Filter für Massenevents (NewIP und New UserContext auf auto plausible gestellt).
199
main.go
199
main.go
@@ -5435,48 +5435,85 @@ GROUP BY e.hostname, e.target_user, e.src_ip, e.workstation
|
||||
|
||||
newCount++
|
||||
|
||||
score := 2.0
|
||||
severity := "medium"
|
||||
score := 1.0
|
||||
severity := "low"
|
||||
|
||||
if count >= 5 {
|
||||
score = 4.0
|
||||
severity = "high"
|
||||
|
||||
created, err := d.insertDetection(ctx, Detection{
|
||||
RuleName: "ueba_new_user_context",
|
||||
Severity: severity,
|
||||
Hostname: host,
|
||||
Channel: "Security",
|
||||
EventID: 4624,
|
||||
Score: score,
|
||||
WindowStart: windowStart,
|
||||
WindowEnd: windowEnd,
|
||||
Summary: fmt.Sprintf(
|
||||
"UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
|
||||
user,
|
||||
host,
|
||||
srcIP,
|
||||
workstation,
|
||||
),
|
||||
Details: mustJSON(map[string]any{
|
||||
"user": user,
|
||||
"src_ip": srcIP,
|
||||
"workstation": workstation,
|
||||
"host": host,
|
||||
"count": count,
|
||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||
"window": d.cfg.UEBANewContextWindow.String(),
|
||||
}),
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if created {
|
||||
d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
|
||||
d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
|
||||
}
|
||||
} else {
|
||||
created, err := d.insertDetection(ctx, Detection{
|
||||
RuleName: "ueba_new_user_context",
|
||||
Severity: severity,
|
||||
Hostname: host,
|
||||
Channel: "Security",
|
||||
EventID: 4624,
|
||||
Score: score,
|
||||
Status: "plausible",
|
||||
WindowStart: windowStart,
|
||||
WindowEnd: windowEnd,
|
||||
Summary: fmt.Sprintf(
|
||||
"UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
|
||||
user,
|
||||
host,
|
||||
srcIP,
|
||||
workstation,
|
||||
),
|
||||
Details: mustJSON(map[string]any{
|
||||
"user": user,
|
||||
"src_ip": srcIP,
|
||||
"workstation": workstation,
|
||||
"host": host,
|
||||
"count": count,
|
||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||
"window": d.cfg.UEBANewContextWindow.String(),
|
||||
}),
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if created {
|
||||
d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
|
||||
d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
|
||||
}
|
||||
}
|
||||
|
||||
created, err := d.insertDetection(ctx, Detection{
|
||||
RuleName: "ueba_new_user_context",
|
||||
Severity: severity,
|
||||
Hostname: host,
|
||||
Channel: "Security",
|
||||
EventID: 4624,
|
||||
Score: score,
|
||||
WindowStart: windowStart,
|
||||
WindowEnd: windowEnd,
|
||||
Summary: fmt.Sprintf(
|
||||
"UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
|
||||
user,
|
||||
host,
|
||||
srcIP,
|
||||
workstation,
|
||||
),
|
||||
Details: mustJSON(map[string]any{
|
||||
"user": user,
|
||||
"src_ip": srcIP,
|
||||
"workstation": workstation,
|
||||
"host": host,
|
||||
"count": count,
|
||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||
"window": d.cfg.UEBANewContextWindow.String(),
|
||||
}),
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if created {
|
||||
d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
|
||||
d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
|
||||
}
|
||||
}
|
||||
|
||||
if err := rows.Err(); err != nil {
|
||||
@@ -6128,41 +6165,69 @@ GROUP BY e.hostname, e.target_user, e.src_ip
|
||||
continue
|
||||
}
|
||||
|
||||
score := 1.5 + math.Log10(float64(cnt)+1)
|
||||
score := 1.0 + math.Log10(float64(cnt)+1)
|
||||
|
||||
severity := "medium"
|
||||
severity := "low"
|
||||
if cnt >= 5 {
|
||||
severity = "high"
|
||||
severity = "medium"
|
||||
created, err := d.insertDetection(ctx, Detection{
|
||||
RuleName: "new_source_ip_for_user",
|
||||
Severity: severity,
|
||||
Hostname: host,
|
||||
Channel: "Security",
|
||||
EventID: 4624,
|
||||
Score: score,
|
||||
WindowStart: windowStart,
|
||||
WindowEnd: windowEnd,
|
||||
Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
|
||||
Details: mustJSON(map[string]any{
|
||||
"user": user,
|
||||
"src_ip": srcIP,
|
||||
"host": host,
|
||||
"count": cnt,
|
||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||
"window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
|
||||
"event_id": 4624,
|
||||
}),
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if created {
|
||||
d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
|
||||
d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
|
||||
}
|
||||
} else {
|
||||
created, err := d.insertDetection(ctx, Detection{
|
||||
RuleName: "new_source_ip_for_user",
|
||||
Severity: severity,
|
||||
Hostname: host,
|
||||
Channel: "Security",
|
||||
EventID: 4624,
|
||||
Score: score,
|
||||
WindowStart: windowStart,
|
||||
WindowEnd: windowEnd,
|
||||
Status: "plausibe",
|
||||
Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
|
||||
Details: mustJSON(map[string]any{
|
||||
"user": user,
|
||||
"src_ip": srcIP,
|
||||
"host": host,
|
||||
"count": cnt,
|
||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||
"window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
|
||||
"event_id": 4624,
|
||||
}),
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if created {
|
||||
d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
|
||||
d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
|
||||
}
|
||||
}
|
||||
|
||||
created, err := d.insertDetection(ctx, Detection{
|
||||
RuleName: "new_source_ip_for_user",
|
||||
Severity: severity,
|
||||
Hostname: host,
|
||||
Channel: "Security",
|
||||
EventID: 4624,
|
||||
Score: score,
|
||||
WindowStart: windowStart,
|
||||
WindowEnd: windowEnd,
|
||||
Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
|
||||
Details: mustJSON(map[string]any{
|
||||
"user": user,
|
||||
"src_ip": srcIP,
|
||||
"host": host,
|
||||
"count": cnt,
|
||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||
"window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
|
||||
"event_id": 4624,
|
||||
}),
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if created {
|
||||
d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
|
||||
d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
|
||||
}
|
||||
}
|
||||
|
||||
return rows.Err()
|
||||
|
||||
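Review bot: In the second hunk (`@@ -6128,41 +6165,69 @@`) the mass-event branch writes `Status: "plausibe"`, while the matching branch in the first hunk writes `Status: "plausible"`; the misspelled value will not match whatever the rest of the code treats as the auto-plausible status, so these new_source_ip_for_user detections would land under an unrecognised status rather than being filtered as intended, and the line should read `Status: "plausible",`. Both branches otherwise duplicate the entire Detection literal and the metrics block, differing only in that one field; computing the status first (`status := ""` followed by the mass-event check setting `status = "plausible"`) and keeping a single insertDetection call with `Status: status` would remove roughly sixty lines per rule and make this kind of divergence impossible. The condition that selects the else branch sits above the hunks and is not visible here, but auto-marking a burst of new source IPs or user contexts as plausible is also the shape of a spray or credential-stuffing wave, so it is worth a comment on that condition stating why a high newCount is treated as benign, and the code keeps incrementing detectionHitsTotal for these so the suppression remains observable. The enclosing functions start and end outside both hunks.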