Neues Dashboard und Lösung für starkes Noise bei UEBA Off-Hours
1006
deploy/grafana/provisioning/dashboards/siem-soc-privileged.json
Normal file
36
main.go
@@ -5791,6 +5791,14 @@ WHERE channel_name = 'Security'
|
||||
AND target_user <> ''
|
||||
AND target_user <> '-'
|
||||
AND target_user NOT LIKE '%$'
|
||||
AND logon_type IN ('2', '7', '10', '11')
|
||||
AND LOWER(target_user) NOT IN (
|
||||
'system',
|
||||
'localsystem',
|
||||
'local service',
|
||||
'network service',
|
||||
'anonymous logon'
|
||||
)
|
||||
GROUP BY hostname, target_user
|
||||
`
|
||||
|
||||
@@ -5809,7 +5817,7 @@ GROUP BY hostname, target_user
|
||||
}
|
||||
|
||||
user = normalizeUsername(user)
|
||||
if user == "" || isMachineAccount(user) {
|
||||
if isNoiseAccount(user) {
|
||||
continue
|
||||
}
|
||||
|
||||
@@ -6093,3 +6101,29 @@ GROUP BY e.hostname, e.target_user
|
||||
|
||||
return rows.Err()
|
||||
}
|
||||
|
||||
func isNoiseAccount(username string) bool {
|
||||
u := normalizeUsername(username)
|
||||
|
||||
if u == "" || isMachineAccount(u) {
|
||||
return true
|
||||
}
|
||||
|
||||
switch u {
|
||||
case "system",
|
||||
"localsystem",
|
||||
"local service",
|
||||
"network service",
|
||||
"anonymous logon",
|
||||
"dwm-1",
|
||||
"dwm-2",
|
||||
"dwm-3",
|
||||
"umfd-0",
|
||||
"umfd-1",
|
||||
"umfd-2",
|
||||
"umfd-3":
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
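Review bot: The built-in account list now lives in two places that already disagree: the SQL `NOT IN` in the first hunk stops at 'anonymous logon', while the `switch` in isNoiseAccount in the third hunk also covers dwm-1..3 and umfd-0..3, so the two filters will keep drifting apart. Keep one Go-side set (for example a package-level `map[string]struct{}`) as the single source of truth and treat the SQL list as a coarse prefilter, or drop the SQL list and rely on the Go check alone. The enumerated dwm-N/umfd-N cases also stop at a fixed session number; a prefix check such as `if strings.HasPrefix(u, "dwm-") || strings.HasPrefix(u, "umfd-") { return true }` after the switch covers higher sessions without a growing list (add the strings import if main.go does not already have it). Because isNoiseAccount calls normalizeUsername itself, the `user = normalizeUsername(user)` kept in the second hunk is only needed if the normalized value is used further down that loop, which lies outside the hunk. The new function has no doc comment; I would add `// isNoiseAccount reports whether username is empty, a machine account, or a built-in Windows service/session account that should be excluded from the off-hours logon statistics.`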