DeepSecurity support #27
Conversation
'rule.category': 'cs1', | ||
'host.id': 'cn1', | ||
'event.original': 'msg', | ||
} |
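Review bot: the `'rule.category': 'cs1'`, `'host.id': 'cn1'` and `'event.original': 'msg'` pairs hardcode the CEF-to-ECS field mapping in Python, whereas the reviewer wants it declared through the ini `ecs` settings like the other sources; move it there, and because `cs1` and `cn1` are vendor-defined custom slots rather than self-describing names, add a comment stating which Deep Security value each one carries.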
These should be done with the ecs settings.
return logdata | ||
The lines below are copied from __init__.py.
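An added example, not code from the PR or the project: the hunk above hardcodes three CEF-to-ECS pairs (`cs1` to `rule.category`, `cn1` to `host.id`, `msg` to `event.original`). The parser below shows what consuming them end to end involves: splitting the pipe-delimited CEF header while honouring `\|`, splitting the extension into key/value pairs whose values may contain spaces and `\=`, then writing the mapped keys to nested ECS paths. The JSON envelope with a `message` key, every sample value, and the `set_dotted` helper are assumptions of this example (`set_dotted` is not siem's `put_value_into_dict`). Note that the mapping follows the hunk literally: ECS defines `event.original` as the whole raw event, so mapping only `msg` there is a choice the PR makes, not an ECS requirement.

```python
import json
import re

# The three CEF-to-ECS pairs below are the ones visible in the PR hunk; the parser,
# sample record and helper names are illustrative and not the project's code.
CEF_TO_ECS = {
    "cs1": "rule.category",
    "cn1": "host.id",
    "msg": "event.original",
}

# Order of the seven pipe-delimited CEF header fields (ArcSight CEF format).
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is a run of word characters followed by '=' at the start of the
# extension or right after whitespace. An escaped '\=' inside a value never matches
# because the character before that '=' is a backslash, not a word character.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")

# Constructed sample: a CEF line wrapped in a JSON envelope under "message".
# The envelope key and all values are assumptions, not Deep Security's real output.
SAMPLE_RECORD = json.dumps({
    "message": (
        "CEF:0|Example Vendor|Example Product|1.0|1000|Test\\|Event|3|"
        "cn1=10 cn1Label=Host ID cs1=Intrusion Prevention cs1Label=Category "
        "src=10.0.0.5 spt=4455 msg=Payload with k\\=v inside"
    )
})


def unescape(value):
    """Resolve CEF escapes: a backslash-escaped '|', '=' or '\\' becomes the literal
    character; '\\n' and '\\r' become newline and carriage return."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def split_header(line):
    """Return (seven header fields, extension string); '\\|' in the header is literal."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, line[i:]


def parse_extension(ext):
    """Split 'key=value key2=value two' into a dict; values run until the next key."""
    matches = list(_EXT_KEY.finditer(ext))
    pairs = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = unescape(ext[m.end():end].strip())
    return pairs


def set_dotted(target, dotted, value):
    """Write value at a dotted ECS path: 'host.id' -> {'host': {'id': value}}.
    Illustrative helper for this example, not siem's put_value_into_dict."""
    *parents, leaf = dotted.split(".")
    for key in parents:
        target = target.setdefault(key, {})
    target[leaf] = value


def cef_to_ecs(line):
    """Mapped keys go to their ECS path; the header and every unmapped extension
    pair are kept under 'cef' so no information from the record is dropped."""
    header, ext = split_header(line)
    pairs = parse_extension(ext)
    doc = {"cef": dict(zip(HEADER_FIELDS, header))}
    for cef_key, ecs_path in CEF_TO_ECS.items():
        if cef_key in pairs:
            set_dotted(doc, ecs_path, pairs[cef_key])
    doc["cef"]["extensions"] = {k: v for k, v in pairs.items() if k not in CEF_TO_ECS}
    return doc


def load_record(envelope_json):
    """Unwrap the assumed JSON envelope and convert the CEF line it carries."""
    return cef_to_ecs(json.loads(envelope_json)["message"])


if __name__ == "__main__":
    print(json.dumps(load_record(SAMPLE_RECORD), indent=2))
```

Running it prints a nested document with `host.id` set to `10`, `rule.category` to `Intrusion Prevention`, and `src`, `spt` and the two `*Label` keys preserved under `cef.extensions`; feeding it a line that is not CEF raises instead of silently producing an empty document.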
Thanks for the pull request! There are a few things I'd like changed, so please take care of them.
@@ -0,0 +1,165 @@ | |||
# es_loaderでDeepSecurityのログを取り込む |
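Review bot: the new document in hunk `@@ -0,0 +1,165 @@` is added under es_loader, where the reviewer notes it inflates the Lambda package; move it to docs/contributed/deepsecurity_ja.md as requested, and since the title is Japanese only, give it an English title line or a short English counterpart so contributors who don't read Japanese can still find the source's documentation.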
Thanks for the pull request.
Please save this file here:
/docs/contributed/deepsecurity_ja.md
Placing it under es-loader increases the Lambda package size and complicates maintenance, so I'd like to keep the docs in one place.
Understood. I'll move it!
"index_patterns" : [ | ||
"log-deepsecurity*" | ||
], | ||
"mappings" : { |
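Review bot: an `index_patterns` of `log-deepsecurity*` also matches the existing `log-*` template, so every field this `mappings` block repeats from `log-*` gets merged with the base definition: a repeat with the same type is dead weight, and a repeat with a different type makes the merged mapping conflict when the index is created. Keep only the Deep Security-specific fields here and, per the reviewer, drop explicit `keyword` on plain string fields since that is already the default.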
Fields already defined in log-* don't need to be defined again, so please remove them:
destination.ip, destination.port, source.ip, source.port, timestamp, etc.
String fields are typed as keyword by default, so unless a field could turn out to be a number or similar, those settings aren't needed either.
https://github.com/aws-samples/siem-on-amazon-elasticsearch/blob/dc942d03c64c1130b9add025f32de0595fad0abc/source/lambda/deploy_es/data.ini#L42-L46
I removed the duplicates and the ones that specified keyword.
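An added example, not the PR's or the project's code, that mechanises the check the reviewer applied above: flatten both index templates to dotted field names, report the fields the base `log-*` template already defines, flag type conflicts separately because they break the merged mapping rather than merely duplicating it, and strip bare `keyword` declarations since the reviewer states keyword is this project's default string type. Both templates below are constructed stand-ins; the real base definitions live in the data.ini the reviewer links, and field names such as `deepsecurity.repeatCount` are assumptions.

```python
import json

# Constructed stand-in for the fields the base log-* template already defines
# (the real list is in source/lambda/deploy_es/data.ini). Both templates in this
# example are illustrative, not the PR's JSON.
BASE_TEMPLATE = {
    "index_patterns": ["log-*"],
    "mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "source": {"properties": {"ip": {"type": "ip"}, "port": {"type": "integer"}}},
        "destination": {"properties": {"ip": {"type": "ip"}, "port": {"type": "integer"}}},
    }},
}

# A contributed template that shows the three things a review should catch.
CONTRIB_TEMPLATE = {
    "index_patterns": ["log-deepsecurity*"],
    "mappings": {"properties": {
        "source": {"properties": {"ip": {"type": "ip"},            # duplicate of base
                                  "port": {"type": "long"}}},      # type conflict with base
        "destination": {"properties": {"ip": {"type": "ip"}}},     # duplicate of base
        "rule": {"properties": {"category": {"type": "keyword"}}},  # redundant keyword
        "deepsecurity": {"properties": {"action": {"type": "keyword"},        # redundant keyword
                                        "repeatCount": {"type": "integer"}}},  # genuinely new
    }},
}


def flatten(properties, prefix=""):
    """Yield (dotted_name, leaf_mapping) for every leaf field in a mapping tree."""
    for name, body in properties.items():
        dotted = prefix + name
        if "properties" in body:
            yield from flatten(body["properties"], dotted + ".")
        else:
            yield dotted, body


def review_template(contrib, base, default_string_type="keyword"):
    """Compare a per-source template with the base template whose pattern it overlaps.

    duplicate:         same field, same type as base   -> delete, base covers it
    conflict:          same field, different type      -> resolve, merged mapping breaks
    redundant_keyword: new field declared only as the default string type -> delete
    """
    base_fields = dict(flatten(base["mappings"]["properties"]))
    findings = {"duplicate": [], "conflict": [], "redundant_keyword": []}
    for name, body in flatten(contrib["mappings"]["properties"]):
        if name in base_fields:
            base_type, new_type = base_fields[name].get("type"), body.get("type")
            if base_type == new_type:
                findings["duplicate"].append(name)
            else:
                findings["conflict"].append((name, base_type, new_type))
        elif body == {"type": default_string_type}:
            findings["redundant_keyword"].append(name)
    return findings


def _delete_path(properties, parts):
    head, *rest = parts
    if not rest:
        properties.pop(head, None)
        return
    child = properties.get(head, {}).get("properties")
    if child is not None:
        _delete_path(child, rest)
        if not child:  # object field with no leaves left
            properties.pop(head)


def prune(contrib, findings):
    """Return a copy with duplicates and redundant keywords removed. Conflicts are
    left in place on purpose so a human decides which type is correct."""
    pruned = json.loads(json.dumps(contrib))  # deep copy, input untouched
    for dotted in findings["duplicate"] + findings["redundant_keyword"]:
        _delete_path(pruned["mappings"]["properties"], dotted.split("."))
    return pruned


def remaining_fields(template):
    """Sorted dotted names a template still declares."""
    return sorted(name for name, _ in flatten(template["mappings"]["properties"]))


if __name__ == "__main__":
    findings = review_template(CONTRIB_TEMPLATE, BASE_TEMPLATE)
    print(json.dumps(findings, indent=2))
    print(json.dumps(prune(CONTRIB_TEMPLATE, findings), indent=2))
```

On the constructed input the pruned template keeps only `source.port` (flagged as a conflict for a human to settle) and `deepsecurity.repeatCount` (a non-string field the base does not define), which is the shape the reviewer asked the contributor to reach.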
index = log-deepsecurity | ||
s3_key = ds_agent | ||
format = json | ||
scripted_fields = True |
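Review bot: `s3_key = ds_agent` is the only thing that routes an S3 object to this section, so the accompanying doc should state the exact key prefix or path the Deep Security export writes to, letting a reader verify the match rather than discovering silently unmatched objects; and `scripted_fields = True` should be replaced with the fields the reviewer links to, since that option is slated for removal.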
scripted_fields is going to be made obsolete, so please replace it with these fields:
https://github.com/aws-samples/siem-on-amazon-elasticsearch/blob/dc942d03c64c1130b9add025f32de0595fad0abc/source/lambda/es_loader/aws.ini#L184-L191
I've updated it.
source/lambda/es_loader/aws.ini
@@ -634,3 +634,30 @@ event.kind = event | |||
script_ecs = cloud.instance.id event.action event.category event.outcome source.ip source.port user.name user.id | |||
geoip = source | |||
Please add this to source/lambda/es_loader/user.ini.sample instead.
Moved it!
source/lambda/es_loader/aws.ini
@@ -634,3 +634,30 @@ event.kind = event | |||
script_ecs = cloud.instance.id event.action event.category event.outcome source.ip source.port user.name user.id | |||
geoip = source | |||
[deepsecurity] | |||
# https://cloudone.trendmicro.com/docs/workload-security/event-syslog-message-formats/ |
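Review bot: the `[deepsecurity]` section is appended to aws.ini directly after the previous section's `geoip = source` line, among the built-in AWS sources; a contributed third-party source belongs in user.ini.sample, and since the section's only comment is the vendor URL, add a pointer to the project's own docs/contributed/deepsecurity_ja.md beside it so the ini and the document stay linked.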
Please add the following comment:
# See README for more details
# https://github.com/aws-samples/siem-on-amazon-elasticsearch/blob/main/docs/contributed/deepsecurity_ja.md
Added it!
import base64 | ||
import json | ||
import ipaddress | ||
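Review bot: the import block brings in `base64`, `json` and `ipaddress` but not the loader's shared helpers, and the reviewer notes that the helper definitions further down are copies from __init__.py; import `merge`, `put_value_into_dict` and `get_value_from_dict` from `siem` instead and delete the copies, so a fix to a shared helper applies to this source too.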
Please import the functions this way and delete everything from line 106 onward:
from siem import merge, put_value_into_dict, get_value_from_dict
Imported them and deleted the copies!
[deepsecurity] | ||
index = log-deepsecurity | ||
s3_key = ds_agent | ||
format = json |
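Review bot: `format = json` here while the PR description says the logs are CEF; add a one-line comment at this setting stating that each record is a CEF message carried inside JSON, so the next reader does not expect a JSON-native schema, and reference the CEF-parsing issue the reviewer opened (#28) as the place where native CEF support is tracked.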
I've opened an issue for CEF format support. Please give it a +1:
#28
Merged. Thank you!
Dashboard for S3 accesslog #27
Issue #, if available:
Description of changes:
Supports DeepSecurity CEF format logs.
CEF logs in JSON samples,
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.