# Single-value panel: count of all Sandfly events in the last hour.
# The inline `earliest=-1h` in the search string overrides dispatch.earliest_time (-24h@h),
# so the dispatch window here is wider than what is actually searched.
[Total Events, Last 1 Hour]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = bar
|
|
display.visualizations.type = singlevalue
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` earliest=-1h | stats count
|
|
|
|
# Single-value panel: count of all Sandfly events in the last minute.
# dispatch window (-1m@m) and inline `earliest=-1m` agree here.
[Total Events, Last 1 Minute]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -1m@m
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = bar
|
|
display.visualizations.type = singlevalue
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` earliest=-1m | stats count
|
|
|
|
# Single-value panel: count of all Sandfly events in the last day.
# NOTE(review): dispatch.earliest_time is -1m@m (looks copied from the 1-minute stanza); the inline
# `earliest=-1d` in the search overrides it, so results are correct, but -1d@d would be the
# consistent value. TODO confirm and align.
[Total Events, Last 1 day]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -1m@m
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = bar
|
|
display.visualizations.type = singlevalue
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` earliest=-1d | stats count
|
|
|
|
# Bar chart: the 20 hostnames (header.hostname) with the most Sandfly events in the last 24 hours.
[Top 20 Host Names, Last 24 Hours]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = bar
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` | top limit=20 "header.hostname"
|
|
|
|
# Event-count timechart with the time-range picker left enabled (default window: last 30 days).
# Fast mode is set because only `count` is needed.
[Total Events Bar Chart Time Picker]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -30d@d
|
|
dispatch.latest_time = now
|
|
display.general.type = visualizations
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` | timechart count
|
|
|
|
# Event-count timechart over the last 7 days, time picker hidden.
# Inline `earliest=-7d@d` snaps to day boundaries; dispatch.earliest_time (-7d@h) is overridden by it.
[Total Events Last 7 Days Bar Chart]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -7d@h
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` earliest=-7d@d |timechart count
|
|
|
|
# Single-value panel fed by a timechart over the 7 full days ending yesterday
# (inline earliest=-8d@d latest=-1d@d override the -1m@m dispatch window).
# NOTE(review): presumably intended to render the single value with its trend indicator — confirm in the dashboard.
[Total Events Trend, Last 7 Days]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -1m@m
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = bar
|
|
display.visualizations.type = singlevalue
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` earliest=-8d@d latest=-1d@d |timechart count
|
|
|
|
# Pie chart: event count per host (header.hostname renamed to HostName) over the last 24 hours.
[Number of Events by HostName]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = pie
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` | rename header.hostname as HostName | stats count by HostName
|
|
|
|
# Statistics table: per host, the distinct sandfly names (data.name) that fired and the event count.
[Sandfly by Hostname]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = line
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` | rename header.hostname as HostName | stats values(data.name) as Sandfly count by HostName
|
|
|
|
# Line chart: event count per host in 1-week buckets.
# NOTE(review): the dispatch window is only -24h@h while the timechart span is 1w, so at most one
# bucket is ever populated; the stanza name suggests a 7-day window was intended — confirm.
[Timechart by Hostname (1 Week)]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = line
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` | rename header.hostname as HostName | timechart span=1w count by HostName
|
|
|
|
# Event count grouped by the Sandfly result status (data.status) over the last 24 hours.
[Sandfly Alarms by Status]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.general.type = visualizations
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` | stats count by data.status
|
|
|
|
# Size distribution of large events: counts events whose _raw length exceeds 9999 characters,
# grouped by exact length and sorted largest first. Window is the previous full week (-7d@w0 .. @w0).
# Useful for spotting events that approach an ingest truncation limit — the limit itself is not set here.
[Sandfly Alarms by Raw Size]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -7d@w0
|
|
dispatch.latest_time = @w0
|
|
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search`\
|
|
| eval raw_length=len(_raw)\
|
|
| search raw_length > 9999\
|
|
| stats count by raw_length\
|
|
| sort - raw_length
|
|
|
|
# Same search as the 7-day bar chart, rendered as a pie (one slice per timechart bucket).
[Total Events Last 7 Days Pie Chart]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -7d@h
|
|
dispatch.latest_time = now
|
|
display.general.timeRangePicker.show = 0
|
|
display.general.type = visualizations
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = visualizations
|
|
display.statistics.show = 0
|
|
display.visualizations.charting.chart = pie
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` earliest=-7d@d |timechart count
|
|
|
|
# Template: exact match on the SHA1 of a process binary reported by Sandfly.
# Replace SHA1_HASH_TO_SEARCH_HERE with the hash before running; as shipped it matches nothing.
[Template Process Search SHA1 Hash]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
description = Template to search for a current or past running process with matching binary SHA1 hash.
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` data.results.process.hash.sha1="SHA1_HASH_TO_SEARCH_HERE"
|
|
|
|
# Template: exact match on a process name reported by Sandfly.
# Replace PROCESS_NAME_HERE before running; as shipped it matches nothing.
[Template Process Search Name]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
description = Template to search for a current or past running process with matching process name.
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` data.results.process.name="PROCESS_NAME_HERE"
|
|
|
|
# Template: exact match on a username from the remote host's /etc/passwd as reported by Sandfly.
# Replace USERNAME_HERE before running; as shipped it matches nothing.
[Template User Search Username]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
description = Template to search for a current or past username found in the remote system /etc/passwd listing.
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` data.results.user.username="USERNAME_HERE"
|
|
|
|
# Raw event listing of every os_identify result in the last 24 hours.
[Operating Systems Identification Data]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
description = Retrieves all OS Identify Sandfly data for all hosts. Contains extensive remote Linux operating system information each time Sandfly scans a host.
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` data.name="os_identify"
|
|
|
|
# Lists os_identify events that carry a non-empty CPU bug list (data.results.os.hardware.cpu.bugs{}).
# NOTE(review): this is the only stanza that searches `index="*" sourcetype="sandfly:alarms"` instead of
# the `sandfly_search` macro every other panel uses. index="*" scans every index the running user can
# read, which is slower and ignores whatever index scoping the macro applies — consider switching to
# the macro for consistency (verify the macro selects the same sourcetype first).
[Operating System CPU Bugs]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
description = Lists all hardware CPU bugs reported by the operating system.
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["source","sourcetype","data.name","data.results.process.name","data.results.log.lastlog.username","data.results.log.lastlog.hostname","data.results.log.btmp.hostname","header.hostname","data.results.log.btmp.username","data.results.log.wtmp.hostname","data.results.log.wtmp.username","data.results.os.hardware.cpu.bugs{}"]
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = index="*" sourcetype="sandfly:alarms" data.name="os_identify" "data.results.os.hardware.cpu.bugs{}"="*"
|
|
|
|
# Report (not scheduled): hosts where the user_ssh_authorized_keys_immutable sandfly raised an alert
# since midnight, one row per host with the explanation text.
# Same search as the scheduled alert [Host with Immutable authorized_keys File] further down.
# NOTE(review): `workload_pool = undefined` is a literal string, not an unset value — confirm it is intended.
[SSH Keys - Hosts with Immutable authorized_keys File]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.engine="sandfly_engine_user" data.name="user_ssh_authorized_keys_immutable" data.status="alert"\
|
|
| dedup header.hostname\
|
|
| table header.hostname data.name data.status data.results.explanation
|
|
workload_pool = undefined
|
|
|
|
# For every authorized_keys entry seen in the last 4 hours: which user accounts (across hosts) carry that key.
# spath pulls the key list out, mvexpand gives one row per key, empty keys are dropped, then rows are
# collapsed to key -> set of user names.
# NOTE(review): aaa_keys_count is computed after mvexpand (so it is always 1) and never used — safe to drop.
[SSH Keys - User Names Associated with SSH Key]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -4h@m
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| spath output=aaa_keys path=data.results.user.ssh.authorized_keys.data{}.key \
|
|
| mvexpand aaa_keys \
|
|
| eval aaa_keys_count = mvcount(aaa_keys) \
|
|
| eval aaa_keys_len = len(aaa_keys) \
|
|
| where aaa_keys_len > 0 \
|
|
| fields aaa_keys header.hostname data.results.user.username \
|
|
| rename aaa_keys as ssh_key, header.hostname as host_name, data.results.user.username as user_name \
|
|
| dedup ssh_key, user_name, host_name\
|
|
| stats values(user_name) as "User Names" by ssh_key\
|
|
| rename ssh_key as "SSH Key"\
|
|
| table "User Names" "SSH Key"
|
|
|
|
# For every authorized_keys entry seen in the last 24 hours: on how many distinct hosts it appears.
# dedup on (hostname, key) makes the final count a host count rather than an event count.
[SSH Keys - Number of Hosts with SSH Key]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"\
|
|
| spath output=aaa_keys path=data.results.user.ssh.authorized_keys.data{}.key\
|
|
| mvexpand aaa_keys\
|
|
| eval aaa_keys_len=len(aaa_keys)\
|
|
| search aaa_keys_len > 0\
|
|
| dedup header.hostname aaa_keys\
|
|
| stats count by aaa_keys
|
|
|
|
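# Per (host, user): how long ago the authorized_keys file was accessed / modified / created.
# The *_minutes fields are converted to seconds, formatted with tostring(..., "duration")
# ("D+HH:MM:SS"), and rewritten into "D days H hours M minutes S secs" by the replace() regex.
# Fix: the original piped `table ...` before `sort aaa_date_accessed_minutes`; table drops every
# field not listed, so the sort key no longer existed and the rows came out unsorted. The sort now
# runs before the projection.
[SSH Keys - authorized_keys File Last Accessed]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed_minutes as aaa_date_accessed_minutes \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed as aaa_date_accessed \
|
|
| eval temp_duration1 = tostring(aaa_date_accessed_minutes*60, "duration") \
|
|
| eval aaa_accessed_duration=replace(temp_duration1,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.created_minutes as aaa_date_created_minutes \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
|
|
| eval temp_duration2 = tostring(aaa_date_created_minutes*60, "duration") \
|
|
| eval aaa_created_duration=replace(temp_duration2,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.modified_minutes as aaa_date_modified_minutes \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.modified as aaa_date_modified \
|
|
| eval temp_duration3 = tostring(aaa_date_modified_minutes*60, "duration") \
|
|
| eval aaa_modified_duration=replace(temp_duration3,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name \
|
|
| sort aaa_date_accessed_minutes\
|
|
| table host_name user_name aaa_accessed_duration aaa_modified_duration aaa_created_duration\
|
|
| rename host_name as "Host Name", user_name as "User Name", aaa_accessed_duration as "Last Accessed", aaa_modified_duration as "Last Modified", aaa_created_duration as "Created"
|
|
|
|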
# Per (host, user): authorized_keys files whose reported creation timestamp falls on or after local midnight.
# The file's date is parsed with a fixed "%Y-%m-%dT%H:%M:%SZ" format and compared against relative_time(now(), "@d").
# Only events since midnight (dispatch.earliest_time = @d) are examined, so a host must have been scanned today to appear.
[SSH Keys - authorized_keys File Created Today]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name\
|
|
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
|
|
| where aaa_date_created_epoch >= relative_time(now(), "@d")\
|
|
| table host_name user_name aaa_date_created aaa_file_path\
|
|
| rename host_name as "Host Name", user_name as "User Name", aaa_date_created as "Date Created", aaa_file_path as "File Path"
|
|
|
|
# Per (host, user): authorized_keys files whose reported modification timestamp falls on or after local midnight.
# Same structure as "Created Today", keyed on file{}.date.modified instead.
[SSH Keys - authorized_keys File Modified Today]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.modified as aaa_date_modified \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name\
|
|
| eval aaa_date_modified_epoch = strptime(aaa_date_modified, "%Y-%m-%dT%H:%M:%SZ")\
|
|
| where aaa_date_modified_epoch >= relative_time(now(), "@d")\
|
|
| table host_name user_name aaa_date_modified aaa_file_path\
|
|
| rename host_name as "Host Name", user_name as "User Name", aaa_date_modified as "Date Modified", aaa_file_path as "File Path"
|
|
|
|
# Scheduled alert (hourly, last 1h): fires when any host reported an immutable authorized_keys file
# (counttype/relation/quantity = more than 0 results); severity 4, tracked in Triggered Alerts.
# Email action sends the results inline and as CSV.
# NOTE(review): action.email.to is a hard-coded personal mailbox at an external provider. With
# sendresults/sendcsv enabled, every trigger mails hostnames and Sandfly explanation text to it.
# This should not ship as a default — make it an operator-set value (or remove the email action)
# and let deployments configure their own recipient.
# NOTE(review): `workload_pool = undefined` is a literal string — confirm it is intended.
[Host with Immutable authorized_keys File]
|
|
action.email.inline = 1
|
|
action.email.sendcsv = 1
|
|
action.email.sendresults = 1
|
|
action.email.to = ssnapp@gmail.com
|
|
action.email.useNSSubject = 1
|
|
alert.severity = 4
|
|
alert.suppress = 0
|
|
alert.track = 1
|
|
counttype = number of events
|
|
cron_schedule = 0 * * * *
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
enableSched = 1
|
|
quantity = 0
|
|
relation = greater than
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.engine="sandfly_engine_user" data.name="user_ssh_authorized_keys_immutable" data.status="alert"\
|
|
| dedup header.hostname\
|
|
| table header.hostname data.name data.status data.results.explanation
|
|
workload_pool = undefined
|
|
|
|
# Per (host, user): authorized_keys files whose reported access timestamp falls on or after local midnight.
# Same structure as "Created Today", keyed on file{}.date.accessed; the date column is listed first.
[SSH Keys - authorized_keys File Accessed Today]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed as aaa_date_accessed \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name\
|
|
| eval aaa_date_accessed_epoch = strptime(aaa_date_accessed, "%Y-%m-%dT%H:%M:%SZ")\
|
|
| where aaa_date_accessed_epoch >= relative_time(now(), "@d")\
|
|
| table aaa_date_accessed host_name user_name aaa_file_path\
|
|
| rename aaa_date_accessed as "Date Accessed", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"
|
|
|
|
# Per (host, user): authorized_keys files created within the last 7 days (relative_time(now(), "-7d@d")).
# NOTE(review): dispatch.earliest_time is still @d, so only scan results ingested since midnight are
# considered; a host not scanned today will not appear even if its file was created this week.
# Presumably intended (latest scan only) — confirm. The same applies to the 24h/48h/72h variants below.
[SSH Keys - authorized_keys File Created Last 7 Days]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name\
|
|
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
|
|
| where aaa_date_created_epoch >= relative_time(now(), "-7d@d")\
|
|
| table aaa_date_created host_name user_name aaa_file_path\
|
|
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"
|
|
|
|
# Per (host, user): authorized_keys files created within the last 24 hours (relative_time(now(), "-24h")).
# Events examined are limited to those since midnight (dispatch.earliest_time = @d).
[SSH Keys - authorized_keys File Created Last 24 Hours]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name\
|
|
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
|
|
| where aaa_date_created_epoch >= relative_time(now(), "-24h")\
|
|
| table aaa_date_created host_name user_name aaa_file_path\
|
|
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"
|
|
|
|
# Per (host, user): authorized_keys files created within the last 48 hours (relative_time(now(), "-48h")).
# Events examined are limited to those since midnight (dispatch.earliest_time = @d).
[SSH Keys - authorized_keys File Created Last 48 Hours]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name\
|
|
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
|
|
| where aaa_date_created_epoch >= relative_time(now(), "-48h")\
|
|
| table aaa_date_created host_name user_name aaa_file_path\
|
|
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"
|
|
|
|
# Per (host, user): authorized_keys files created within the last 72 hours (relative_time(now(), "-72h")).
# Events examined are limited to those since midnight (dispatch.earliest_time = @d).
[SSH Keys - authorized_keys File Created Last 72 Hours]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = @d
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
|
|
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
|
|
| rename header.hostname as host_name \
|
|
| rename data.results.user.username as user_name \
|
|
| dedup host_name user_name\
|
|
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
|
|
| where aaa_date_created_epoch >= relative_time(now(), "-72h")\
|
|
| table aaa_date_created host_name user_name aaa_file_path\
|
|
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"
|
|
|
|
# SSH Hunter report: for each tracked key (by friendly_name), when it was last seen — as the raw UTC
# string, reformatted in the search head's local time, and as a "D days H hours ..." age.
# last_seen is parsed with "%Y-%m-%dT%H:%M:%S%Z" (timezone token), unlike the authorized_keys
# searches above which use a literal trailing Z — presumably the two sources differ in format; verify.
# NOTE(review): this stanza uses the `sandfly_search_sshkeys` macro while the two "Keys First Seen"
# alerts below use `sandfly_search_ssh_hunter` for the same event_type — confirm both macros exist and agree.
[SSH Hunter - Keys Last Seen Report]
|
|
action.email.useNSSubject = 1
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_sshkeys` event_type=ssh_key_details\
|
|
| dedup ssh_key_details.friendly_name \
|
|
| rename ssh_key_details.last_seen as date_last_seen \
|
|
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z") \
|
|
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S") \
|
|
| eval time_diff = ceiling(now() - last_seen_epoch)\
|
|
| eval temp_duration = tostring(time_diff, "duration") \
|
|
| eval key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
|
|
| table ssh_key_details.friendly_name date_last_seen local_last_seen key_last_seen\
|
|
| rename ssh_key_details.friendly_name as "Friendly Name"\
|
|
| rename date_last_seen as "Date Last Seen (UTC)"\
|
|
| rename local_last_seen as "Date Last Seen (Local Time)"\
|
|
| rename key_last_seen as "Key Last Seen"
|
|
|
|
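# Scheduled (hourly at :30, last 1h): rebuilds the sandfly_assets.csv lookup from host_summary events,
# one row per host_id, in the asset-list column layout (ip, mac, nt_host, dns, owner, priority, lat,
# long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update,
# requires_av, cim_entity_zone). Only ip, category (tags joined with "|") and is_expected
# (from host_summary.active) are populated; the rest are blank or fixed defaults.
# Fix: the original spelled two fields `asest_long` and `assset_bunit`; `table asset_*` matched
# neither, so the long and bunit columns were silently missing from the lookup. Renamed to
# asset_long / asset_bunit so the wildcard picks them up.
# NOTE(review): asset_priority="unknown" and asset_pci_domain="untrust" are hard-coded for every host —
# presumably placeholders for operators to override; confirm.
[Sandfly Hosts to Asset Lookup]
|
|
action.lookup = 1
|
|
action.lookup.filename = sandfly_assets.csv
|
|
alert.severity = 1
|
|
alert.suppress = 0
|
|
alert.track = 1
|
|
counttype = number of events
|
|
cron_schedule = 30 * * * *
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.show = 0
|
|
enableSched = 1
|
|
quantity = 0
|
|
relation = greater than
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_hosts` event_type=host_summary\
|
|
| dedup "host_summary.host_id" \
|
|
| spath output=aaa_tags path=host_summary.tags{} \
|
|
| spath output=aaa_active path=host_summary.active \
|
|
| eval asset_ip='host_summary.last_seen_ip_addr' \
|
|
| eval asset_mac="" \
|
|
| eval asset_nt_host="" \
|
|
| eval asset_dns="" \
|
|
| eval asset_owner="" \
|
|
| eval asset_priority="unknown" \
|
|
| eval asset_lat="" \
|
|
| eval asset_long="" \
|
|
| eval asset_city="" \
|
|
| eval asset_country="" \
|
|
| eval asset_bunit="" \
|
|
| eval asset_category=mvjoin(aaa_tags,"|") \
|
|
| eval asset_pci_domain="untrust" \
|
|
| eval asset_is_expected=if(aaa_active == "true", "true", "") \
|
|
| eval asset_should_timesync="" \
|
|
| eval asset_should_update="" \
|
|
| eval asset_requires_av="" \
|
|
| eval asset_cim_entity_zone="" \
|
|
| table asset_* \
|
|
| rename asset_* as *
|
|
|
|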
# Scheduled (hourly at :15, last 1h): rebuilds sandfly_hosts.csv with every host_summary.* field,
# one row per host_id, prefix stripped.
[Sandfly Hosts to Hosts Lookup]
|
|
action.lookup = 1
|
|
action.lookup.filename = sandfly_hosts.csv
|
|
alert.severity = 1
|
|
alert.suppress = 0
|
|
alert.track = 1
|
|
counttype = number of events
|
|
cron_schedule = 15 * * * *
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server"]
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
enableSched = 1
|
|
quantity = 0
|
|
relation = greater than
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_hosts` event_type=host_summary\
|
|
| dedup "host_summary.host_id" \
|
|
| table host_summary.* \
|
|
| rename host_summary.* as *
|
|
|
|
# Scheduled alert (hourly at :15, last 1h, severity 4): SSH Hunter keys whose first_seen is on or
# after local midnight; reports friendly name, first_seen and the key's SHA-512.
# Because the alert re-runs every hour over the same day, a key first seen today is reported on each
# run until midnight — alert.suppress is 0, so expect repeated triggers.
[SSH Hunter - Keys First Seen Today]
|
|
alert.severity = 4
|
|
alert.suppress = 0
|
|
alert.track = 1
|
|
counttype = number of events
|
|
cron_schedule = 15 * * * *
|
|
dispatch.earliest_time = -1h
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.type = singlevalue
|
|
enableSched = 1
|
|
quantity = 0
|
|
relation = greater than
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_ssh_hunter` event_type=ssh_key_details \
|
|
| dedup ssh_key_details.friendly_name \
|
|
| eval first_seen_epoch = strptime('ssh_key_details.first_seen', "%Y-%m-%dT%H:%M:%S%Z") \
|
|
| where first_seen_epoch >= relative_time(now(), "@d") \
|
|
| table ssh_key_details.friendly_name ssh_key_details.first_seen ssh_key_details.hash.sha512
|
|
|
|
# Scheduled alert (Sundays 19:00, last 1 week, severity 4): SSH Hunter keys whose first_seen falls
# within the last 7 days (relative_time(now(), "-7d@d")).
[SSH Hunter - Keys First Seen This Week]
|
|
alert.severity = 4
|
|
alert.suppress = 0
|
|
alert.track = 1
|
|
counttype = number of events
|
|
cron_schedule = 0 19 * * 0
|
|
dispatch.earliest_time = -1w
|
|
dispatch.latest_time = now
|
|
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
|
|
display.general.type = statistics
|
|
display.page.search.mode = fast
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.type = singlevalue
|
|
enableSched = 1
|
|
quantity = 0
|
|
relation = greater than
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search_ssh_hunter` event_type=ssh_key_details \
|
|
| dedup ssh_key_details.friendly_name \
|
|
| eval first_seen_epoch = strptime('ssh_key_details.first_seen', "%Y-%m-%dT%H:%M:%S%Z") \
|
|
| where first_seen_epoch >= relative_time(now(), "-7d@d") \
|
|
| table ssh_key_details.friendly_name ssh_key_details.first_seen ssh_key_details.hash.sha512
|
|
|
|
# Event count per sandfly over the last 24 hours, joined to sandflies.csv (data.name -> sandfly_name).
# Depends on the [Sandflies to Lookup File] scheduled search having populated sandflies.csv.
[Count of Sandflies]
|
|
action.email.useNSSubject = 1
|
|
action.webhook.enable_allowlist = 0
|
|
alert.track = 0
|
|
dispatch.earliest_time = -24h@h
|
|
dispatch.latest_time = now
|
|
display.general.type = statistics
|
|
display.page.search.tab = statistics
|
|
display.visualizations.charting.chart = pie
|
|
display.visualizations.show = 0
|
|
request.ui_dispatch_app = sandfly_security
|
|
request.ui_dispatch_view = search
|
|
search = `sandfly_search` | lookup sandflies.csv sandfly_name as data.name OUTPUT sandfly_name | stats count by sandfly_name | sort - count
|
|
|
|
[Events by Host with Description]
# Ad-hoc report: one row per (timestamp, hostname) over the last 24 hours, with the
# sandfly description joined in from sandflies.csv.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# sandfly_description is a column written by "Sandflies to Lookup File"; it is
# empty for events whose data.name is not in the lookup.
search = `sandfly_search` | dedup timestamp, header.hostname | lookup sandflies.csv sandfly_name as data.name | table timestamp header.hostname header.ip_addr sandfly_description

[Top 10 Sandflies over Time Range]
# Ad-hoc report: ten most frequent sandflies (by sandfly_title from sandflies.csv)
# over the last 24 hours, after de-duplicating on (timestamp, hostname).
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.statistics.show = 0
display.visualizations.charting.chart = bar
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` \
| dedup timestamp, header.hostname \
| lookup sandflies.csv sandfly_name as data.name \
| top limit=10 sandfly_title

[Sandflies to Lookup File]
# Hourly scheduled search (cron: minute 15) that writes its results to the
# sandflies.csv lookup (action.lookup). The columns it produces -- sandfly_active,
# sandfly_description, sandfly_name, sandfly_title, sandfly_type -- are what the
# "Count of Sandflies", "Events by Host with Description" and "Top 10 Sandflies"
# searches read back via `lookup sandflies.csv`.
# NOTE(review): the search window is only the last hour; confirm whether
# action.lookup.append is intended, otherwise sandflies not reported in that hour
# may be missing from the lookup after the next run.
action.lookup = 1
action.lookup.filename = sandflies.csv
action.webhook.enable_allowlist = 0
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 15 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# sandfly_title is the upper-cased name with underscores replaced by spaces.
search = `sandfly_search_sandflies`\
| dedup sandfly_info.name\
| eval sandfly_temp = upper('sandfly_info.name')\
| eval sandfly_title = replace(sandfly_temp, "_", " ")\
| table sandfly_info.active sandfly_info.description sandfly_info.name sandfly_title sandfly_info.type\
| rename sandfly_info.active as sandfly_active\
| rename sandfly_info.description as "sandfly_description"\
| rename sandfly_info.name as "sandfly_name"\
| rename sandfly_info.type as "sandfly_type"

[Sandfly TA Internal Errors]
# Ad-hoc troubleshooting search: log_error entries written by the Sandfly TA to
# the _internal index in the last 24 hours.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = index=_internal source="*ta_sandfly_security*" "*:log_error:*"

[Sandfly TA Internal Logs]
# Ad-hoc troubleshooting search: all Sandfly TA log lines from the _internal index
# in the last 24 hours (superset of "Sandfly TA Internal Errors").
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = index=_internal source="*ta_sandfly_security*"

[Audit Log Authentication Events]
# Ad-hoc report: counts Sandfly audit-log messages mentioning "login" or "SAML"
# over the last 7 days, grouped by the full message text.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_audit` audit_log.message="*login*" OR audit_log.message="*SAML*"\
| stats count by audit_log.message

[Scanning Error Log Alert]
# Hourly scheduled alert (cron: minute 30) over the last hour of Sandfly scanning
# errors; severity 4, fires when the result count is greater than 0. digest_mode = 0
# means one alert per result row; triggered alerts expire after 7 days.
action.webhook.enable_allowlist = 0
alert.digest_mode = 0
alert.expires = 7d
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 30 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# First rex: everything before the first ":" in error_msg becomes t_error_tag.
# Second rex: text after a ":" followed by whitespace becomes t_error_data, so a
# message without ": " after the tag yields an empty ErrorData column.
# TimeStamp is rendered with locale date/time (%x %r); sorting is still on _time.
search = `sandfly_search_errors`\
| rex field=error_log.error_msg "(?<t_error_tag>[^:]*)" \
| rex field=error_log.error_msg "[^:]:\s(?<t_error_data>.*)" \
| eval TimeStamp=strftime(_time,"%x %r") \
| sort - _time \
| table TimeStamp t_error_tag error_log.hostname error_log.ip_addr error_log.queue_name t_error_data \
| rename t_error_tag as ErrorType \
| rename error_log.hostname as HostName \
| rename error_log.ip_addr as IP_Address \
| rename error_log.queue_name as QueueName \
| rename t_error_data as ErrorData

[Username root UID But Not Root]
# Ad-hoc detection: user records with uid 0 whose username is not "root", i.e.
# additional superuser-equivalent accounts. No dispatch.earliest_time /
# dispatch.latest_time are set here, so the time range comes from the caller.
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.uid=0 AND data.results.user.username != "root"

[Logins by Username]
# Ad-hoc report: lastlog entries (recon_log_list_lastlog) over the last 30 days;
# columns are the lastlog username, uid, terminal and hostname. Only
# dispatch.earliest_time is set, so latest is taken from the caller.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_log_list_lastlog"\
| table _time data.results.log.lastlog.username data.results.log.lastlog.uid data.results.log.lastlog.terminal data.results.log.lastlog.hostname\
| rename data.results.log.lastlog.* as *

[Usernames with SSH Authorized Keys Present]
# Ad-hoc report: users (recon_user_list_all) that have an SSH authorized_keys file
# present, per host, over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.ssh.authorized_keys.present=true\
| table _time header.hostname header.ip_addr data.results.user.username data.results.user.ssh.authorized_keys.present\
| rename header.* as *\
| rename data.results.user.* as *

[Usernames with Password Hash Present]
# Ad-hoc report: users (recon_user_list_all) that have a password hash set, per
# host, over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.password.present=true \
| table _time header.hostname header.ip_addr data.results.user.username data.results.user.password.present\
| rename header.* as *\
| rename data.results.user.* as *

[Usernames with Blank Password Fields]
# Ad-hoc report: users (recon_user_list_all) whose password field is empty, per
# host, over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.password.empty=true\
| table _time header.hostname header.ip_addr data.results.user.username data.results.user.password.empty\
| rename header.* as *\
| rename data.results.user.* as *

[Usernames Valid Logins From Hostname]
# Ad-hoc chart: successful logins (recon_log_list_logins_valid) counted by the
# source hostname recorded in wtmp. No dispatch time range is set here.
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| stats count by data.results.log.wtmp.hostname

[Usernames Valid Logins by Username]
# Ad-hoc pie chart: successful logins (recon_log_list_logins_valid) counted by
# wtmp username over the last 7 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| stats count by data.results.log.wtmp.username

[Usernames Valid Logins Against Hostname]
# Ad-hoc pie chart: successful logins (recon_log_list_logins_valid) counted by the
# scanned host (header.hostname) over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| stats count by header.hostname
workload_pool = undefined

[Usernames Present on Host]
# Ad-hoc chart: count of user records (recon_user_list_all) by username over the
# last 7 days; the count reflects how many hosts/scans reported each name.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_user_list_all"\
| stats count by data.results.user.username

[Usernames Bad Logins From Hostname]
# Ad-hoc chart: failed logins (recon_log_list_logins_failed) counted by the
# source hostname recorded in btmp, over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| stats count by data.results.log.btmp.hostname

[Usernames Bad Logins By Username]
# Ad-hoc chart: failed logins (recon_log_list_logins_failed) counted by btmp
# username over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| stats count by data.results.log.btmp.username

[Usernames Bad Logins Against Hostname]
# Ad-hoc chart: failed logins (recon_log_list_logins_failed) counted by the
# scanned host (header.hostname) over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| stats count by header.hostname

[Username Password Hash Types]
# Ad-hoc pie chart: distribution of password hash types among users that have a
# hash set (recon_user_list_all, password.present=true) over the last 7 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.password.present=true\
| stats count by data.results.user.password.type
workload_pool = undefined

[Username Login Shells In Use]
# Ad-hoc chart: count of user records (recon_user_list_all) by login shell.
# No dispatch time range is set here.
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_user_list_all"\
| stats count by data.results.user.shell

[Username Logged In]
# Ad-hoc pie chart: currently logged-in users (recon_log_list_logged_in_users)
# counted by utmp username over the last 24 hours.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logged_in_users"\
| stats count by data.results.log.utmp.username

[User Successful Logins Over Time]
# Ad-hoc area chart: successful logins per day over the last 30 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
request.ui_dispatch_view = search
# _time is replaced by the wtmp record's created date (literal "Z" suffix) so the
# chart buckets by when the login happened, not when Sandfly reported it. The
# 30-day dispatch window still applies to the original event time.
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| eval _time=strptime('data.results.log.wtmp.date.created',"%Y-%m-%dT%H:%M:%SZ")\
| timechart count span=1d
workload_pool = undefined

[User Failed Logins Over Time]
# Ad-hoc area chart: failed logins per day over the last 30 days.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
request.ui_dispatch_view = search
# _time is replaced by the btmp record's created date so the chart buckets by when
# the failed attempt happened; the 30-day window applies to the original event time.
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| eval _time=strptime('data.results.log.btmp.date.created',"%Y-%m-%dT%H:%M:%SZ")\
| timechart count span=1d

[Processes With Network Ports Operating]
# Ad-hoc pie chart: processes (recon_process_list_all) reported with network
# ports operating, counted by process name, over the last 24 hours.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.network_ports.operating=true\
| stats count by data.results.process.name

[Processes With Network Ports Listening]
# Ad-hoc pie chart: processes (recon_process_list_all) reported with listening
# network ports, counted by process name. No dispatch time range is set here.
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.network_ports.listening=true\
| stats count by data.results.process.name
workload_pool = undefined

[Operating System Uptime in Days]
# Ad-hoc report: per-host uptime (days) and OS pretty name from os_identify
# results over the last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| table _time header.hostname header.ip_addr data.results.os.info.uptime_days data.results.os.info.os_release.pretty_name\
| rename header.* as *\
| rename data.results.os.info.* as *

[Operating System Product Name]
# Ad-hoc pie chart: os_identify results counted by DMI product name, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.dmi.product_name

[Operating System Machine Type]
# Ad-hoc pie chart: os_identify results counted by machine type, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.machine

[Operating System Linux Version]
# Ad-hoc pie chart: os_identify results counted by os.info.version, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.version

[Operating System Linux Kernel Release Version]
# Ad-hoc pie chart: os_identify results counted by kernel release, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.release

[Operating System CPU Model Name]
# Ad-hoc pie chart: os_identify results counted by CPU model name, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.cpu.model_name

[Operating System CPU Architecture]
# Ad-hoc pie chart: os_identify results counted by CPU architecture, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.arch

[Operating System Bogo MIPS Rating]
# Ad-hoc pie chart: os_identify results counted by BogoMIPS value, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.cpu.bogo_mips

[Operating System BIOS Version]
# Ad-hoc pie chart: os_identify results counted by DMI BIOS version, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.dmi.bios_version

[Operating System BIOS Vendor]
# Ad-hoc pie chart: os_identify results counted by DMI BIOS vendor, last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.dmi.bios_vendor

[At Jobs by Username]
# Ad-hoc pie chart: at(1) jobs (recon_process_persistence_at_jobs_list_all)
# counted by owning username over the last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_persistence_at_jobs_list_all"\
| stats count by data.results.atjob.username

[Crontabs by Username]
# Ad-hoc pie chart: crontab entries (recon_process_persistence_cron_list_all)
# counted by owning username over the last 30 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_persistence_cron_list_all"\
| stats count by data.results.cron.username

[Intrusion Detection Immutable Process Binary Running]
# Ad-hoc detection: running processes (recon_process_list_all) whose binary carries
# the immutable flag, with host, user and command, over the last 24 hours.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.flags.immutable=true\
| table _time header.hostname data.results.process.username data.results.process.command\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection High Entropy Process]
# Ad-hoc detection: running processes (recon_process_list_all) whose reported
# entropy is >= 7.5, over the last 24 hours. The threshold is hard-coded in the
# search; lower it to widen the net, raise it to reduce noise.
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.entropy>=7.5\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.entropy\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running As Sniffer]
# Ad-hoc detection: running processes (recon_process_list_all) holding any file
# descriptor whose class contains "packet", over the last 7 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# file_descriptors{}.class is a multivalue field (one value per descriptor); the
# secondary search matches if any value contains "packet".
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.file_descriptors{}.class="*packet*"\
| table _time header.hostname data.results.process.username data.results.process.command\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running From /dev/shm]
# Ad-hoc detection: running processes (recon_process_list_all) whose path starts
# with /dev/shm, over the last 7 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# Pattern has no trailing slash (unlike the "/tmp/*" form in the Temp Directory
# search), so it also matches any path that merely begins with "/dev/shm".
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.path="/dev/shm*"\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.path\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running from Public HTML Directory]
# Ad-hoc detection: running processes (recon_process_list_all) whose path contains
# "public_html" anywhere. No dispatch time range is set here.
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.path="*public_html*"\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.path\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running From Temp Directory]
# Ad-hoc detection: running processes (recon_process_list_all) whose path is under
# /tmp/ or /var/tmp/, over the last 7 days.
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.path="/tmp/*" OR data.results.process.path="/var/tmp/*"\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.path\
| rename header.* as *\
| rename data.results.* as *

# Raw ssh_key_details events for every key carrying the "Banned" tag, one event
# per key (dedup on friendly_name keeps the most recent report). The tag list is
# lifted out of key_tags{} with spath and matched exactly ("^Banned$") so a tag
# such as "Unbanned" does not count.
[SSH Hunter - Banned Keys Details]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# aaa_is_banned_key is kept as a visible 0/1 field on the surviving events.
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnotnull(mvfind(aaa_key_tags, "^Banned$")), 1, 0) \
| where aaa_is_banned_key=1

# Tabular report of banned SSH keys: friendly name, when the key was last seen
# (as reported, converted to local display time, and as an age), and how many
# hosts/users currently carry it. One row per key (dedup on friendly_name).
# The "(UTC)" label assumes the Sandfly last_seen string carries a zone that
# %Z parses; the "(Local Time)" column is strftime's rendering in the searching
# user's time zone.
[SSH Hunter - Banned Keys Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# The age pipeline (epoch -> seconds -> "D+HH:MM:SS" -> words) is one eval with
# comma-separated assignments evaluated left to right; all column renames are
# collapsed into a single rename. Output columns are unchanged.
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnotnull(mvfind(aaa_key_tags, "^Banned$")), 1, 0) \
| where aaa_is_banned_key=1 \
| eval aaa_key_tags_list=mvjoin(aaa_key_tags,", ") \
| rename ssh_key_details.last_seen as date_last_seen \
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z"), \
    local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S"), \
    time_diff = ceiling(now() - last_seen_epoch), \
    temp_duration = tostring(time_diff, "duration"), \
    key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| table ssh_key_details.friendly_name date_last_seen local_last_seen key_last_seen ssh_key_details.num_hosts_current ssh_key_details.num_users_current aaa_key_tags_list\
| rename ssh_key_details.friendly_name as "Friendly Name", \
    date_last_seen as "Date Last Seen (UTC)", \
    local_last_seen as "Date Last Seen (Local Time)", \
    key_last_seen as "Key Last Seen", \
    ssh_key_details.num_hosts_current as "Hosts", \
    ssh_key_details.num_users_current as "Users", \
    aaa_key_tags_list as "Key Tags"

# Banned SSH keys expanded to one row per host that currently holds the key.
# key_hosts{} is extracted as a multivalue, mvexpand'ed, and each host's JSON
# object is then re-parsed with spath so node_name / users_with_key /
# key_last_seen become top-level fields. The friendly name is copied to
# t_key_friendly_name before ssh_key_details.* is dropped, otherwise the
# per-host spath would collide with the parent key's fields.
[SSH Hunter - Banned Keys by Host Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# Keys with no current hosts are filtered in the same search command as the
# banned flag. Age computation and renames are each a single command.
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnotnull(mvfind(aaa_key_tags, "^Banned$")), 1, 0) \
| search aaa_is_banned_key=1 ssh_key_details.num_hosts_current>0 \
| spath output=aaa_key_hosts path=ssh_key_details.key_hosts{} \
| mvexpand aaa_key_hosts \
| eval t_key_friendly_name='ssh_key_details.friendly_name'\
| fields - ssh_key_details.*\
| spath input=aaa_key_hosts \
| eval last_seen_epoch = strptime(key_last_seen, "%Y-%m-%dT%H:%M:%S%Z"), \
    local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S"), \
    time_diff = ceiling(now() - last_seen_epoch), \
    temp_duration = tostring(time_diff, "duration"), \
    t_key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| table t_key_friendly_name node_name os_info_os_release_pretty_name users_with_key key_last_seen local_last_seen t_key_last_seen \
| rename t_key_friendly_name as "Friendly Name", \
    node_name as "Host Name", \
    os_info_os_release_pretty_name as "OS Release", \
    users_with_key as "Users", \
    key_last_seen as "Date Last Seen (UTC)", \
    local_last_seen as "Date Last Seen (Local Time)", \
    t_key_last_seen as "Key Last Seen"

# Banned SSH keys expanded to one row per user account that currently holds the
# key. Mirrors the by-host report: key_users{} is extracted, mvexpand'ed, and
# each user object re-parsed with spath after the parent ssh_key_details.*
# fields are dropped (friendly name preserved in t_key_friendly_name).
[SSH Hunter - Banned Keys by User Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# Banned flag and num_users_current>0 are applied in one search command.
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnotnull(mvfind(aaa_key_tags, "^Banned$")), 1, 0) \
| search aaa_is_banned_key=1 ssh_key_details.num_users_current>0 \
| spath output=aaa_key_users path=ssh_key_details.key_users{} \
| mvexpand aaa_key_users \
| eval t_key_friendly_name='ssh_key_details.friendly_name'\
| fields - ssh_key_details.*\
| spath input=aaa_key_users\
| eval last_seen_epoch = strptime(key_last_seen, "%Y-%m-%dT%H:%M:%S%Z"), \
    local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S"), \
    time_diff = ceiling(now() - last_seen_epoch), \
    temp_duration = tostring(time_diff, "duration"), \
    t_key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| table t_key_friendly_name username hosts_with_key key_last_seen local_last_seen t_key_last_seen \
| rename t_key_friendly_name as "Friendly Name", \
    username as "User Name", \
    hosts_with_key as "Hosts", \
    key_last_seen as "Date Last Seen (UTC)", \
    local_last_seen as "Date Last Seen (Local Time)", \
    t_key_last_seen as "Key Last Seen"

# Banned SSH keys expanded to one row per zone entry, showing whether the key is
# permitted in that zone and how many hosts are in violation. Empty zone
# entries (zero-length after mvexpand) are discarded before the per-zone spath.
[SSH Hunter - Banned Keys by Zone Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# The zone-length check is done inline in where; the helper field is not needed
# since table restricts the output columns anyway.
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnotnull(mvfind(aaa_key_tags, "^Banned$")), 1, 0) \
| where aaa_is_banned_key=1 \
| spath output=aaa_key_zones path=ssh_key_details.key_zones{} \
| mvexpand aaa_key_zones \
| where len(aaa_key_zones)>0 \
| eval t_key_friendly_name='ssh_key_details.friendly_name' \
| fields - ssh_key_details.* \
| spath input=aaa_key_zones \
| table t_key_friendly_name name description hosts_count key_permitted permitted_keys_count violation_host_count \
| rename t_key_friendly_name as "Friendly Name", \
    name as "Zone", \
    description as "Description", \
    hosts_count as "Zone Hosts", \
    key_permitted as "Key Permitted", \
    permitted_keys_count as "Permitted Keys", \
    violation_host_count as "Violation Hosts"

# Scheduled daily (06:00) alert: fires when at least one banned SSH key was
# reported in the last day, and renders a summary table (hosts, hosts with
# alerts, zone violations, users, permitted zones, tags) for the alert payload.
# NOTE(review): alert.severity = 1 is Splunk's lowest level, while the scan-gap
# alert "Hosts Last Scan Older Than Last Seen" uses 4; a banned key still
# present on hosts is arguably at least as significant. Left unchanged here.
[SSH Hunter - Banned Keys Daily Report]
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.severity = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnotnull(mvfind(aaa_key_tags, "^Banned$")), 1, 0), \
    aaa_key_tags_list=mvjoin(aaa_key_tags,", ") \
| where aaa_is_banned_key=1 \
| table ssh_key_details.friendly_name ssh_key_details.last_seen ssh_key_details.num_hosts_current ssh_key_details.num_hosts_with_alerts ssh_key_details.zone_violation_hosts ssh_key_details.num_users_current ssh_key_details.permitted_zones_count aaa_key_tags_list\
| rename ssh_key_details.friendly_name as "Friendly Name", \
    ssh_key_details.last_seen as "Date Last Seen (UTC)", \
    ssh_key_details.num_hosts_current as "Hosts (Current)", \
    ssh_key_details.num_hosts_with_alerts as "Hosts with Alerts", \
    ssh_key_details.zone_violation_hosts as "Zone Violations", \
    ssh_key_details.num_users_current as "Users (Current)", \
    ssh_key_details.permitted_zones_count as "Permitted Zones", \
    aaa_key_tags_list as "Key Tags"

# Hosts Sandfly currently marks inactive, one row per host_id, with their auth
# status and credential id so disabled/unreachable hosts can be reconciled
# against the inventory. A missing, empty or literal "null" last-scan date is
# shown as "N/A".
[Inactive Hosts Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# The copy and the N/A normalisation of date_last_scan are one eval; the
# second assignment sees the first one's result.
search = `sandfly_search_hosts_summary` host_summary.active="false" \
| dedup "host_summary.host_id" \
| eval date_last_scan='host_summary.date_last_scan', \
    date_last_scan=if(isnull(date_last_scan) OR len(date_last_scan)==0 OR date_last_scan=="null", "N/A", date_last_scan) \
| table host_summary.hostname host_summary.os_info_os_release_pretty_name host_summary.active host_summary.tags{} host_summary.jump_hosts{} host_summary.authentication_status host_summary.credentials_id date_last_scan\
| rename host_summary.hostname as "Target Address", \
    host_summary.os_info_os_release_pretty_name as "OS", \
    host_summary.active as "Active", \
    host_summary.tags{} as "Tags", \
    host_summary.jump_hosts{} as "Jump Hosts", \
    host_summary.authentication_status as "Auth Status", \
    host_summary.credentials_id as "Credential", \
    date_last_scan as "Last Scan"

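# Active hosts ordered by how long ago Sandfly last scanned them, longest-unscanned
# first, so coverage gaps surface at the top. One row per host_id.
#
# Fix: the report previously sorted on host_last_scan, which is a rendered string
# ("N days HH hours MM minutes"); that sorts lexicographically, so "10 days" lands
# before "2 days". The sort now uses the numeric time_diff (seconds) and runs
# before table drops it. Output columns are unchanged.
[Active Hosts Report by Last Scan Date]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts_summary` host_summary.active="true"\
| dedup "host_summary.host_id" \
| rename host_summary.date_last_scan as date_last_scan\
| eval last_scan_epoch = strptime(date_last_scan, "%Y-%m-%dT%H:%M:%S%Z") \
| eval time_diff = ceiling(now() - last_scan_epoch) \
| eval temp_duration = tostring(time_diff, "duration") \
| eval host_last_scan=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes") \
| sort - time_diff\
| table host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_node host_summary.os_info_os_release_pretty_name date_last_scan host_last_scan\
| rename host_summary.hostname as "Target Address"\
| rename host_summary.last_seen_ip_addr as "IP Address"\
| rename host_summary.os_info_node as "Hostname"\
| rename host_summary.os_info_os_release_pretty_name as "OS"\
| rename date_last_scan as "Date Last Scan (UTC)"\
| rename host_last_scan as "Host Last Scan"
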
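# Scheduled daily (06:00) alert: fires when any active host has not been scanned
# for more than 24 hours (time_diff in seconds > 86400). Unscanned hosts are
# blind spots for the intrusion-detection searches in this app, so the alert
# payload lists them longest-unscanned first.
#
# Fix: sorting was on host_last_scan, a rendered string, which orders
# lexicographically ("10 days" before "2 days"). The sort now uses the numeric
# time_diff and runs before table removes it. Output columns are unchanged.
[Hosts Last Scan Greater Than 24 Hours Ago]
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts_summary` host_summary.active="true"\
| dedup "host_summary.host_id" \
| rename host_summary.date_last_scan as date_last_scan\
| eval last_scan_epoch = strptime(date_last_scan, "%Y-%m-%dT%H:%M:%S%Z") \
| eval time_diff = ceiling(now() - last_scan_epoch) \
| search time_diff > 86400\
| eval temp_duration = tostring(time_diff, "duration") \
| eval host_last_scan=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes") \
| sort - time_diff\
| table host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_node host_summary.os_info_os_release_pretty_name date_last_scan host_last_scan\
| rename host_summary.hostname as "Target Address"\
| rename host_summary.last_seen_ip_addr as "IP Address"\
| rename host_summary.os_info_node as "Hostname"\
| rename host_summary.os_info_os_release_pretty_name as "OS"\
| rename date_last_scan as "Date Last Scan (UTC)"\
| rename host_last_scan as "Host Last Scan"
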
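# Scheduled daily (06:00) alert: active hosts whose date_last_seen is newer than
# date_last_scan, i.e. Sandfly has seen the host since its last successful scan
# but has not scanned it again (time_diff = last_seen - last_scan, in seconds,
# > 0). Such hosts are being observed but not inspected, which is why this alert
# carries severity 4.
#
# Fix: sorting was on host_last_scan, a rendered "N days HH hours MM minutes"
# string, which orders lexicographically. time_diff is already a table column,
# so the sort now uses it directly; largest gap first. Output columns unchanged.
[Hosts Last Scan Older Than Last Seen]
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts_summary` host_summary.active="true"\
| dedup "host_summary.host_id" \
| rename host_summary.date_last_scan as date_last_scan\
| rename host_summary.date_last_seen as date_last_seen\
| eval last_scan_epoch = strptime(date_last_scan, "%Y-%m-%dT%H:%M:%S%Z") \
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z")\
| eval time_diff = ceiling(last_seen_epoch - last_scan_epoch) \
| search time_diff > 0\
| eval temp_duration = tostring(time_diff, "duration") \
| eval host_last_scan=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes") \
| table host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_node host_summary.os_info_os_release_pretty_name date_last_scan date_last_seen host_last_scan time_diff\
| sort - time_diff\
| rename host_summary.hostname as "Target Address"\
| rename host_summary.last_seen_ip_addr as "IP Address"\
| rename host_summary.os_info_node as "Hostname"\
| rename host_summary.os_info_os_release_pretty_name as "OS"\
| rename date_last_scan as "Date Last Scan (UTC)"\
| rename date_last_seen as "Date Last Seen (UTC)"\
| rename host_last_scan as "Host Last Scan Difference"
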
# Successful logins to the Sandfly server itself, counted per username over the
# last 7 days (most active account first). Useful as a baseline for spotting an
# unexpected administrative account or an unusual spike for a known one.
[Sandfly Server - Logins by Username]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
# Matches on the audit message text "successful login" from the audit log source.
search = `sandfly_search_audit` audit_log.message="successful login"\
| stats count AS count BY audit_log.username\
| sort -count
