Skip to content

Instantly share code, notes, and snippets.

@Deborah-Digges

Deborah-Digges/README.md

Last active August 11, 2020 18:46
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Deborah-Digges/011e349accbc4c5185fb74a781cb3b71 to your computer and use it in GitHub Desktop.
Save Deborah-Digges/011e349accbc4c5185fb74a781cb3b71 to your computer and use it in GitHub Desktop.
Download ZIP
Send logs to Splunk
Raw
README.md

Hacky script to send a bunch of logs to splunk directly

Currently, we don't have a tool that can send

  • a specific set of logs
  • with the right shape
  • to a tenant
  • in any environment

We have a bunch of separate tools that do different parts of this. We need a way to consolidate this functionality into fox-cli.

Raw
script.js
const logs = require("./security-logs");
const mappedlogs = logs.map(log => JSON.stringify({ event: log })).join('\n');
const endpoint = "https://prd-p-qw9p9.splunkcloud.com:8088/services/collector/event"; // https://localhost:8088/services/collector/event for local
const code = "YOUR-HEC-CODE";
console.log(`curl -k -H "Authorization: Splunk ${code}" ${endpoint} -d '${mappedlogs}'`)
Raw
security-logs.js
module.exports = [{
log_id: '90020200713210545393000823903627644987691646458750042114',
data: {
date: '2020-07-13T21:05:40.432Z',
type: 's',
connection: 'Username-Password-Authentication',
connection_id: 'con_oLIdHByO0DTEPJ6u',
client_id: 'l87BhM2D7sCdX6e3WWwpf6Fk5d19LjBi',
client_name: 'My App',
ip: '2607:f2c0:e009:e705:4514:77da:876c:954',
user_agent:
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
details: {
prompts: [
{
name: 'lock-password-authenticate',
initiatedAt: 1594674178493,
completedAt: 1594674178756,
connection: 'Username-Password-Authentication',
connection_id: 'con_oLIdHByO0DTEPJ6u',
strategy: 'auth0',
identity: '5f0ccc02d86d8c0013f0e7da',
stats: {
loginsCount: 1
},
session_user: '5f0ccc026be0ee0019508f75',
elapsedTime: 263
},
{
name: 'login',
flow: 'login',
initiatedAt: 1594674169575,
completedAt: 1594674178761,
user_id: 'auth0|5f0ccc02d86d8c0013f0e7da',
user_name: 'example@email.com',
elapsedTime: 9186
},
{
name: 'mfa',
flow: 'mfa',
initiatedAt: 1594674178937,
completedAt: 1594674338961,
performed_acr: ['http://schemas.openid.net/pape/policies/2007/06/multi-factor'],
performed_amr: ['mfa'],
provider: 'guardian',
elapsedTime: 160024
},
{
name: 'consent',
flow: 'consent',
initiatedAt: 1594674338983,
completedAt: 1594674340410,
grantInfo: {
id: '5f0ccca45a0faf0965ca1136',
audience: 'https://test.com/api/v2/',
scope: 'openid profile email',
expiration: null
},
elapsedTime: 1427
}
],
initiatedAt: 1594674169572,
completedAt: 1594674340431,
elapsedTime: 170859,
session_id: 'CFobLuzAhGihGtOQGHzh4Z-ZOdQNvW8L',
stats: {
loginsCount: 1
}
},
hostname: 'test.com',
user_id: 'auth0|5f0ccc02d86d8c0013f0e7da',
user_name: 'email@email.com',
strategy: 'auth0',
strategy_type: 'database',
log_id: '90020200713210545393000823903627644987691646458750042114'
}
},
{
log_id: "900202001014530000000000000000000000000001",
data: {
"date": "2019-04-17T17:00:00.819Z",
"type": "scoa",
"connection": "fa6438a2f3fded4a737c70d2b928f6b3bd673c23",
"connection_id": "con_666ec6dfffe3b44744746109930d6ebbf79b9a15",
"client_id": "ea94027ecbfde8f69fcc8eb22da4d2e3d4dd2965",
"client_name": "c72fb2ec553fc3a88404a10d59ea695b830d2ab7",
"ip": "123.123.123.123",
"user_agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
"details": {
"prompts": {
"0": {
"name": "coverify",
"session": true,
"stats": {
"loginsCount": 103
},
"connection": "fa6438a2f3fded4a737c70d2b928f6b3bd673c23",
"timers": {
"rules": 358
},
"elapsedTime": null
}
},
"completedAt": 1555520400817,
"elapsedTime": null,
"stats": {
"loginsCount": 103
}
},
"hostname": "login.example.com",
"user_id": "auth0|52d546e5aad4510f7ec8b856ba223a6e02ff0117c",
"user_name": "abc123@example.com",
"auth0_client": {
"name": "lock.js",
"version": "11.0.1",
"lib_version": "9.0.1"
},
"_id": "900202001014530000000000000000000000000001",
"timestamp": "20190417170000820755868406",
"tenant": "tenant-name-f5954b"
}
},{
data: {
"date": "2020-04-05T11:29:50.611Z",
"type": "sens",
"description": "",
"connection": "apple",
"connection_id": "con_HjLJnmVNx3F5T356",
"client_id": "RDVvMzpYiHGAmW4YgvZAorj8q6DunuEg",
"client_name": "iOS",
"ip": "123.123.123.123",
"user_agent": "AmazonAPIGateway_h5js6m54v8",
"details": {
"device_id": "v0:c22e4810-7730-11ea-b49b-4729bb82bf92",
"subject_token_type": "http://auth0.com/oauth/token-type/apple-authz-code"
},
"user_id": "apple|001325.6aaa3c634f3949d4bf6cbff67b20fbe8.1129",
"user_name": "abc123@example.com",
"audience": "https://audience.com/endpoint",
"scope": "openid offline_access",
"_id": "900202001014530000000000000000000000000001",
"timestamp": "20200405112950611522768114",
"tenant": "example"
},
"log_id": "900202001014530000000000000000000000000001"
}, {
data: {
date: '2020-07-15T19:30:19.383Z',
type: 'fu',
description: 'Wrong email or password.',
connection: 'Username-Password-Authentication',
connection_id: 'con_oLIdHByO0DTEPJ6u',
client_id: 'cvU2mw3uWQmpSh9oByrJOFU6kqUa0EPq',
client_name: 'All Applications',
ip: '2607:f2c0:e009:e705:2c35:f970:7b4f:84c3',
user_agent: 'Chrome 83.0.4103 / Mac OS X 10.14.5',
details: {
error: {
message: 'Wrong email or password.'
}
},
user_id: '',
user_name: 'link',
strategy: 'auth0',
strategy_type: 'database',
log_id: '90020200715193021289000966699109317894885324014974140418',
_id: '90020200715193021289000966699109317894885324014974140418',
isMobile: false
},
log_id: '90020200715193021289000966699109317894885324014974140418',
},
{
data: {date: '2019-04-17T17:00:02.962Z',
type: 'ss',
connection: 'e6c3d528dc2bf8e2c6c9fd9e40d7aabdbb146e5c',
connection_id: 'con_f8a5a56b1f4e73b25de96eed2fb6760c87d77eff',
client_id: 'db213f14de8d8401ecc373fedcdfd77b7d2acc0a',
client_name: '75d13fec3243ac04b4923f397ae53cb6c640d4a8',
ip: '123.123.123.123',
user_agent:
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36',
details: {
prompts: {
'0': {
name: 'oauth2-authenticate',
initiatedAt: 1555519972507,
completedAt: 1555520184914,
connection: 'e6c3d528dc2bf8e2c6c9fd9e40d7aabdbb146e5c',
connection_id: 'con_f8a5a56b1f4e73b25de96eed2fb6760c87d77eff',
strategy: 'oauth2',
identity: 'NVIDIA|229912136289092063',
stats: {
loginsCount: 1
},
elapsedTime: 212407
},
'1': {
name: 'login',
flow: 'login',
initiatedAt: 1555519957453,
completedAt: 1555520184923,
timers: {
rules: 741
},
user_id: 'oauth2|N1031858594861f1418699df94cc4ece8f1a2e23a',
user_name: 'abc123@example.com',
elapsedTime: 227470
},
'2': {
name: 'redirect',
flow: 'redirect',
initiatedAt: 1555520185684,
completedAt: 1555520402888,
timers: {
rules: 45
},
url: 'https://example.com/37dbd3',
elapsedTime: 217204
}
},
initiatedAt: 1555519957451,
completedAt: 1555520402960,
elapsedTime: 445509,
session_id: '197a6a67c6fd9ad4dc56045d0f51a3afb67930ec'
},
hostname: 'login.example.com',
user_id: 'oauth2|N1031858594861f1418699df94cc4ece8f1a2e23a',
user_name: 'abc123@example.com',
strategy: 'oauth2',
strategy_type: 'social',
log_id: '900202001014970000000000000000000000000001',
timestamp: '20190417170002963228370890',
tenant: 'tenant-name-4f6fb6',
eventType: 'user.signup'
},
log_id: '900202001014970000000000000000000000000001'
}, {
data: {
"date": "2019-04-17T17:00:08.729Z",
"type": "limit_wc",
"description": "User (abc123@example.com) attempted 10 consecutive logins unsuccessfully. Brute force protection is enabled for this connection, further attempts are blocked from this IP address for this user",
"connection": "fa6438a2f3fded4a737c70d2b928f6b3bd673c23",
"connection_id": "con_c64d8a69328ea4f9a6aaed313fc77594861a02c6",
"client_id": "646624fef630d10cc62aed29b985501641d375ed",
"ip": "123.123.123.123",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15",
"hostname": "login.example.com",
"user_id": "",
"user_name": "abc123@example.com",
"strategy": "auth0",
"strategy_type": "database",
"auth0_client": {
"name": "lock.js",
"version": "11.12.1",
"lib_version": {
"raw": "9.8.2"
}
},
"_id": "900202001014010000000000000000000000000001",
"timestamp": "20190417170008730866332119",
"tenant": "tenant-name-33e11f"
},
log_id: "900202001014010000000000000000000000000001"
}, {
data: {
"date": "2019-04-17T17:00:02.977Z",
"type": "limit_mu",
"description": "Someone behind the IP address: 123.123.123.123 attempted too many consecutive logins with different usernames. A shield to prevent this attack is enabled, further attempts are blocked from this IP address.",
"connection": "fa6438a2f3fded4a737c70d2b928f6b3bd673c23",
"connection_id": "con_f8eff3c2197688edcef9a4bce4bda933c8fcdff8",
"client_id": "213d12db4f44f39d627d60ac07fe27eb48f4b659",
"ip": "123.123.123.123",
"user_agent": "okhttp/2.7.5",
"hostname": "login.example.com",
"user_id": "",
"user_name": "abc123@example.com",
"strategy": "auth0",
"strategy_type": "database",
"_id": "900202001015900000000000000000000000000001",
"timestamp": "20190417170002977913144913",
"tenant": "tenant-name-232edd"
},
log_id: "900202001015900000000000000000000000000001"
}, {
data: {
"date": "2019-04-17T17:00:03.649Z",
"type": "pwd_leak",
"description": "Someone behind the IP address: 123.123.123.123 attempted to login with a leaked password. Turn on the \"block\" action for \"Breached Password Detection\" in the Anomaly Detection section.",
"connection": "fa6438a2f3fded4a737c70d2b928f6b3bd673c23",
"connection_id": "con_f8eff3c2197688edcef9a4bce4bda933c8fcdff8",
"client_id": "213d12db4f44f39d627d60ac07fe27eb48f4b659",
"ip": "123.123.123.123",
"user_agent": "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00",
"hostname": "login.example.com",
"user_id": "",
"user_name": "abc123@example.com",
"strategy": "auth0",
"strategy_type": "database",
"_id": "900202001012100000000000000000000000000001",
"timestamp": "20190417170003650206156663",
"tenant": "tenant-name-232edd"
},
log_id: "900202001015900000000000000000000000000001"
}]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment