"
- "$.httpRequest.remoteIP"
- "$.httpRequest.serverIP"
+ - LogType: GCP.HTTPLoadBalancer
+ Selectors:
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
- LogType: GitHub.Audit
Selectors:
- - 'actor_ip'
+ - "actor_ip"
- LogType: GitLab.API
Selectors:
- "remote_ip"
@@ -136,6 +175,9 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.Login
+ Selectors:
+ - "ipAddress"
- LogType: Juniper.Access
Selectors:
# use p_any_ip_addresses because we extract ip addresses but have no fields
@@ -150,6 +192,13 @@ LogTypeMap:
- LogType: Juniper.Security
Selectors:
- "source_ip"
+ - LogType: Lacework.AgentManagement
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.DNSQuery
+ Selectors:
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
- LogType: Lacework.Events
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
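Review bot: `$.jsonPayload.removeIp` in the new GCP.HTTPLoadBalancer entry of the first hunk here looks like a typo for `$.jsonPayload.remoteIp`, the field that carries the client address in Cloud Load Balancing request logs; a selector that names a field the schema never populates presumably just yields nothing to look up, so the mistake would go unnoticed rather than fail loudly. Suggested line: `- "$.jsonPayload.remoteIp"`, after confirming the field name against the GCP.HTTPLoadBalancer schema. The same selector is added in the matching hunk of riot_advanced.yml, noise_basic.yml and riot_basic.yml and is carried over unchanged (only requoted) in ipinfo_asn.yml and ipinfo_asn_datalake.yml, so all six copies should be corrected together.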
@@ -171,6 +220,13 @@ LogTypeMap:
- LogType: Microsoft365.DLP.All
Selectors:
- "ClientIP"
+ - LogType: MicrosoftGraph.SecurityAlert
+ Selectors:
+ # use p_any_ip_addresses because we extract ip addresses but fields are variable
+ - "p_any_ip_addresses"
+ - LogType: MongoDB.ProjectEvent
+ Selectors:
+ - "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
@@ -186,6 +242,11 @@ LogTypeMap:
- LogType: OnePassword.SignInAttempt
Selectors:
- "$.client.ip_address"
+ - LogType: OSSEC.EventInfo
+ Selectors:
+ - "agentip"
+ - "dstip"
+ - "srcip"
- LogType: Panther.Audit
Selectors:
- "sourceIP"
@@ -219,46 +280,55 @@ LogTypeMap:
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Sysdig.Audit
+ Selectors:
+ - "$.content.userOriginIP"
+ - LogType: Workday.Activity
+ Selectors:
+ - "ipAddress"
+ - LogType: Workday.SignOnAttempt
+ Selectors:
+ - "Session_IP_Address"
- LogType: Zeek.Conn
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DNS
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DPD
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.HTTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Notice
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.NTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssh
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssl
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Tunnel
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Weird
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zendesk.Audit
Selectors:
- "ip_address"
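Review bot: Everything added in this file's hunks is repeated verbatim in riot_advanced.yml, noise_basic.yml and riot_basic.yml, and the diff shows what hand-synchronising six copies costs: Box.Event had to be moved and the Crowdstrike, Dropbox, GCP.HTTPLoadBalancer, Jamfpro, Lacework, OSSEC, Sysdig and Workday entries had to be added because these four GreyNoise tables had drifted behind the ipinfo tables, which already carried them. Keeping one LogTypeMap source and copying or generating it into the per-table files would stop the next log type from landing in some lookup tables and not others. Failing that, a comment at the head of LogTypeMap such as `# keep in sync with the other greynoise/* and ipinfo/* lookup tables` would at least flag the coupling; LogTypeMap's opening lines are outside these hunks.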
diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml
index e6f4d5353..1b126dd69 100644
--- a/lookup_tables/greynoise/advanced/riot_advanced.yml
+++ b/lookup_tables/greynoise/advanced/riot_advanced.yml
@@ -14,6 +14,11 @@ LogTypeMap:
- LogType: AlphaSOC.Alert
Selectors:
- "$.event.srcIP"
+ - LogType: Amazon.EKS.Audit
+ Selectors:
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -23,6 +28,9 @@ LogTypeMap:
- LogType: Atlassian.Audit
Selectors:
- "$.attributes.location.ip"
+ - LogType: Asana.Audit
+ Selectors:
+ - "$.context.client_ip_address"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -49,6 +57,9 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Box.Event
+ Selectors:
+ - "ip_address"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -57,6 +68,10 @@ LogTypeMap:
Selectors:
- "externalIp"
- "internalIp"
+ - LogType: CiscoUmbrella.IP
+ Selectors:
+ - "destinationIp"
+ - "sourceIp"
- LogType: CiscoUmbrella.Proxy
Selectors:
- "destinationIp"
@@ -102,24 +117,48 @@ LogTypeMap:
- "LocalAddressIP6"
- "RemoteAddressIP4"
- "RemoteAddressIP6"
+ - LogType: Crowdstrike.NotManagedAssets
+ Selectors:
+ - "aip"
+ - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2Stats
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.SyntheticProcessRollup2
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.Unknown
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserIdentity
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserLogonLogoff
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.FDREvent
Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: Dropbox.TeamEvent
+ Selectors:
+ - "$.origin.geo_location.ip_address"
- LogType: Duo.Authentication
Selectors:
- "$.access_device.ip"
- "$.auth_device.ip"
- - LogType: Box.Event
- Selectors:
- - "ip_address"
- LogType: GCP.AuditLog
Selectors:
- "$.protoPayload.requestMetadata.callerIP"
- "$.httpRequest.remoteIP"
- "$.httpRequest.serverIP"
+ - LogType: GCP.HTTPLoadBalancer
+ Selectors:
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
- LogType: GitHub.Audit
Selectors:
- - 'actor_ip'
+ - "actor_ip"
- LogType: GitLab.API
Selectors:
- "remote_ip"
@@ -136,6 +175,9 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.Login
+ Selectors:
+ - "ipAddress"
- LogType: Juniper.Access
Selectors:
# use p_any_ip_addresses because we extract ip addresses but have no fields
@@ -150,6 +192,13 @@ LogTypeMap:
- LogType: Juniper.Security
Selectors:
- "source_ip"
+ - LogType: Lacework.AgentManagement
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.DNSQuery
+ Selectors:
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
- LogType: Lacework.Events
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
@@ -171,6 +220,13 @@ LogTypeMap:
- LogType: Microsoft365.DLP.All
Selectors:
- "ClientIP"
+ - LogType: MicrosoftGraph.SecurityAlert
+ Selectors:
+ # use p_any_ip_addresses because we extract ip addresses but fields are variable
+ - "p_any_ip_addresses"
+ - LogType: MongoDB.ProjectEvent
+ Selectors:
+ - "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
@@ -186,6 +242,11 @@ LogTypeMap:
- LogType: OnePassword.SignInAttempt
Selectors:
- "$.client.ip_address"
+ - LogType: OSSEC.EventInfo
+ Selectors:
+ - "agentip"
+ - "dstip"
+ - "srcip"
- LogType: Panther.Audit
Selectors:
- "sourceIP"
@@ -219,46 +280,55 @@ LogTypeMap:
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Sysdig.Audit
+ Selectors:
+ - "$.content.userOriginIP"
+ - LogType: Workday.Activity
+ Selectors:
+ - "ipAddress"
+ - LogType: Workday.SignOnAttempt
+ Selectors:
+ - "Session_IP_Address"
- LogType: Zeek.Conn
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DNS
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DPD
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.HTTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Notice
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.NTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssh
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssl
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Tunnel
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Weird
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zendesk.Audit
Selectors:
- "ip_address"
diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml
index cdc619b5f..df41f9dce 100644
--- a/lookup_tables/greynoise/basic/noise_basic.yml
+++ b/lookup_tables/greynoise/basic/noise_basic.yml
@@ -14,6 +14,11 @@ LogTypeMap:
- LogType: AlphaSOC.Alert
Selectors:
- "$.event.srcIP"
+ - LogType: Amazon.EKS.Audit
+ Selectors:
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -23,6 +28,9 @@ LogTypeMap:
- LogType: Atlassian.Audit
Selectors:
- "$.attributes.location.ip"
+ - LogType: Asana.Audit
+ Selectors:
+ - "$.context.client_ip_address"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -49,6 +57,9 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Box.Event
+ Selectors:
+ - "ip_address"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -57,6 +68,10 @@ LogTypeMap:
Selectors:
- "externalIp"
- "internalIp"
+ - LogType: CiscoUmbrella.IP
+ Selectors:
+ - "destinationIp"
+ - "sourceIp"
- LogType: CiscoUmbrella.Proxy
Selectors:
- "destinationIp"
@@ -102,24 +117,48 @@ LogTypeMap:
- "LocalAddressIP6"
- "RemoteAddressIP4"
- "RemoteAddressIP6"
+ - LogType: Crowdstrike.NotManagedAssets
+ Selectors:
+ - "aip"
+ - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2Stats
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.SyntheticProcessRollup2
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.Unknown
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserIdentity
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserLogonLogoff
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.FDREvent
Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: Dropbox.TeamEvent
+ Selectors:
+ - "$.origin.geo_location.ip_address"
- LogType: Duo.Authentication
Selectors:
- "$.access_device.ip"
- "$.auth_device.ip"
- - LogType: Box.Event
- Selectors:
- - "ip_address"
- LogType: GCP.AuditLog
Selectors:
- "$.protoPayload.requestMetadata.callerIP"
- "$.httpRequest.remoteIP"
- "$.httpRequest.serverIP"
+ - LogType: GCP.HTTPLoadBalancer
+ Selectors:
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
- LogType: GitHub.Audit
Selectors:
- - 'actor_ip'
+ - "actor_ip"
- LogType: GitLab.API
Selectors:
- "remote_ip"
@@ -136,6 +175,9 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.Login
+ Selectors:
+ - "ipAddress"
- LogType: Juniper.Access
Selectors:
# use p_any_ip_addresses because we extract ip addresses but have no fields
@@ -150,6 +192,13 @@ LogTypeMap:
- LogType: Juniper.Security
Selectors:
- "source_ip"
+ - LogType: Lacework.AgentManagement
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.DNSQuery
+ Selectors:
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
- LogType: Lacework.Events
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
@@ -171,6 +220,13 @@ LogTypeMap:
- LogType: Microsoft365.DLP.All
Selectors:
- "ClientIP"
+ - LogType: MicrosoftGraph.SecurityAlert
+ Selectors:
+ # use p_any_ip_addresses because we extract ip addresses but fields are variable
+ - "p_any_ip_addresses"
+ - LogType: MongoDB.ProjectEvent
+ Selectors:
+ - "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
@@ -186,6 +242,11 @@ LogTypeMap:
- LogType: OnePassword.SignInAttempt
Selectors:
- "$.client.ip_address"
+ - LogType: OSSEC.EventInfo
+ Selectors:
+ - "agentip"
+ - "dstip"
+ - "srcip"
- LogType: Panther.Audit
Selectors:
- "sourceIP"
@@ -219,46 +280,55 @@ LogTypeMap:
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Sysdig.Audit
+ Selectors:
+ - "$.content.userOriginIP"
+ - LogType: Workday.Activity
+ Selectors:
+ - "ipAddress"
+ - LogType: Workday.SignOnAttempt
+ Selectors:
+ - "Session_IP_Address"
- LogType: Zeek.Conn
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DNS
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DPD
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.HTTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Notice
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.NTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssh
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssl
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Tunnel
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Weird
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zendesk.Audit
Selectors:
- "ip_address"
diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml
index 3836746ee..0f8b6bc94 100644
--- a/lookup_tables/greynoise/basic/riot_basic.yml
+++ b/lookup_tables/greynoise/basic/riot_basic.yml
@@ -14,6 +14,11 @@ LogTypeMap:
- LogType: AlphaSOC.Alert
Selectors:
- "$.event.srcIP"
+ - LogType: Amazon.EKS.Audit
+ Selectors:
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
- LogType: Apache.AccessCombined
Selectors:
- "remote_host_ip_address"
@@ -23,6 +28,9 @@ LogTypeMap:
- LogType: Atlassian.Audit
Selectors:
- "$.attributes.location.ip"
+ - LogType: Asana.Audit
+ Selectors:
+ - "$.context.client_ip_address"
- LogType: AWS.ALB
Selectors:
- "clientIp"
@@ -49,6 +57,9 @@ LogTypeMap:
- LogType: AWS.WAFWebACL
Selectors:
- "$.httpRequest.clientIp"
+ - LogType: Box.Event
+ Selectors:
+ - "ip_address"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- "destinationIp"
@@ -57,6 +68,10 @@ LogTypeMap:
Selectors:
- "externalIp"
- "internalIp"
+ - LogType: CiscoUmbrella.IP
+ Selectors:
+ - "destinationIp"
+ - "sourceIp"
- LogType: CiscoUmbrella.Proxy
Selectors:
- "destinationIp"
@@ -102,24 +117,48 @@ LogTypeMap:
- "LocalAddressIP6"
- "RemoteAddressIP4"
- "RemoteAddressIP6"
+ - LogType: Crowdstrike.NotManagedAssets
+ Selectors:
+ - "aip"
+ - "CurrentLocalIP"
+ - LogType: Crowdstrike.ProcessRollup2Stats
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.SyntheticProcessRollup2
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.Unknown
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserIdentity
+ Selectors:
+ - "aip"
+ - LogType: Crowdstrike.UserLogonLogoff
+ Selectors:
+ - "aip"
- LogType: Crowdstrike.FDREvent
Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
+ - LogType: Dropbox.TeamEvent
+ Selectors:
+ - "$.origin.geo_location.ip_address"
- LogType: Duo.Authentication
Selectors:
- "$.access_device.ip"
- "$.auth_device.ip"
- - LogType: Box.Event
- Selectors:
- - "ip_address"
- LogType: GCP.AuditLog
Selectors:
- "$.protoPayload.requestMetadata.callerIP"
- "$.httpRequest.remoteIP"
- "$.httpRequest.serverIP"
+ - LogType: GCP.HTTPLoadBalancer
+ Selectors:
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
- LogType: GitHub.Audit
Selectors:
- - 'actor_ip'
+ - "actor_ip"
- LogType: GitLab.API
Selectors:
- "remote_ip"
@@ -136,6 +175,9 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
+ - LogType: Jamfpro.Login
+ Selectors:
+ - "ipAddress"
- LogType: Juniper.Access
Selectors:
# use p_any_ip_addresses because we extract ip addresses but have no fields
@@ -150,6 +192,13 @@ LogTypeMap:
- LogType: Juniper.Security
Selectors:
- "source_ip"
+ - LogType: Lacework.AgentManagement
+ Selectors:
+ - "IP_ADDR"
+ - LogType: Lacework.DNSQuery
+ Selectors:
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
- LogType: Lacework.Events
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
@@ -171,6 +220,13 @@ LogTypeMap:
- LogType: Microsoft365.DLP.All
Selectors:
- "ClientIP"
+ - LogType: MicrosoftGraph.SecurityAlert
+ Selectors:
+ # use p_any_ip_addresses because we extract ip addresses but fields are variable
+ - "p_any_ip_addresses"
+ - LogType: MongoDB.ProjectEvent
+ Selectors:
+ - "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
@@ -186,6 +242,11 @@ LogTypeMap:
- LogType: OnePassword.SignInAttempt
Selectors:
- "$.client.ip_address"
+ - LogType: OSSEC.EventInfo
+ Selectors:
+ - "agentip"
+ - "dstip"
+ - "srcip"
- LogType: Panther.Audit
Selectors:
- "sourceIP"
@@ -219,46 +280,55 @@ LogTypeMap:
Selectors:
- "dest_ip"
- "src_ip"
+ - LogType: Sysdig.Audit
+ Selectors:
+ - "$.content.userOriginIP"
+ - LogType: Workday.Activity
+ Selectors:
+ - "ipAddress"
+ - LogType: Workday.SignOnAttempt
+ Selectors:
+ - "Session_IP_Address"
- LogType: Zeek.Conn
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DNS
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DPD
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.HTTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Notice
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.NTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssh
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssl
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Tunnel
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Weird
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zendesk.Audit
Selectors:
- "ip_address"
diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml
index dcd127849..791203eae 100644
--- a/lookup_tables/ipinfo/ipinfo_asn.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn.yml
@@ -13,321 +13,325 @@ LogTypeMap:
AssociatedLogTypes:
- LogType: AlphaSOC.Alert
Selectors:
- - '$.event.srcIP'
+ - "$.event.srcIP"
- LogType: Amazon.EKS.Audit
Selectors:
- - '$.sourceIPs'
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
- LogType: Apache.AccessCombined
Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
- LogType: Apache.AccessCommon
Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
- LogType: Atlassian.Audit
Selectors:
- - '$.attributes.location.ip'
+ - "$.attributes.location.ip"
- LogType: Asana.Audit
Selectors:
- - '$.context.client_ip_address'
+ - "$.context.client_ip_address"
- LogType: AWS.ALB
Selectors:
- - 'clientIp'
+ - "clientIp"
- LogType: AWS.CloudTrail
Selectors:
- - 'sourceIPAddress'
+ # add p_any_ip_addresses because we extract ip addresses from polymorphic events
+ - "sourceIPAddress"
+ - "p_any_ip_addresses"
- LogType: AWS.GuardDuty
Selectors:
# use p_any_ip_addresses because we extract ip addresses from polymorphic events
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
- LogType: AWS.S3ServerAccess
Selectors:
- - 'remoteip'
+ - "remoteip"
- LogType: AWS.VPCDns
Selectors:
# use p_any_ip_addresses because the answers are variable and not always ip addresses
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
- LogType: AWS.VPCFlow
Selectors:
- - 'dstAddr'
- - 'srcAddr'
+ - "dstAddr"
+ - "srcAddr"
- LogType: AWS.WAFWebACL
Selectors:
- - '$.httpRequest.clientIp'
+ - "$.httpRequest.clientIp"
- LogType: Box.Event
Selectors:
- - 'ip_address'
+ - "ip_address"
- LogType: CiscoUmbrella.CloudFirewall
Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
- LogType: CiscoUmbrella.DNS
Selectors:
- - 'externalIp'
- - 'internalIp'
+ - "externalIp"
+ - "internalIp"
- LogType: CiscoUmbrella.IP
Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
- LogType: CiscoUmbrella.Proxy
Selectors:
- - 'destinationIp'
- - 'externalIp'
- - 'internalIp'
+ - "destinationIp"
+ - "externalIp"
+ - "internalIp"
- LogType: Cloudflare.HttpRequest
Selectors:
- - 'ClientIP'
- - 'EdgeServerIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "EdgeServerIP"
+ - "OriginIP"
- LogType: Cloudflare.Firewall
Selectors:
- - 'ClientIP'
+ - "ClientIP"
- LogType: Cloudflare.Spectrum
Selectors:
- - 'ClientIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "OriginIP"
- LogType: Crowdstrike.ActivityAudit
Selectors:
- - 'UserIp'
+ - "UserIp"
- LogType: Crowdstrike.DetectionSummary
Selectors:
- - 'LocalIP'
- - 'OriginSourceIpAddress'
+ - "LocalIP"
+ - "OriginSourceIpAddress"
- LogType: Crowdstrike.DNSRequest
Selectors:
- - 'IpAddress'
+ - "IpAddress"
- LogType: Crowdstrike.AIDMaster
Selectors:
- - 'aip'
+ - "aip"
- LogType: Crowdstrike.ManagedAssets
Selectors:
- - 'GatewayIP'
+ - "GatewayIP"
- LogType: Crowdstrike.NetworkConnect
Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
- LogType: Crowdstrike.NetworkListen
Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
- LogType: Crowdstrike.NotManagedAssets
Selectors:
- - 'aip'
- - 'CurrentLocalIP'
+ - "aip"
+ - "CurrentLocalIP"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- - 'aip'
+ - "aip"
- LogType: Crowdstrike.SyntheticProcessRollup2
Selectors:
- - 'aip'
+ - "aip"
- LogType: Crowdstrike.Unknown
Selectors:
- - 'aip'
+ - "aip"
- LogType: Crowdstrike.UserIdentity
Selectors:
- - 'aip'
+ - "aip"
- LogType: Crowdstrike.UserLogonLogoff
Selectors:
- - 'aip'
+ - "aip"
- LogType: Crowdstrike.FDREvent
Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
- LogType: Dropbox.TeamEvent
Selectors:
- - '$.origin.geo_location.ip_address'
+ - "$.origin.geo_location.ip_address"
- LogType: Duo.Authentication
Selectors:
- - '$.access_device.ip'
- - '$.auth_device.ip'
+ - "$.access_device.ip"
+ - "$.auth_device.ip"
- LogType: GCP.AuditLog
Selectors:
- - '$.protoPayload.requestMetadata.callerIP'
- - '$.httpRequest.remoteIP'
- - '$.httpRequest.serverIP'
+ - "$.protoPayload.requestMetadata.callerIP"
+ - "$.httpRequest.remoteIP"
+ - "$.httpRequest.serverIP"
- LogType: GCP.HTTPLoadBalancer
Selectors:
- - '$.jsonPayload.removeIp'
- - '$.httpRequest.remoteIp'
- - '$.httpRequest.serverIp'
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
- LogType: GitHub.Audit
Selectors:
- - 'actor_ip'
+ - "actor_ip"
- LogType: GitLab.API
Selectors:
- - 'remote_ip'
+ - "remote_ip"
- LogType: GitLab.Production
Selectors:
- - 'remote_ip'
+ - "remote_ip"
- LogType: Gravitational.TeleportAudit
Selectors:
- - 'dst_addr'
- - 'src_addr'
+ - "dst_addr"
+ - "src_addr"
- LogType: GSuite.ActivityEvent
Selectors:
- - 'ipAddress'
+ - "ipAddress"
- LogType: GSuite.Reports
Selectors:
- - 'ipAddress'
+ - "ipAddress"
- LogType: Jamfpro.Login
Selectors:
- - 'ipAddress'
+ - "ipAddress"
- LogType: Juniper.Access
Selectors:
# use p_any_ip_addresses because we extract ip addresses but have no fields
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
- LogType: Juniper.Audit
Selectors:
- - 'login_ip'
+ - "login_ip"
- LogType: Juniper.Firewall
Selectors:
- - 'SRC'
- - 'DST'
+ - "SRC"
+ - "DST"
- LogType: Juniper.Security
Selectors:
- - 'source_ip'
+ - "source_ip"
- LogType: Lacework.AgentManagement
Selectors:
- - 'IP_ADDR'
+ - "IP_ADDR"
- LogType: Lacework.DNSQuery
Selectors:
- - 'DNS_SERVER_IP'
- - 'HOST_IP_ADDR'
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
- LogType: Lacework.Events
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
- LogType: Microsoft365.Audit.AzureActiveDirectory
Selectors:
- - 'ActorIpAddress'
- - 'ClientIP'
+ - "ActorIpAddress"
+ - "ClientIP"
- LogType: Microsoft365.Audit.Exchange
Selectors:
- - 'ClientIP'
- - 'ClientIPAddress'
+ - "ClientIP"
+ - "ClientIPAddress"
- LogType: Microsoft365.Audit.SharePoint
Selectors:
- - 'ClientIP'
+ - "ClientIP"
- LogType: Microsoft365.Audit.General
Selectors:
- - 'ClientIP'
+ - "ClientIP"
- LogType: Microsoft365.DLP.All
Selectors:
- - 'ClientIP'
+ - "ClientIP"
- LogType: MicrosoftGraph.SecurityAlert
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
- LogType: MongoDB.ProjectEvent
Selectors:
- - 'remoteAddress'
+ - "remoteAddress"
- LogType: Nginx.Access
Selectors:
- - 'remoteAddr'
+ - "remoteAddr"
- LogType: Okta.SystemLog
Selectors:
- - '$.client.ipAddress'
+ - "$.client.ipAddress"
- LogType: OneLogin.Events
Selectors:
- - 'ipaddr'
+ - "ipaddr"
- LogType: OnePassword.ItemUsage
Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
- LogType: OnePassword.SignInAttempt
Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
- LogType: OSSEC.EventInfo
Selectors:
- - 'agentip'
- - 'dstip'
- - 'srcip'
+ - "agentip"
+ - "dstip"
+ - "srcip"
- LogType: Panther.Audit
Selectors:
- - 'sourceIP'
+ - "sourceIP"
- LogType: Salesforce.Login
Selectors:
- - 'CLIENT_IP'
- - 'SOURCE_IP'
+ - "CLIENT_IP"
+ - "SOURCE_IP"
- LogType: Salesforce.LoginAs
Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
- LogType: Salesforce.Logout
Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
- LogType: Salesforce.URI
Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
- LogType: Slack.AccessLogs
Selectors:
- - 'ip'
+ - "ip"
- LogType: Slack.AuditLogs
Selectors:
- - '$.context.ip_address'
+ - "$.context.ip_address"
- LogType: Sophos.Central
Selectors:
- - '$.source_info.ip'
+ - "$.source_info.ip"
- LogType: Suricata.Anomaly
Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
- LogType: Suricata.DNS
Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
- LogType: Sysdig.Audit
Selectors:
- - '$.content.userOriginIP'
+ - "$.content.userOriginIP"
- LogType: Workday.Activity
Selectors:
- - 'ipAddress'
+ - "ipAddress"
- LogType: Workday.SignOnAttempt
Selectors:
- - 'Session_IP_Address'
+ - "Session_IP_Address"
- LogType: Zeek.Conn
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DNS
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.DPD
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.HTTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Notice
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.NTP
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssh
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Ssl
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Tunnel
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zeek.Weird
Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
- LogType: Zendesk.Audit
Selectors:
- - 'ip_address'
+ - "ip_address"
- LogType: Zoom.Activity
Selectors:
- - 'ip_address'
+ - "ip_address"
diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
index 639798795..7d1706a9b 100644
--- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
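Review bot: The comment added above AWS.CloudTrail's selectors in this hunk, `# add p_any_ip_addresses because we extract ip addresses from polymorphic events`, sits above `sourceIPAddress`, the line it does not explain; placing it directly above `- "p_any_ip_addresses"` and wording it like the neighbouring entries (`# use p_any_ip_addresses because ...`) keeps the file's comment convention. It is also worth stating whether `sourceIPAddress` is kept deliberately: if p_any_ip_addresses already collects that field whenever it holds an IP (CloudTrail also puts AWS service DNS names in it), the first selector is redundant and presumably triggers a second lookup of the same value. The same two lines are added in the identical hunk of ipinfo_asn_datalake.yml, whose end lies outside this page.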
@@ -13,321 +13,325 @@ LogTypeMap:
 AssociatedLogTypes:
 - LogType: AlphaSOC.Alert
 Selectors:
- - '$.event.srcIP'
+ - "$.event.srcIP"
 - LogType: Amazon.EKS.Audit
 Selectors:
- - '$.sourceIPs'
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
 - LogType: Apache.AccessCombined
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Apache.AccessCommon
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Atlassian.Audit
 Selectors:
- - '$.attributes.location.ip'
+ - "$.attributes.location.ip"
 - LogType: Asana.Audit
 Selectors:
- - '$.context.client_ip_address'
+ - "$.context.client_ip_address"
 - LogType: AWS.ALB
 Selectors:
- - 'clientIp'
+ - "clientIp"
 - LogType: AWS.CloudTrail
 Selectors:
- - 'sourceIPAddress'
+ # add p_any_ip_addresses because we extract ip addresses from polymorphic events
+ - "sourceIPAddress"
+ - "p_any_ip_addresses"
 - LogType: AWS.GuardDuty
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses from polymorphic events
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.S3ServerAccess
 Selectors:
- - 'remoteip'
+ - "remoteip"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.VPCFlow
 Selectors:
- - 'dstAddr'
- - 'srcAddr'
+ - "dstAddr"
+ - "srcAddr"
 - LogType: AWS.WAFWebACL
 Selectors:
- - '$.httpRequest.clientIp'
+ - "$.httpRequest.clientIp"
 - LogType: Box.Event
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.DNS
 Selectors:
- - 'externalIp'
- - 'internalIp'
+ - "externalIp"
+ - "internalIp"
 - LogType: CiscoUmbrella.IP
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.Proxy
 Selectors:
- - 'destinationIp'
- - 'externalIp'
- - 'internalIp'
+ - "destinationIp"
+ - "externalIp"
+ - "internalIp"
 - LogType: Cloudflare.HttpRequest
 Selectors:
- - 'ClientIP'
- - 'EdgeServerIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "EdgeServerIP"
+ - "OriginIP"
 - LogType: Cloudflare.Firewall
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Cloudflare.Spectrum
 Selectors:
- - 'ClientIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "OriginIP"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
- - 'UserIp'
+ - "UserIp"
 - LogType: Crowdstrike.DetectionSummary
 Selectors:
- - 'LocalIP'
- - 'OriginSourceIpAddress'
+ - "LocalIP"
+ - "OriginSourceIpAddress"
 - LogType: Crowdstrike.DNSRequest
 Selectors:
- - 'IpAddress'
+ - "IpAddress"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.ManagedAssets
 Selectors:
- - 'GatewayIP'
+ - "GatewayIP"
 - LogType: Crowdstrike.NetworkConnect
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NetworkListen
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NotManagedAssets
 Selectors:
- - 'aip'
- - 'CurrentLocalIP'
+ - "aip"
+ - "CurrentLocalIP"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.SyntheticProcessRollup2
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.Unknown
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserIdentity
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserLogonLogoff
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.FDREvent
 Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Dropbox.TeamEvent
 Selectors:
- - '$.origin.geo_location.ip_address'
+ - "$.origin.geo_location.ip_address"
 - LogType: Duo.Authentication
 Selectors:
- - '$.access_device.ip'
- - '$.auth_device.ip'
+ - "$.access_device.ip"
+ - "$.auth_device.ip"
 - LogType: GCP.AuditLog
 Selectors:
- - '$.protoPayload.requestMetadata.callerIP'
- - '$.httpRequest.remoteIP'
- - '$.httpRequest.serverIP'
+ - "$.protoPayload.requestMetadata.callerIP"
+ - "$.httpRequest.remoteIP"
+ - "$.httpRequest.serverIP"
 - LogType: GCP.HTTPLoadBalancer
 Selectors:
- - '$.jsonPayload.removeIp'
- - '$.httpRequest.remoteIp'
- - '$.httpRequest.serverIp'
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
 - LogType: GitHub.Audit
 Selectors:
- - 'actor_ip'
+ - "actor_ip"
 - LogType: GitLab.API
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: GitLab.Production
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: Gravitational.TeleportAudit
 Selectors:
- - 'dst_addr'
- - 'src_addr'
+ - "dst_addr"
+ - "src_addr"
 - LogType: GSuite.ActivityEvent
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: GSuite.Reports
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Jamfpro.Login
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Juniper.Access
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but have no fields
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Juniper.Audit
 Selectors:
- - 'login_ip'
+ - "login_ip"
 - LogType: Juniper.Firewall
 Selectors:
- - 'SRC'
- - 'DST'
+ - "SRC"
+ - "DST"
 - LogType: Juniper.Security
 Selectors:
- - 'source_ip'
+ - "source_ip"
 - LogType: Lacework.AgentManagement
 Selectors:
- - 'IP_ADDR'
+ - "IP_ADDR"
 - LogType: Lacework.DNSQuery
 Selectors:
- - 'DNS_SERVER_IP'
- - 'HOST_IP_ADDR'
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
 - LogType: Lacework.Events
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
- - 'ActorIpAddress'
- - 'ClientIP'
+ - "ActorIpAddress"
+ - "ClientIP"
 - LogType: Microsoft365.Audit.Exchange
 Selectors:
- - 'ClientIP'
- - 'ClientIPAddress'
+ - "ClientIP"
+ - "ClientIPAddress"
 - LogType: Microsoft365.Audit.SharePoint
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.Audit.General
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.DLP.All
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: MicrosoftGraph.SecurityAlert
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: MongoDB.ProjectEvent
 Selectors:
- - 'remoteAddress'
+ - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
- - 'remoteAddr'
+ - "remoteAddr"
 - LogType: Okta.SystemLog
 Selectors:
- - '$.client.ipAddress'
+ - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
- - 'ipaddr'
+ - "ipaddr"
 - LogType: OnePassword.ItemUsage
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OnePassword.SignInAttempt
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OSSEC.EventInfo
 Selectors:
- - 'agentip'
- - 'dstip'
- - 'srcip'
+ - "agentip"
+ - "dstip"
+ - "srcip"
 - LogType: Panther.Audit
 Selectors:
- - 'sourceIP'
+ - "sourceIP"
 - LogType: Salesforce.Login
 Selectors:
- - 'CLIENT_IP'
- - 'SOURCE_IP'
+ - "CLIENT_IP"
+ - "SOURCE_IP"
 - LogType: Salesforce.LoginAs
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.Logout
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.URI
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Slack.AccessLogs
 Selectors:
- - 'ip'
+ - "ip"
 - LogType: Slack.AuditLogs
 Selectors:
- - '$.context.ip_address'
+ - "$.context.ip_address"
 - LogType: Sophos.Central
 Selectors:
- - '$.source_info.ip'
+ - "$.source_info.ip"
 - LogType: Suricata.Anomaly
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
 - LogType: Suricata.DNS
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
- - '$.content.userOriginIP'
+ - "$.content.userOriginIP"
 - LogType: Workday.Activity
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Workday.SignOnAttempt
 Selectors:
- - 'Session_IP_Address'
+ - "Session_IP_Address"
 - LogType: Zeek.Conn
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DNS
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DPD
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.HTTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Notice
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.NTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssh
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssl
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Tunnel
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Weird
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zendesk.Audit
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: Zoom.Activity
 Selectors:
- - 'ip_address'
+ - "ip_address"
diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml
index 8417b144b..87ae50159 100644
--- a/lookup_tables/ipinfo/ipinfo_location.yml
+++ b/lookup_tables/ipinfo/ipinfo_location.yml
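Review bot: The GCP.HTTPLoadBalancer selector `"$.jsonPayload.removeIp"` looks like a typo for `"$.jsonPayload.remoteIp"`, the client-address field of Cloud Load Balancing request logs; if so, that path never resolves and the table is only ever keyed off the two `$.httpRequest.*` selectors, and the commit re-quotes the line without correcting it. The same selector appears in the ipinfo_location.yml and ipinfo_location_datalake.yml hunks below, so all three should be fixed together. Separately, the new Amazon.EKS.Audit paths `$.spec.clusterIP` and `$.requestObject.spec.clusterIP` select a Service's cluster-internal virtual IP: the Kubernetes audit Event has no top-level `spec`, the address is typically allocated by the API server and so shows up under `responseObject` rather than the request, and a cluster-internal address has no IPinfo record to match, so these paths add lookup work without enrichment value beyond `$.sourceIPs`. Consider dropping them or, if a Service VIP really is wanted, documenting why with a comment such as `# cluster-internal; kept for <reason>`.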
@@ -13,321 +13,325 @@ LogTypeMap:
 AssociatedLogTypes:
 - LogType: AlphaSOC.Alert
 Selectors:
- - '$.event.srcIP'
+ - "$.event.srcIP"
 - LogType: Amazon.EKS.Audit
 Selectors:
- - '$.sourceIPs'
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
 - LogType: Apache.AccessCombined
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Apache.AccessCommon
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Atlassian.Audit
 Selectors:
- - '$.attributes.location.ip'
+ - "$.attributes.location.ip"
 - LogType: Asana.Audit
 Selectors:
- - '$.context.client_ip_address'
+ - "$.context.client_ip_address"
 - LogType: AWS.ALB
 Selectors:
- - 'clientIp'
+ - "clientIp"
 - LogType: AWS.CloudTrail
 Selectors:
- - 'sourceIPAddress'
+ # add p_any_ip_addresses because we extract ip addresses from polymorphic events
+ - "sourceIPAddress"
+ - "p_any_ip_addresses"
 - LogType: AWS.GuardDuty
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses from polymorphic events
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.S3ServerAccess
 Selectors:
- - 'remoteip'
+ - "remoteip"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.VPCFlow
 Selectors:
- - 'dstAddr'
- - 'srcAddr'
+ - "dstAddr"
+ - "srcAddr"
 - LogType: AWS.WAFWebACL
 Selectors:
- - '$.httpRequest.clientIp'
+ - "$.httpRequest.clientIp"
 - LogType: Box.Event
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.DNS
 Selectors:
- - 'externalIp'
- - 'internalIp'
+ - "externalIp"
+ - "internalIp"
 - LogType: CiscoUmbrella.IP
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.Proxy
 Selectors:
- - 'destinationIp'
- - 'externalIp'
- - 'internalIp'
+ - "destinationIp"
+ - "externalIp"
+ - "internalIp"
 - LogType: Cloudflare.HttpRequest
 Selectors:
- - 'ClientIP'
- - 'EdgeServerIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "EdgeServerIP"
+ - "OriginIP"
 - LogType: Cloudflare.Firewall
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Cloudflare.Spectrum
 Selectors:
- - 'ClientIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "OriginIP"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
- - 'UserIp'
+ - "UserIp"
 - LogType: Crowdstrike.DetectionSummary
 Selectors:
- - 'LocalIP'
- - 'OriginSourceIpAddress'
+ - "LocalIP"
+ - "OriginSourceIpAddress"
 - LogType: Crowdstrike.DNSRequest
 Selectors:
- - 'IpAddress'
+ - "IpAddress"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.ManagedAssets
 Selectors:
- - 'GatewayIP'
+ - "GatewayIP"
 - LogType: Crowdstrike.NetworkConnect
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NetworkListen
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NotManagedAssets
 Selectors:
- - 'aip'
- - 'CurrentLocalIP'
+ - "aip"
+ - "CurrentLocalIP"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.SyntheticProcessRollup2
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.Unknown
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserIdentity
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserLogonLogoff
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.FDREvent
 Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Dropbox.TeamEvent
 Selectors:
- - '$.origin.geo_location.ip_address'
+ - "$.origin.geo_location.ip_address"
 - LogType: Duo.Authentication
 Selectors:
- - '$.access_device.ip'
- - '$.auth_device.ip'
+ - "$.access_device.ip"
+ - "$.auth_device.ip"
 - LogType: GCP.AuditLog
 Selectors:
- - '$.protoPayload.requestMetadata.callerIP'
- - '$.httpRequest.remoteIP'
- - '$.httpRequest.serverIP'
+ - "$.protoPayload.requestMetadata.callerIP"
+ - "$.httpRequest.remoteIP"
+ - "$.httpRequest.serverIP"
 - LogType: GCP.HTTPLoadBalancer
 Selectors:
- - '$.jsonPayload.removeIp'
- - '$.httpRequest.remoteIp'
- - '$.httpRequest.serverIp'
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
 - LogType: GitHub.Audit
 Selectors:
- - 'actor_ip'
+ - "actor_ip"
 - LogType: GitLab.API
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: GitLab.Production
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: Gravitational.TeleportAudit
 Selectors:
- - 'dst_addr'
- - 'src_addr'
+ - "dst_addr"
+ - "src_addr"
 - LogType: GSuite.ActivityEvent
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: GSuite.Reports
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Jamfpro.Login
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Juniper.Access
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but have no fields
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Juniper.Audit
 Selectors:
- - 'login_ip'
+ - "login_ip"
 - LogType: Juniper.Firewall
 Selectors:
- - 'SRC'
- - 'DST'
+ - "SRC"
+ - "DST"
 - LogType: Juniper.Security
 Selectors:
- - 'source_ip'
+ - "source_ip"
 - LogType: Lacework.AgentManagement
 Selectors:
- - 'IP_ADDR'
+ - "IP_ADDR"
 - LogType: Lacework.DNSQuery
 Selectors:
- - 'DNS_SERVER_IP'
- - 'HOST_IP_ADDR'
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
 - LogType: Lacework.Events
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
- - 'ActorIpAddress'
- - 'ClientIP'
+ - "ActorIpAddress"
+ - "ClientIP"
 - LogType: Microsoft365.Audit.Exchange
 Selectors:
- - 'ClientIP'
- - 'ClientIPAddress'
+ - "ClientIP"
+ - "ClientIPAddress"
 - LogType: Microsoft365.Audit.SharePoint
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.Audit.General
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.DLP.All
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: MicrosoftGraph.SecurityAlert
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: MongoDB.ProjectEvent
 Selectors:
- - 'remoteAddress'
+ - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
- - 'remoteAddr'
+ - "remoteAddr"
 - LogType: Okta.SystemLog
 Selectors:
- - '$.client.ipAddress'
+ - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
- - 'ipaddr'
+ - "ipaddr"
 - LogType: OnePassword.ItemUsage
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OnePassword.SignInAttempt
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OSSEC.EventInfo
 Selectors:
- - 'agentip'
- - 'dstip'
- - 'srcip'
+ - "agentip"
+ - "dstip"
+ - "srcip"
 - LogType: Panther.Audit
 Selectors:
- - 'sourceIP'
+ - "sourceIP"
 - LogType: Salesforce.Login
 Selectors:
- - 'CLIENT_IP'
- - 'SOURCE_IP'
+ - "CLIENT_IP"
+ - "SOURCE_IP"
 - LogType: Salesforce.LoginAs
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.Logout
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.URI
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Slack.AccessLogs
 Selectors:
- - 'ip'
+ - "ip"
 - LogType: Slack.AuditLogs
 Selectors:
- - '$.context.ip_address'
+ - "$.context.ip_address"
 - LogType: Sophos.Central
 Selectors:
- - '$.source_info.ip'
+ - "$.source_info.ip"
 - LogType: Suricata.Anomaly
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
 - LogType: Suricata.DNS
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
- - '$.content.userOriginIP'
+ - "$.content.userOriginIP"
 - LogType: Workday.Activity
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Workday.SignOnAttempt
 Selectors:
- - 'Session_IP_Address'
+ - "Session_IP_Address"
 - LogType: Zeek.Conn
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DNS
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DPD
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.HTTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Notice
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.NTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssh
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssl
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Tunnel
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Weird
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zendesk.Audit
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: Zoom.Activity
 Selectors:
- - 'ip_address'
+ - "ip_address"
diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
index 434b13379..af5f81cd0 100644
--- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
@@ -13,321 +13,325 @@ LogTypeMap:
 AssociatedLogTypes:
 - LogType: AlphaSOC.Alert
 Selectors:
- - '$.event.srcIP'
+ - "$.event.srcIP"
 - LogType: Amazon.EKS.Audit
 Selectors:
- - '$.sourceIPs'
+ - "$.sourceIPs"
+ - "$.spec.clusterIP"
+ - "$.requestObject.spec.clusterIP"
 - LogType: Apache.AccessCombined
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Apache.AccessCommon
 Selectors:
- - 'remote_host_ip_address'
+ - "remote_host_ip_address"
 - LogType: Atlassian.Audit
 Selectors:
- - '$.attributes.location.ip'
+ - "$.attributes.location.ip"
 - LogType: Asana.Audit
 Selectors:
- - '$.context.client_ip_address'
+ - "$.context.client_ip_address"
 - LogType: AWS.ALB
 Selectors:
- - 'clientIp'
+ - "clientIp"
 - LogType: AWS.CloudTrail
 Selectors:
- - 'sourceIPAddress'
+ # add p_any_ip_addresses because we extract ip addresses from polymorphic events
+ - "sourceIPAddress"
+ - "p_any_ip_addresses"
 - LogType: AWS.GuardDuty
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses from polymorphic events
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.S3ServerAccess
 Selectors:
- - 'remoteip'
+ - "remoteip"
 - LogType: AWS.VPCDns
 Selectors:
 # use p_any_ip_addresses because the answers are variable and not always ip addresses
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: AWS.VPCFlow
 Selectors:
- - 'dstAddr'
- - 'srcAddr'
+ - "dstAddr"
+ - "srcAddr"
 - LogType: AWS.WAFWebACL
 Selectors:
- - '$.httpRequest.clientIp'
+ - "$.httpRequest.clientIp"
 - LogType: Box.Event
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: CiscoUmbrella.CloudFirewall
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.DNS
 Selectors:
- - 'externalIp'
- - 'internalIp'
+ - "externalIp"
+ - "internalIp"
 - LogType: CiscoUmbrella.IP
 Selectors:
- - 'destinationIp'
- - 'sourceIp'
+ - "destinationIp"
+ - "sourceIp"
 - LogType: CiscoUmbrella.Proxy
 Selectors:
- - 'destinationIp'
- - 'externalIp'
- - 'internalIp'
+ - "destinationIp"
+ - "externalIp"
+ - "internalIp"
 - LogType: Cloudflare.HttpRequest
 Selectors:
- - 'ClientIP'
- - 'EdgeServerIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "EdgeServerIP"
+ - "OriginIP"
 - LogType: Cloudflare.Firewall
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Cloudflare.Spectrum
 Selectors:
- - 'ClientIP'
- - 'OriginIP'
+ - "ClientIP"
+ - "OriginIP"
 - LogType: Crowdstrike.ActivityAudit
 Selectors:
- - 'UserIp'
+ - "UserIp"
 - LogType: Crowdstrike.DetectionSummary
 Selectors:
- - 'LocalIP'
- - 'OriginSourceIpAddress'
+ - "LocalIP"
+ - "OriginSourceIpAddress"
 - LogType: Crowdstrike.DNSRequest
 Selectors:
- - 'IpAddress'
+ - "IpAddress"
 - LogType: Crowdstrike.AIDMaster
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.ManagedAssets
 Selectors:
- - 'GatewayIP'
+ - "GatewayIP"
 - LogType: Crowdstrike.NetworkConnect
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NetworkListen
 Selectors:
- - 'LocalAddressIP4'
- - 'LocalAddressIP6'
- - 'RemoteAddressIP4'
- - 'RemoteAddressIP6'
+ - "LocalAddressIP4"
+ - "LocalAddressIP6"
+ - "RemoteAddressIP4"
+ - "RemoteAddressIP6"
 - LogType: Crowdstrike.NotManagedAssets
 Selectors:
- - 'aip'
- - 'CurrentLocalIP'
+ - "aip"
+ - "CurrentLocalIP"
 - LogType: Crowdstrike.ProcessRollup2Stats
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.SyntheticProcessRollup2
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.Unknown
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserIdentity
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.UserLogonLogoff
 Selectors:
- - 'aip'
+ - "aip"
 - LogType: Crowdstrike.FDREvent
 Selectors:
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Dropbox.TeamEvent
 Selectors:
- - '$.origin.geo_location.ip_address'
+ - "$.origin.geo_location.ip_address"
 - LogType: Duo.Authentication
 Selectors:
- - '$.access_device.ip'
- - '$.auth_device.ip'
+ - "$.access_device.ip"
+ - "$.auth_device.ip"
 - LogType: GCP.AuditLog
 Selectors:
- - '$.protoPayload.requestMetadata.callerIP'
- - '$.httpRequest.remoteIP'
- - '$.httpRequest.serverIP'
+ - "$.protoPayload.requestMetadata.callerIP"
+ - "$.httpRequest.remoteIP"
+ - "$.httpRequest.serverIP"
 - LogType: GCP.HTTPLoadBalancer
 Selectors:
- - '$.jsonPayload.removeIp'
- - '$.httpRequest.remoteIp'
- - '$.httpRequest.serverIp'
+ - "$.jsonPayload.removeIp"
+ - "$.httpRequest.remoteIp"
+ - "$.httpRequest.serverIp"
 - LogType: GitHub.Audit
 Selectors:
- - 'actor_ip'
+ - "actor_ip"
 - LogType: GitLab.API
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: GitLab.Production
 Selectors:
- - 'remote_ip'
+ - "remote_ip"
 - LogType: Gravitational.TeleportAudit
 Selectors:
- - 'dst_addr'
- - 'src_addr'
+ - "dst_addr"
+ - "src_addr"
 - LogType: GSuite.ActivityEvent
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: GSuite.Reports
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Jamfpro.Login
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Juniper.Access
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but have no fields
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Juniper.Audit
 Selectors:
- - 'login_ip'
+ - "login_ip"
 - LogType: Juniper.Firewall
 Selectors:
- - 'SRC'
- - 'DST'
+ - "SRC"
+ - "DST"
 - LogType: Juniper.Security
 Selectors:
- - 'source_ip'
+ - "source_ip"
 - LogType: Lacework.AgentManagement
 Selectors:
- - 'IP_ADDR'
+ - "IP_ADDR"
 - LogType: Lacework.DNSQuery
 Selectors:
- - 'DNS_SERVER_IP'
- - 'HOST_IP_ADDR'
+ - "DNS_SERVER_IP"
+ - "HOST_IP_ADDR"
 - LogType: Lacework.Events
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: Microsoft365.Audit.AzureActiveDirectory
 Selectors:
- - 'ActorIpAddress'
- - 'ClientIP'
+ - "ActorIpAddress"
+ - "ClientIP"
 - LogType: Microsoft365.Audit.Exchange
 Selectors:
- - 'ClientIP'
- - 'ClientIPAddress'
+ - "ClientIP"
+ - "ClientIPAddress"
 - LogType: Microsoft365.Audit.SharePoint
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.Audit.General
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: Microsoft365.DLP.All
 Selectors:
- - 'ClientIP'
+ - "ClientIP"
 - LogType: MicrosoftGraph.SecurityAlert
 Selectors:
 # use p_any_ip_addresses because we extract ip addresses but fields are variable
- - 'p_any_ip_addresses'
+ - "p_any_ip_addresses"
 - LogType: MongoDB.ProjectEvent
 Selectors:
- - 'remoteAddress'
+ - "remoteAddress"
 - LogType: Nginx.Access
 Selectors:
- - 'remoteAddr'
+ - "remoteAddr"
 - LogType: Okta.SystemLog
 Selectors:
- - '$.client.ipAddress'
+ - "$.client.ipAddress"
 - LogType: OneLogin.Events
 Selectors:
- - 'ipaddr'
+ - "ipaddr"
 - LogType: OnePassword.ItemUsage
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OnePassword.SignInAttempt
 Selectors:
- - '$.client.ip_address'
+ - "$.client.ip_address"
 - LogType: OSSEC.EventInfo
 Selectors:
- - 'agentip'
- - 'dstip'
- - 'srcip'
+ - "agentip"
+ - "dstip"
+ - "srcip"
 - LogType: Panther.Audit
 Selectors:
- - 'sourceIP'
+ - "sourceIP"
 - LogType: Salesforce.Login
 Selectors:
- - 'CLIENT_IP'
- - 'SOURCE_IP'
+ - "CLIENT_IP"
+ - "SOURCE_IP"
 - LogType: Salesforce.LoginAs
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.Logout
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Salesforce.URI
 Selectors:
- - 'CLIENT_IP'
+ - "CLIENT_IP"
 - LogType: Slack.AccessLogs
 Selectors:
- - 'ip'
+ - "ip"
 - LogType: Slack.AuditLogs
 Selectors:
- - '$.context.ip_address'
+ - "$.context.ip_address"
 - LogType: Sophos.Central
 Selectors:
- - '$.source_info.ip'
+ - "$.source_info.ip"
 - LogType: Suricata.Anomaly
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
 - LogType: Suricata.DNS
 Selectors:
- - 'dest_ip'
- - 'src_ip'
+ - "dest_ip"
+ - "src_ip"
 - LogType: Sysdig.Audit
 Selectors:
- - '$.content.userOriginIP'
+ - "$.content.userOriginIP"
 - LogType: Workday.Activity
 Selectors:
- - 'ipAddress'
+ - "ipAddress"
 - LogType: Workday.SignOnAttempt
 Selectors:
- - 'Session_IP_Address'
+ - "Session_IP_Address"
 - LogType: Zeek.Conn
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DNS
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.DPD
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.HTTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Notice
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.NTP
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssh
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Ssl
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Tunnel
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zeek.Weird
 Selectors:
- - '$.id.orig_h'
- - '$.id.resp_h'
+ - "$.id.orig_h"
+ - "$.id.resp_h"
 - LogType: Zendesk.Audit
 Selectors:
- - 'ip_address'
+ - "ip_address"
 - LogType: Zoom.Activity
 Selectors:
- - 'ip_address'
+ - "ip_address"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml
index 5638c14ee..45dccad22 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy.yml
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" + - LogType: GitHub.Audit + Selectors: + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' - - LogType: GitHub.Audit - Selectors: - - 'actor_ip' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - 
LogType: Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - 
'$.content.userOriginIP' + - "$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml index 35ada1b20..7d1fdc813 100644 --- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml 
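Review bot: The GCP.HTTPLoadBalancer selector `"$.jsonPayload.removeIp"` on the new side looks like a typo of `remoteIp`; it does not match its siblings `"$.httpRequest.remoteIp"` / `"$.httpRequest.serverIp"`, and if the load-balancer payload field is `remoteIp` this selector never resolves, so the client address in that log type is silently never enriched against the lookup table. The commit only re-quotes the line, so the same string is carried into the ipinfo_privacy_datalake.yml and tor_exit_nodes.yml hunks below (and into the greynoise table earlier in this commit), which is the cost of maintaining four copies of the same LogTypeMap by hand; suggested line: `- "$.jsonPayload.remoteIp"`, applied to every copy after confirming the field name against a real GCP HTTP(S) load-balancer log entry. Separately, the Amazon.EKS.Audit selectors `"$.spec.clusterIP"` and `"$.requestObject.spec.clusterIP"` presumably carry cluster-internal Service addresses, which these external-reputation tables are unlikely to ever match, so they may only add lookup volume; worth a one-line comment stating why they are included if that is intentional.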
@@ -13,321 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.sourceIPs' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: - - 'sourceIPAddress' + # add p_any_ip_addresses because we extract ip addresses from polymorphic events + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 
'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - "$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - 
'$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - "ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange 
Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - 
"$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address" diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml index 4cae8a3a2..e612f1cae 100644 --- a/lookup_tables/tor/tor_exit_nodes.yml +++ b/lookup_tables/tor/tor_exit_nodes.yml 
@@ -13,324 +13,325 @@ LogTypeMap: AssociatedLogTypes: - LogType: AlphaSOC.Alert Selectors: - - '$.event.srcIP' + - "$.event.srcIP" - LogType: Amazon.EKS.Audit Selectors: - - '$.spec.clusterIP' - - '$.requestObject.spec.clusterIP' + - "$.sourceIPs" + - "$.spec.clusterIP" + - "$.requestObject.spec.clusterIP" - LogType: Apache.AccessCombined Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Apache.AccessCommon Selectors: - - 'remote_host_ip_address' + - "remote_host_ip_address" - LogType: Atlassian.Audit Selectors: - - '$.attributes.location.ip' + - "$.attributes.location.ip" - LogType: Asana.Audit Selectors: - - '$.context.client_ip_address' + - "$.context.client_ip_address" - LogType: AWS.ALB Selectors: - - 'clientIp' + - "clientIp" - LogType: AWS.CloudTrail Selectors: # add p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'sourceIPAddress' - - 'p_any_ip_addresses' + - "sourceIPAddress" + - "p_any_ip_addresses" - LogType: AWS.GuardDuty Selectors: # use p_any_ip_addresses because we extract ip addresses from polymorphic events - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.S3ServerAccess Selectors: - - 'remoteip' + - "remoteip" - LogType: AWS.VPCDns Selectors: # use p_any_ip_addresses because the answers are variable and not always ip addresses - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: AWS.VPCFlow Selectors: - - 'dstAddr' - - 'srcAddr' + - "dstAddr" + - "srcAddr" - LogType: AWS.WAFWebACL Selectors: - - '$.httpRequest.clientIp' + - "$.httpRequest.clientIp" - LogType: Box.Event Selectors: - - 'ip_address' + - "ip_address" - LogType: CiscoUmbrella.CloudFirewall Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: CiscoUmbrella.DNS Selectors: - - 'externalIp' - - 'internalIp' + - "externalIp" + - "internalIp" - LogType: CiscoUmbrella.IP Selectors: - - 'destinationIp' - - 'sourceIp' + - "destinationIp" + - "sourceIp" - LogType: 
CiscoUmbrella.Proxy Selectors: - - 'destinationIp' - - 'externalIp' - - 'internalIp' + - "destinationIp" + - "externalIp" + - "internalIp" - LogType: Cloudflare.HttpRequest Selectors: - - 'ClientIP' - - 'EdgeServerIP' - - 'OriginIP' + - "ClientIP" + - "EdgeServerIP" + - "OriginIP" - LogType: Cloudflare.Firewall Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Cloudflare.Spectrum Selectors: - - 'ClientIP' - - 'OriginIP' + - "ClientIP" + - "OriginIP" - LogType: Crowdstrike.ActivityAudit Selectors: - - 'UserIp' + - "UserIp" - LogType: Crowdstrike.DetectionSummary Selectors: - - 'LocalIP' - - 'OriginSourceIpAddress' + - "LocalIP" + - "OriginSourceIpAddress" - LogType: Crowdstrike.DNSRequest Selectors: - - 'IpAddress' + - "IpAddress" - LogType: Crowdstrike.AIDMaster Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.ManagedAssets Selectors: - - 'GatewayIP' + - "GatewayIP" - LogType: Crowdstrike.NetworkConnect Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NetworkListen Selectors: - - 'LocalAddressIP4' - - 'LocalAddressIP6' - - 'RemoteAddressIP4' - - 'RemoteAddressIP6' + - "LocalAddressIP4" + - "LocalAddressIP6" + - "RemoteAddressIP4" + - "RemoteAddressIP6" - LogType: Crowdstrike.NotManagedAssets Selectors: - - 'aip' - - 'CurrentLocalIP' + - "aip" + - "CurrentLocalIP" - LogType: Crowdstrike.ProcessRollup2Stats Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.SyntheticProcessRollup2 Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.Unknown Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserIdentity Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.UserLogonLogoff Selectors: - - 'aip' + - "aip" - LogType: Crowdstrike.FDREvent Selectors: - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Dropbox.TeamEvent Selectors: - - '$.origin.geo_location.ip_address' + - 
"$.origin.geo_location.ip_address" - LogType: Duo.Authentication Selectors: - - '$.access_device.ip' - - '$.auth_device.ip' + - "$.access_device.ip" + - "$.auth_device.ip" - LogType: GCP.AuditLog Selectors: - - '$.protoPayload.requestMetadata.callerIP' - - '$.httpRequest.remoteIP' - - '$.httpRequest.serverIP' + - "$.protoPayload.requestMetadata.callerIP" + - "$.httpRequest.remoteIP" + - "$.httpRequest.serverIP" - LogType: GCP.HTTPLoadBalancer Selectors: - - '$.jsonPayload.removeIp' - - '$.httpRequest.remoteIp' - - '$.httpRequest.serverIp' + - "$.jsonPayload.removeIp" + - "$.httpRequest.remoteIp" + - "$.httpRequest.serverIp" - LogType: GitHub.Audit Selectors: - - 'actor_ip' + - "actor_ip" - LogType: GitLab.API Selectors: - - 'remote_ip' + - "remote_ip" - LogType: GitLab.Production Selectors: - - 'remote_ip' + - "remote_ip" - LogType: Gravitational.TeleportAudit Selectors: - - 'dst_addr' - - 'src_addr' + - "dst_addr" + - "src_addr" - LogType: GSuite.ActivityEvent Selectors: - - 'ipAddress' + - "ipAddress" - LogType: GSuite.Reports Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Jamfpro.Login Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Juniper.Access Selectors: # use p_any_ip_addresses because we extract ip addresses but have no fields - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Juniper.Audit Selectors: - - 'login_ip' + - "login_ip" - LogType: Juniper.Firewall Selectors: - - 'SRC' - - 'DST' + - "SRC" + - "DST" - LogType: Juniper.Security Selectors: - - 'source_ip' + - "source_ip" - LogType: Lacework.AgentManagement Selectors: - - 'IP_ADDR' + - "IP_ADDR" - LogType: Lacework.DNSQuery Selectors: - - 'DNS_SERVER_IP' - - 'HOST_IP_ADDR' + - "DNS_SERVER_IP" + - "HOST_IP_ADDR" - LogType: Lacework.Events Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: Microsoft365.Audit.AzureActiveDirectory Selectors: - - 'ActorIpAddress' - - 'ClientIP' + - 
"ActorIpAddress" + - "ClientIP" - LogType: Microsoft365.Audit.Exchange Selectors: - - 'ClientIP' - - 'ClientIPAddress' + - "ClientIP" + - "ClientIPAddress" - LogType: Microsoft365.Audit.SharePoint Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.Audit.General Selectors: - - 'ClientIP' + - "ClientIP" - LogType: Microsoft365.DLP.All Selectors: - - 'ClientIP' + - "ClientIP" - LogType: MicrosoftGraph.SecurityAlert Selectors: # use p_any_ip_addresses because we extract ip addresses but fields are variable - - 'p_any_ip_addresses' + - "p_any_ip_addresses" - LogType: MongoDB.ProjectEvent Selectors: - - 'remoteAddress' + - "remoteAddress" - LogType: Nginx.Access Selectors: - - 'remoteAddr' + - "remoteAddr" - LogType: Okta.SystemLog Selectors: - - '$.client.ipAddress' + - "$.client.ipAddress" - LogType: OneLogin.Events Selectors: - - 'ipaddr' + - "ipaddr" - LogType: OnePassword.ItemUsage Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OnePassword.SignInAttempt Selectors: - - '$.client.ip_address' + - "$.client.ip_address" - LogType: OSSEC.EventInfo Selectors: - - 'agentip' - - 'dstip' - - 'srcip' + - "agentip" + - "dstip" + - "srcip" - LogType: Panther.Audit Selectors: - - 'sourceIP' + - "sourceIP" - LogType: Salesforce.Login Selectors: - - 'CLIENT_IP' - - 'SOURCE_IP' + - "CLIENT_IP" + - "SOURCE_IP" - LogType: Salesforce.LoginAs Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.Logout Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Salesforce.URI Selectors: - - 'CLIENT_IP' + - "CLIENT_IP" - LogType: Slack.AccessLogs Selectors: - - 'ip' + - "ip" - LogType: Slack.AuditLogs Selectors: - - '$.context.ip_address' + - "$.context.ip_address" - LogType: Sophos.Central Selectors: - - '$.source_info.ip' + - "$.source_info.ip" - LogType: Suricata.Anomaly Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: Suricata.DNS Selectors: - - 'dest_ip' - - 'src_ip' + - "dest_ip" + - "src_ip" - LogType: 
Sysdig.Audit Selectors: - - '$.content.userOriginIP' + - "$.content.userOriginIP" - LogType: Workday.Activity Selectors: - - 'ipAddress' + - "ipAddress" - LogType: Workday.SignOnAttempt Selectors: - - 'Session_IP_Address' + - "Session_IP_Address" - LogType: Zeek.Conn Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DNS Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.DPD Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.HTTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Notice Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.NTP Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssh Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Ssl Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Tunnel Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zeek.Weird Selectors: - - '$.id.orig_h' - - '$.id.resp_h' + - "$.id.orig_h" + - "$.id.resp_h" - LogType: Zendesk.Audit Selectors: - - 'ip_address' + - "ip_address" - LogType: Zoom.Activity Selectors: - - 'ip_address' + - "ip_address"