Filter für Massenevents (NewIP und New UserContext auf auto plausible gestellt).
199
main.go
199
main.go
@@ -5435,48 +5435,85 @@ GROUP BY e.hostname, e.target_user, e.src_ip, e.workstation
|
|||||||
|
|
||||||
newCount++
|
newCount++
|
||||||
|
|
||||||
score := 2.0
|
score := 1.0
|
||||||
severity := "medium"
|
severity := "low"
|
||||||
|
|
||||||
if count >= 5 {
|
if count >= 5 {
|
||||||
score = 4.0
|
score = 4.0
|
||||||
severity = "high"
|
severity = "high"
|
||||||
|
|
||||||
|
created, err := d.insertDetection(ctx, Detection{
|
||||||
|
RuleName: "ueba_new_user_context",
|
||||||
|
Severity: severity,
|
||||||
|
Hostname: host,
|
||||||
|
Channel: "Security",
|
||||||
|
EventID: 4624,
|
||||||
|
Score: score,
|
||||||
|
WindowStart: windowStart,
|
||||||
|
WindowEnd: windowEnd,
|
||||||
|
Summary: fmt.Sprintf(
|
||||||
|
"UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
|
||||||
|
user,
|
||||||
|
host,
|
||||||
|
srcIP,
|
||||||
|
workstation,
|
||||||
|
),
|
||||||
|
Details: mustJSON(map[string]any{
|
||||||
|
"user": user,
|
||||||
|
"src_ip": srcIP,
|
||||||
|
"workstation": workstation,
|
||||||
|
"host": host,
|
||||||
|
"count": count,
|
||||||
|
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||||
|
"window": d.cfg.UEBANewContextWindow.String(),
|
||||||
|
}),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if created {
|
||||||
|
d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
|
||||||
|
d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
created, err := d.insertDetection(ctx, Detection{
|
||||||
|
RuleName: "ueba_new_user_context",
|
||||||
|
Severity: severity,
|
||||||
|
Hostname: host,
|
||||||
|
Channel: "Security",
|
||||||
|
EventID: 4624,
|
||||||
|
Score: score,
|
||||||
|
Status: "plausible",
|
||||||
|
WindowStart: windowStart,
|
||||||
|
WindowEnd: windowEnd,
|
||||||
|
Summary: fmt.Sprintf(
|
||||||
|
"UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
|
||||||
|
user,
|
||||||
|
host,
|
||||||
|
srcIP,
|
||||||
|
workstation,
|
||||||
|
),
|
||||||
|
Details: mustJSON(map[string]any{
|
||||||
|
"user": user,
|
||||||
|
"src_ip": srcIP,
|
||||||
|
"workstation": workstation,
|
||||||
|
"host": host,
|
||||||
|
"count": count,
|
||||||
|
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||||
|
"window": d.cfg.UEBANewContextWindow.String(),
|
||||||
|
}),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if created {
|
||||||
|
d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
|
||||||
|
d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
created, err := d.insertDetection(ctx, Detection{
|
|
||||||
RuleName: "ueba_new_user_context",
|
|
||||||
Severity: severity,
|
|
||||||
Hostname: host,
|
|
||||||
Channel: "Security",
|
|
||||||
EventID: 4624,
|
|
||||||
Score: score,
|
|
||||||
WindowStart: windowStart,
|
|
||||||
WindowEnd: windowEnd,
|
|
||||||
Summary: fmt.Sprintf(
|
|
||||||
"UEBA: Benutzer %s meldet sich in neuem Kontext an: Host=%s IP=%s Workstation=%s",
|
|
||||||
user,
|
|
||||||
host,
|
|
||||||
srcIP,
|
|
||||||
workstation,
|
|
||||||
),
|
|
||||||
Details: mustJSON(map[string]any{
|
|
||||||
"user": user,
|
|
||||||
"src_ip": srcIP,
|
|
||||||
"workstation": workstation,
|
|
||||||
"host": host,
|
|
||||||
"count": count,
|
|
||||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
|
||||||
"window": d.cfg.UEBANewContextWindow.String(),
|
|
||||||
}),
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if created {
|
|
||||||
d.detectionHitsTotal.WithLabelValues("ueba_new_user_context", severity).Inc()
|
|
||||||
d.anomalyScoreGauge.WithLabelValues(host, "ueba_new_user_context").Set(score)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := rows.Err(); err != nil {
|
if err := rows.Err(); err != nil {
|
||||||
@@ -6128,41 +6165,69 @@ GROUP BY e.hostname, e.target_user, e.src_ip
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
score := 1.5 + math.Log10(float64(cnt)+1)
|
score := 1.0 + math.Log10(float64(cnt)+1)
|
||||||
|
|
||||||
severity := "medium"
|
severity := "low"
|
||||||
if cnt >= 5 {
|
if cnt >= 5 {
|
||||||
severity = "high"
|
severity = "medium"
|
||||||
|
created, err := d.insertDetection(ctx, Detection{
|
||||||
|
RuleName: "new_source_ip_for_user",
|
||||||
|
Severity: severity,
|
||||||
|
Hostname: host,
|
||||||
|
Channel: "Security",
|
||||||
|
EventID: 4624,
|
||||||
|
Score: score,
|
||||||
|
WindowStart: windowStart,
|
||||||
|
WindowEnd: windowEnd,
|
||||||
|
Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
|
||||||
|
Details: mustJSON(map[string]any{
|
||||||
|
"user": user,
|
||||||
|
"src_ip": srcIP,
|
||||||
|
"host": host,
|
||||||
|
"count": cnt,
|
||||||
|
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||||
|
"window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
|
||||||
|
"event_id": 4624,
|
||||||
|
}),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if created {
|
||||||
|
d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
|
||||||
|
d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
created, err := d.insertDetection(ctx, Detection{
|
||||||
|
RuleName: "new_source_ip_for_user",
|
||||||
|
Severity: severity,
|
||||||
|
Hostname: host,
|
||||||
|
Channel: "Security",
|
||||||
|
EventID: 4624,
|
||||||
|
Score: score,
|
||||||
|
WindowStart: windowStart,
|
||||||
|
WindowEnd: windowEnd,
|
||||||
|
Status: "plausibe",
|
||||||
|
Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
|
||||||
|
Details: mustJSON(map[string]any{
|
||||||
|
"user": user,
|
||||||
|
"src_ip": srcIP,
|
||||||
|
"host": host,
|
||||||
|
"count": cnt,
|
||||||
|
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
||||||
|
"window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
|
||||||
|
"event_id": 4624,
|
||||||
|
}),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if created {
|
||||||
|
d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
|
||||||
|
d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
created, err := d.insertDetection(ctx, Detection{
|
|
||||||
RuleName: "new_source_ip_for_user",
|
|
||||||
Severity: severity,
|
|
||||||
Hostname: host,
|
|
||||||
Channel: "Security",
|
|
||||||
EventID: 4624,
|
|
||||||
Score: score,
|
|
||||||
WindowStart: windowStart,
|
|
||||||
WindowEnd: windowEnd,
|
|
||||||
Summary: fmt.Sprintf("Benutzer %s meldet sich auf %s erstmals von Quell-IP %s an", user, host, srcIP),
|
|
||||||
Details: mustJSON(map[string]any{
|
|
||||||
"user": user,
|
|
||||||
"src_ip": srcIP,
|
|
||||||
"host": host,
|
|
||||||
"count": cnt,
|
|
||||||
"first_seen": firstSeen.UTC().Format(time.RFC3339Nano),
|
|
||||||
"window_minutes": int(d.cfg.NewSourceIPWindow.Minutes()),
|
|
||||||
"event_id": 4624,
|
|
||||||
}),
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if created {
|
|
||||||
d.detectionHitsTotal.WithLabelValues("new_source_ip_for_user", severity).Inc()
|
|
||||||
d.anomalyScoreGauge.WithLabelValues(host, "new_source_ip_for_user").Set(score)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return rows.Err()
|
return rows.Err()
|
||||||
|
|||||||
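Review bot: The status written in the else-branch of this hunk, `Status: "plausibe",`, is misspelled; the parallel branch in the first hunk (ueba_new_user_context) writes `Status: "plausible"`, so new_source_ip_for_user detections that take this path carry a status no consumer filtering on "plausible" will match, and they will resurface as unreviewed hits instead of being auto-plausibilised as the commit intends. Change the line to `Status: "plausible",`, and consider a shared constant for the value so the two rules cannot drift again. Both branches here, and likewise in the first hunk, duplicate the entire insertDetection call and differ only in that one field; a `status` variable that stays empty in the normal case (equivalent to the original, which set no Status) and is `"plausible"` in the mass-event case, passed as `Status: status` into a single call, would remove the duplication and make this kind of divergence impossible. The condition that selects the else-branch is not visible in the rendered hunk, and the enclosing function starts before both hunks.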