├── .github └── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── feature_request.md │ └── question.md ├── 00_create_instance.sh ├── 01_deploy.sh ├── 02_update_rules.sh ├── 99_cleanup_all.sh ├── Licence ├── README.md ├── S1EM-promiscuous.service ├── arkime ├── config-multi.ini ├── config-single.ini └── scripts │ ├── add-user.sh │ ├── capture.sh │ ├── config.sh │ ├── flags │ ├── conf_arkime │ └── init_db │ ├── import.sh │ ├── init-db-multi.sh │ ├── init-db-single.sh │ └── viewer.sh ├── auditbeat ├── auditbeat-multi.yml ├── auditbeat-single.yml └── ilm.json ├── cortex ├── Capa.json ├── Elasticsearch_Domain.json ├── Elasticsearch_Hash.json ├── Elasticsearch_IP.json ├── MISP.json ├── Mwdb.json ├── OTXQuery.json ├── OpenCTI_SearchObservables.json ├── Yara.json ├── application-multi.conf ├── application-single.conf └── cacerts ├── docker-compose-multi.yml ├── docker-compose-single.yml ├── elastalert └── elastalert.yaml ├── env.sample ├── filebeat ├── filebeat-multi.yml ├── filebeat-single.yml ├── ilm.json └── modules.d │ ├── osquery.yml │ ├── suricata.yml │ ├── system.yml │ ├── threatintel.yml │ ├── traefik.yml │ └── zeek.yml ├── heartbeat ├── heartbeat-multi.yml ├── heartbeat-single.yml ├── ilm.json └── monitors.d │ ├── arkime.yml │ ├── auditbeat.yml │ ├── cassandra.yml │ ├── codimd.yml │ ├── cortex.yml │ ├── cyberchef.yml │ ├── es01.yml │ ├── es02.yml │ ├── es03.yml │ ├── filebeat.yml │ ├── homer.yml │ ├── internet.yml │ ├── logstash.yml │ ├── metricbeat.yml │ ├── minio.yml │ ├── misp-modules.yml │ ├── misp.yml │ ├── mwdb.yml │ ├── mysql.yml │ ├── n8n.yml │ ├── opencti.yml │ ├── postgres.yml │ ├── rabbitmq.yml │ ├── redis.yml │ ├── spiderfoot.yml │ ├── thehive.yml │ ├── upload.yml │ ├── velociraptor-upload.yml │ ├── velociraptor.yml │ └── zircolite.yml ├── homer ├── additional-page.yml.dist ├── config.yml ├── config.yml.dist ├── config.yml.dist.sample-sui ├── custom.css.sample ├── icons │ ├── arkime.png │ ├── assemblyline.png │ ├── attck.png │ ├── codimd.jpg │ ├── cortex.png │ 
├── cyberchef.jpg │ ├── evtx.png │ ├── favicon-16x16.png │ ├── favicon-32x32.png │ ├── icon-any.png │ ├── icon-any.svg │ ├── icon-maskable.png │ ├── kibana-security.png │ ├── kibana.png │ ├── misp.png │ ├── mwdb.png │ ├── n8n.png │ ├── opencti.png │ ├── pcap.png │ ├── s1em.ico │ ├── s1em.png │ ├── safari-pinned-tab.svg │ ├── spiderfoot.png │ ├── startme.png │ ├── thehive.png │ ├── velociraptor.png │ ├── zip.png │ └── zircolite.png ├── manifest.json └── tools │ ├── sample.png │ └── sample2.png ├── instances-multi.yml ├── instances-single.yml ├── kibana ├── dashboard │ ├── elastic-siem.ndjson │ ├── suricata-ecs.ndjson │ ├── winlogbeat-ecs.ndjson │ └── zircolite.ndjson ├── index │ ├── cortex.ndjson │ ├── signal.ndjson │ └── zircolite.ndjson ├── kibana.yml └── node.options ├── logstash ├── config │ ├── jvm.options │ ├── logstash.yml │ └── pipelines.yml ├── pipeline │ ├── beats │ │ ├── 100_input_beats.conf │ │ └── 300_output_beats.conf │ └── zircolite │ │ ├── 100_input_zircolite.conf │ │ ├── 200_filter_zircolite.conf │ │ └── 300_output_zircolite.conf └── templates │ └── winlogbeat ├── metricbeat ├── ilm.json ├── metricbeat-multi.yml ├── metricbeat-single.yml └── modules.d │ ├── beats-xpack.yml │ ├── docker.yml │ ├── elasticsearch-xpack.yml │ ├── kibana-xpack.yml │ ├── logstash-xpack.yml │ ├── rabbitmq.yml │ └── redis.yml ├── misp └── config.php ├── mwdb ├── gen_vars.sh └── karton.ini ├── mysql └── databases.sql ├── n8n ├── S1EM_TheHive.json └── user.json ├── postgres └── databases.sh ├── redis └── redis.conf ├── replay └── replay.sh ├── rules ├── elastalert │ ├── endpoint.yml │ ├── filebeat.yml │ ├── suricata.yml │ ├── winlogbeat.yml │ └── zeek.yml ├── elastic │ └── suricata-rules.ndjson ├── suricata │ ├── 3coresec.rules │ ├── BSD-License.txt │ ├── LICENSE │ ├── botcc.portgrouped.rules │ ├── botcc.rules │ ├── ciarmy.rules │ ├── classification.config │ ├── compromised-ips.txt │ ├── compromised.rules │ ├── drop.rules │ ├── dshield.rules │ ├── emerging-activex.rules │ ├── 
emerging-adware_pup.rules │ ├── emerging-attack_response.rules │ ├── emerging-chat.rules │ ├── emerging-coinminer.rules │ ├── emerging-current_events.rules │ ├── emerging-deleted.rules │ ├── emerging-dns.rules │ ├── emerging-dos.rules │ ├── emerging-exploit.rules │ ├── emerging-exploit_kit.rules │ ├── emerging-ftp.rules │ ├── emerging-games.rules │ ├── emerging-hunting.rules │ ├── emerging-icmp.rules │ ├── emerging-icmp_info.rules │ ├── emerging-imap.rules │ ├── emerging-inappropriate.rules │ ├── emerging-info.rules │ ├── emerging-ja3.rules │ ├── emerging-malware.rules │ ├── emerging-misc.rules │ ├── emerging-mobile_malware.rules │ ├── emerging-netbios.rules │ ├── emerging-p2p.rules │ ├── emerging-phishing.rules │ ├── emerging-policy.rules │ ├── emerging-pop3.rules │ ├── emerging-rpc.rules │ ├── emerging-scada.rules │ ├── emerging-scan.rules │ ├── emerging-shellcode.rules │ ├── emerging-smtp.rules │ ├── emerging-snmp.rules │ ├── emerging-sql.rules │ ├── emerging-telnet.rules │ ├── emerging-tftp.rules │ ├── emerging-user_agents.rules │ ├── emerging-voip.rules │ ├── emerging-web_client.rules │ ├── emerging-web_server.rules │ ├── emerging-web_specific_apps.rules │ ├── emerging-worm.rules │ ├── gpl-2.0.txt │ ├── local.rules │ ├── sid-msg.map │ ├── suricata-5.0-enhanced-open.txt │ ├── threatview_CS_c2.rules │ └── tor.rules └── yara │ └── index_gen.sh ├── sigma.yml ├── sigma ├── backend.yml └── dockerfile ├── suricata ├── suricata.yaml └── threshold.config ├── thehive ├── Dashboards │ ├── alerts.json │ ├── case.json │ ├── jobs.json │ └── observable.json ├── Imports │ ├── Alert_statistics.json │ ├── Case_statistics.json │ ├── Job_statistics.json │ └── Observable_statistics.json └── application.conf ├── traefik ├── dyn.toml └── traefik.toml └── zeek └── config.zeek /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a bug report to help us improve S1EM 4 | 
title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## Description 11 | 12 | 13 | 14 | ## Environment 15 | 16 | 1. OS (where S1EM server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. } 17 | 2. S1EM version: { e.g. S1EM 1.0.2 } 18 | 4. Other environment details: 19 | 20 | ## Reproducible Steps 21 | 22 | Steps to create the smallest reproducible scenario: 23 | 1. { e.g. Run ... } 24 | 2. { e.g. Click ... } 25 | 3. { e.g. Error ... } 26 | 27 | ## Expected Output 28 | 29 | 30 | 31 | ## Actual Output 32 | 33 | 34 | 35 | ## Additional information 36 | 37 | 38 | 39 | ## Screenshots (optional) -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Ask for a new feature to be implemented in S1EM 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## Use case 11 | 12 | 13 | 14 | ## Current Workaround 15 | 16 | 17 | 18 | ## Proposed Solution 19 | 20 | 21 | 22 | ## Additional Information 23 | 24 | 25 | 26 | ## If the feature request is approved, would you be willing to submit a PR? 27 | 28 | Yes / No (Help can be provided if you need assistance submitting a PR) -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: Ask a question concerning S1EM 4 | title: '' 5 | labels: question 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## Prerequisites 11 | 12 | - [ ] I read the [S1EM WIKI](https://github.com/V1D1AN/S1EM/wiki) S1EM documentation as well as the [Troubleshooting](https://github.com/V1D1AN/S1EM/wiki/Troubleshooting-Guide) page and didn't find anything relevant to my problem. 
13 | - [ ] I went through old GitHub issues and couldn't find anything relevant 14 | - [ ] I googled the issue and didn't find anything relevant 15 | 16 | ## Description 17 | 18 | 19 | 20 | ## Environment 21 | 22 | 1. OS (where S1EM server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. } 23 | 2. S1EM version: { e.g. S1EM 1.0.2 } 24 | 4. Other environment details: 25 | 26 | ## Reproducible Steps 27 | 28 | Steps to create the smallest reproducible scenario: 29 | 1. { e.g. Run ... } 30 | 2. { e.g. Click ... } 31 | 3. { e.g. Error ... } 32 | 33 | ## Additional information 34 | 35 | -------------------------------------------------------------------------------- /00_create_instance.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "$EUID" -ne 0 ] 4 | then echo "Please run as root" 5 | exit 6 | fi 7 | echo "##########################################" 8 | echo "########## CHECK PREREQUISITE ############" 9 | echo "##########################################" 10 | echo 11 | echo 12 | command_exists () { 13 | command -v $1 >/dev/null 2>&1; 14 | } 15 | if ! command_exists docker; 16 | then 17 | echo "Please install docker" 18 | exit 19 | else 20 | echo "docker installed" 21 | fi 22 | if ! command_exists curl 23 | then 24 | echo "Please install curl" 25 | exit 26 | else 27 | echo "curl installed" 28 | fi 29 | if ! command_exists jq 30 | then 31 | echo "Please install jq" 32 | exit 33 | else 34 | echo "jq installed" 35 | fi 36 | if ! command_exists ifconfig 37 | then 38 | echo "Please install ifconfig" 39 | exit 40 | else 41 | echo "ifconfig installed" 42 | fi 43 | if ! command_exists netstat 44 | then 45 | echo "Please install netstat" 46 | exit 47 | else 48 | echo "netstat installed" 49 | fi 50 | if ! command_exists openssl 51 | then 52 | echo "Please install openssl" 53 | exit 54 | else 55 | echo "openssl installed" 56 | fi 57 | if ! 
command_exists rsync 58 | then 59 | echo "Please install rsync" 60 | exit 61 | else 62 | echo "rsync installed" 63 | fi 64 | motif="vm.max_map_count" 65 | file="/etc/sysctl.conf" 66 | for file in "${file[@]}" 67 | do 68 | if grep -q "$motif" "$file"; then 69 | echo "The pattern '$motif' is present in the $file." 70 | else 71 | echo "The pattern '$motif' is not present in the $file." 72 | exit 1 73 | fi 74 | done 75 | echo 76 | echo 77 | echo "##########################################" 78 | echo "######### CONFIGURING INSTANCE ###########" 79 | echo "##########################################" 80 | echo 81 | echo 82 | read -p "Enter instance name (no subdirectory name) [ex: production]: " name 83 | name=${name:-production} 84 | 85 | 86 | SCRIPTDIR="$(pwd)" 87 | # set WORKDIR 88 | WORKDIR="${SCRIPTDIR}/$name" 89 | if [[ ! -d $WORKDIR ]] 90 | then 91 | sudo echo "###### DEPLOY INSTANCE #######" 92 | rsync -r ./ $WORKDIR 93 | sleep 5 94 | cd $WORKDIR 95 | echo "INSTANCE=$name" >> env.sample 96 | sudo bash 01_deploy.sh 97 | cd .. 
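98 | else 99 | echo "directory/instance name found, deployment stopped" 100 | fi -------------------------------------------------------------------------------- /02_update_rules.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Refresh the detection content of a running S1EM instance:
#   1. Suricata rules, updated inside the suricata container;
#   2. YARA signatures for Cortex, pulled from malpedia/signator-rules;
#   3. the Sigma image, rebuilt from sigma.yml.
# Run as root from the instance directory (the one holding rules/ and sigma.yml).
if [ "$EUID" -ne 0 ]
then echo "Please run as root"
exit 1
fi
echo "##########################################"
echo "######## UPDATE SURICATA RULES ###########"
echo "##########################################"
echo
docker exec -ti suricata suricata-update update-sources
docker exec -ti suricata suricata-update --no-test
echo
echo "##########################################"
echo "########## UPDATE YARA RULES #############"
echo "##########################################"
echo
# Clone into a scratch directory and replace the installed .yar files only
# after the clone succeeded. The previous order (delete, then move) left
# rules/yara empty, and Cortex was restarted without any YARA rules, whenever
# the download failed. The upstream repository is fetched unpinned over HTTPS,
# so whatever is at its HEAD becomes the signature set; review the resulting
# change in rules/yara if that matters for your deployment.
tmp="$(mktemp -d tmp.XXXXXX)" || { echo "Cannot create scratch directory"; exit 1; }
if git clone https://github.com/malpedia/signator-rules "$tmp" && [ -d "$tmp/rules" ]
then
    rm -f rules/yara/*.yar
    mv "$tmp"/rules/* rules/yara/
else
    echo "YARA rules download failed, existing rules left untouched"
fi
rm -fr "$tmp"
# index_gen.sh lives in rules/yara and is run from there; if the directory
# cannot be entered, skip indexing instead of running it (and the rm below)
# in the current directory.
if cd rules/yara
then
    bash index_gen.sh
    rm -f index_w_mobile.yar
    cd -
fi
docker restart cortex
echo
echo "##########################################"
echo "########## UPDATE SIGMA RULES ############"
echo "##########################################"
echo
docker image rm -f sigma:1.0
docker container prune -f
docker compose -f sigma.yml build
docker compose -f sigma.yml up -d


-------------------------------------------------------------------------------- /99_cleanup_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "$EUID" -ne 0 ] 4 | then echo "Please run as root" 5 | exit 6 | fi 7 | 8 | read -p "Enter instance name (no subdirectory name) [ex: production]: " name 9 | name=${name:-production} 10 | 11 | 12 | SCRIPTDIR="$(pwd)" 13 | # set WORKDIR 14 | WORKDIR="${SCRIPTDIR}/$name" 15 | if [[ ! -d $WORKDIR ]] 16 | then 17 | echo "$WORKDIR not exists on your filesystem." 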
18 | else 19 | cd $WORKDIR 20 | sudo echo "#### DELETE INSTANCE #### " 21 | docker compose kill 22 | echo y | docker compose rm 23 | echo y | docker network prune 24 | echo y | docker system prune 25 | echo y | docker volume rm $(docker volume ls -q --filter dangling=true) 26 | cd .. 27 | sudo rm -rf $WORKDIR 28 | fi 29 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /Licence: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 V1D1AN 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![20210518_v1d1an_bg1--white](https://user-images.githubusercontent.com/18678787/119020235-49428680-b99e-11eb-8621-935a62b966e1.png) 2 |
3 |

4 | Discord 5 | 6 | 7 | 8 |

9 |
10 | 11 | # Objectives 12 | Today, cyber attacks are more numerous and cause damage in companies. Nevertheless, many software products exist to detect cyber threats. The S1EM solution is based on the principle of bringing together the best products in their field, free of charge, and making them quickly interoperable. 13 | 14 | S1EM is a SIEM with SIRP and Threat Intel, a full packet capture, all in one. 15 | 16 | Inside the solution: 17 | 18 | * Elasticsearch ( 1 node or Cluster ) 19 | * Kibana 20 | * Filebeat 21 | * Logstash 22 | * Metricbeat 23 | * Heartbeat 24 | * Auditbeat 25 | * Fleet 26 | * N8n 27 | * Zircolite 28 | * Velociraptor 29 | * Spiderfoot 30 | * Syslog-ng 31 | * Elastalert 32 | * TheHive 33 | * Cortex ( With Mwdb, Capa, Yara, FileInfo, AssemblyLine ) 34 | * MISP 35 | * OpenCTI 36 | * Arkime 37 | * Suricata 38 | * Zeek 39 | * Mwdb 40 | * Traefik 41 | * Codimd 42 | * Watchtower 43 | * Homer 44 | 45 | ![S1EM](https://user-images.githubusercontent.com/18678787/226611253-91a9f2d5-748f-4900-a3e2-0b38f22e7218.png) 46 | 47 | # Guides 48 | - :exclamation:[Installation Guide](https://github.com/V1D1AN/S1EM/wiki/Installation-Guide) 49 | - [Access Guide](https://github.com/V1D1AN/S1EM/wiki/Access-guide) 50 | - [Configuration Guide](https://github.com/V1D1AN/S1EM/wiki/Configuration-guide) 51 | - [Upgrade guide](https://github.com/V1D1AN/S1EM/wiki/Upgrade-guide) 52 | - [Detection Guide](https://github.com/V1D1AN/S1EM/wiki/Detection-guide) 53 | - [Incident Response Guide](https://github.com/V1D1AN/S1EM/wiki/Incident-response-guide) 54 | - [Threat Intel Guide](https://github.com/V1D1AN/S1EM/wiki/Threat-intel-guide) 55 | - [Agent Guide](https://github.com/V1D1AN/S1EM/wiki/agent-guide) 56 | - [Architecture Guide](https://github.com/V1D1AN/S1EM/wiki/Architecture-guide) 57 | - [Troubleshooting Guide](https://github.com/V1D1AN/S1EM/wiki/Troubleshooting-guide) 58 | - [SOAR](https://github.com/V1D1AN/S1EM/wiki/Soar-guide) 59 | - [Use EDR Elastic with 
S1EM](https://github.com/V1D1AN/S1EM/wiki/Edr-guide) 60 | - [Use TPOT with S1EM](https://github.com/V1D1AN/S1EM/wiki/Tpot-guide) 61 | - [Screenshot of S1EM](https://github.com/V1D1AN/S1EM/wiki/Screenshot-of-S1EM) 62 | 63 | # Try S1EM 64 | 65 | For EVTX files, you can try S1EM (Zircolite) with [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES).
66 | For PCAP files, you can try S1EM (Suricata/Zeek/Mwdb) with [MALWARE-TRAFFIC-ANALYSIS](https://www.malware-traffic-analysis.net/index.html). 67 | 68 | # Discord 69 | 70 | The S1EM Discord server: https://discord.gg/uFBzr8fWmC 71 | 72 | # Roadmap 73 | 74 | - [ ] Add OpenCVE 75 | - [ ] Complete documentation 76 | - [ ] SSO 77 | - [ ] Interact with Lab-DFIR-SOC (https://github.com/StevenDias33/Lab-DFIR-SOC) 78 | - [x] Add Capa ( In cortex ) 79 | - [x] Add Zircolite 80 | - [x] Add Velociraptor 81 | - [ ] Installation of S1EM with Ansible 82 | - [ ] Integration in Secubian (https://github.com/kidrek/secubian) 83 | - [ ] Integration of T-POT (https://github.com/telekom-security/tpotce) 84 | 85 | # Related projects 86 | 87 | https://www.elastic.co
88 | https://github.com/TheHive-Project/Docker-Templates
89 | https://github.com/jasonish/docker-suricata
90 | https://github.com/blacktop/docker-zeek
91 | https://github.com/rskntroot/arkime
92 | https://github.com/coolacid/docker-misp
93 | https://github.com/m0ns7er/ElasticXDR
94 | https://github.com/jertel/elastalert-docker
95 | https://github.com/OpenCTI-Platform/docker
96 | https://github.com/CERT-Polska/mwdb-core
97 | https://github.com/SigmaHQ/sigma
98 | https://github.com/Yara-Rules/rules
99 | https://traefik.io/
100 | https://docs.linuxserver.io/images/docker-heimdall
101 | https://github.com/cisagov/Malcolm
102 | https://github.com/blueimp/jQuery-File-Upload
103 | https://gchq.github.io/CyberChef/
104 | https://www.syslog-ng.com/
105 | https://github.com/bastienwirtz/homer
106 | https://github.com/wagga40/zircolite
107 | https://github.com/weslambert
108 | https://github.com/Velocidex/velociraptor
109 | 110 | 111 | 112 | # Special thanks 113 | En français cette fois.
114 | Merci à mes amis et collègues qui m'ont inspiré toutes ces années, qui m'ont aidé, et corrigé des bugs. 115 | Je pense à Kidrek, Juju, mlp1515, Wagga40, Xophidia, StevenDias33, Frak113, HiPizzaa, et tous ceux qui n'ont pas forcément de compte GitHub.
116 | Merci à vous :) 117 | 118 | Liens github:
119 | https://github.com/kidrek
120 | https://github.com/mlp1515
121 | https://github.com/frack113
122 | https://github.com/StevenDias33
123 | https://github.com/wagga40
124 | https://github.com/xophidia
125 | 126 | # Special thanks in English 127 | Thanks to @Mcdave2k1 for your pull requests 128 | 129 | # Donate 130 | If this project helps you reduce development time, you can give me a cup of coffee :)
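131 | 132 | [![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/donate/?business=DUEQFS9Z2E9XW&no_recurring=0&item_name=If+this+project+help+you+reduce+time+to+develop%2C+you+can+give+me+a+cup+of+coffee+%3A%29&currency_code=EUR) 133 | -------------------------------------------------------------------------------- /S1EM-promiscuous.service: --------------------------------------------------------------------------------
[Unit]
Description=Bring up network interfaces in promiscuous mode upon boot
After=network.target

[Service]
Type=oneshot
# Name of the capture interface. As published, the ip commands below carried
# no interface operand at all (possibly a placeholder lost on the way), and
# "ip link set dev promisc on" is rejected by ip, so the unit did nothing.
# Set this to the interface Suricata/Zeek/Arkime sniff; the default matches
# CAP_INTERFACE in arkime/scripts/config.sh. Do not point it at the
# management interface: ExecStop brings the link down.
Environment=CAP_INTERFACE=eth1
ExecStart=/bin/bash -c "ip link set dev ${CAP_INTERFACE} promisc on"
ExecStart=/bin/bash -c "ip link set dev ${CAP_INTERFACE} up"
ExecStop=/bin/bash -c "ip link set dev ${CAP_INTERFACE} promisc off"
ExecStop=/bin/bash -c "ip link set dev ${CAP_INTERFACE} down"
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target -------------------------------------------------------------------------------- /arkime/scripts/add-user.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Create the Arkime admin account. Credentials come from ARKIME_USER and
# ARKIME_PSWD; when they are unset the built-in defaults below are used and a
# warning is logged, because those defaults are public (they are in this
# repository) and must be changed after the first login.

err_msg () { printf '\033[0;31m[ ERROR ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }
warn_msg () { printf '\033[1;33m[ WARN ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }
info_msg () { printf '\033[0;36m[ INFO ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }

info_msg "An Arkime Admin is being created...";

# SET DEFAULT CREDS IF NONE PASSED ##
#
# The tests are quoted so a value containing whitespace cannot break them;
# an unset variable still takes the default exactly as before.
if [ -z "$ARKIME_USER" ]; then ARKIME_USER="root"; fi;
if [ -z "$ARKIME_PSWD" ]; then
    ARKIME_PSWD="arkime_password";
    warn_msg "ARKIME_PSWD not set, using the default password shipped with S1EM; change it after login.";
fi;

## CREATE ADMIN USER ##
#
# moloch_add_user.sh receives the password as a command-line argument, so it
# is visible to other processes in the container while the command runs.
"$ARKIME_DIR/bin/moloch_add_user.sh" --insecure "$ARKIME_USER" "Arkime Admin" "$ARKIME_PSWD" --admin | tee -a /arkime/log/$(hostname).log > /dev/null;

info_msg "Admin User was created:\t"$ARKIME_USER;

#'lost'21jn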
-------------------------------------------------------------------------------- /arkime/scripts/capture.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | err_msg () { printf '\033[0;31m[ ERROR ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 4 | warn_msg () { printf '\033[1;33m[ WARN ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 5 | info_msg () { printf '\033[0;36m[ INFO ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 6 | 7 | FLAG="/arkime/bin/flags" 8 | 9 | info_msg "[ Arkime Capture ] has been started." 10 | info_msg "TODO - Explain running on specified interface..." 11 | 12 | ## WAIT FOR ELASTICSEARCH TO COME ONLINE ## 13 | # 14 | while [ "$(curl -k https://elastic:changeme@es01:9200/_cluster/health?pretty 2> /dev/null | grep status | awk -F '"' '{print $4}')" != "green" ]; do 15 | warn_msg "Waiting for ElasticSearch to come online."; 16 | sleep 5; 17 | done 18 | 19 | info_msg "ElasticSearch is online." 20 | 21 | ## CONFIGURE ARKIME & CREATE USER ## 22 | # 23 | if [ -e "$FLAG/conf_arkime" ]; then 24 | 25 | /arkime/bin/config.sh; 26 | 27 | ## WAIT FOR INIT-DB ## 28 | # 29 | while [ "$(curl arkime:8005 2> /dev/null)" != "Unauthorized" ]; do 30 | warn_msg "Waiting for [ Arkime Viewer ] to come online."; 31 | sleep 5; 32 | done; 33 | 34 | info_msg "[ Arkime Viewer ] is online!"; 35 | 36 | ## CREATE USER ## 37 | # 38 | /arkime/bin/add-user.sh; 39 | 40 | rm $FLAG/conf_arkime; 41 | fi 42 | 43 | ## ENABLE PCAP DOWNLOAD FROM VIEWER ## 44 | # 45 | info_msg "Enabling access to imported .pcap files for [ Arkime Viewer ] over port 8005." 46 | cd $ARKIME_DIR/viewer && ../bin/node ./viewer.js -c ../etc/config.ini | tee -a /arkime/log/import.log 2>&1 & 47 | 48 | ## RUN ARKIME CAPTURE ## 49 | # 50 | 51 | err_msg "Powering down [ Arkime Capture ]..." 
52 | 53 | #'lost'21jn 54 | -------------------------------------------------------------------------------- /arkime/scripts/config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | err_msg () { printf '\033[0;31m[ ERROR ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 4 | warn_msg () { printf '\033[1;33m[ WARN ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 5 | info_msg () { printf '\033[0;36m[ INFO ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 6 | 7 | ## SET DEFAULT VALUES ## 8 | # 9 | if [ -z "$CAP_INTERFACE" ]; then CAP_INTERFACE='eth1'; fi 10 | if [ -z "$ARKIME_S2S" ]; then ARKIME_S2S=$(echo deeznuts | sha256sum | cut -d' ' -f1); fi 11 | if [ -z "$ES_HOST" ]; then ES_HOST='https://elastic:changeme@es01:9200'; fi 12 | 13 | info_msg "Generating [ Arkime $(hostname) ] configuration file..." 14 | mkdir /arkime/etc 15 | sed -r -e "s,\w+_INSTALL_DIR,$ARKIME_DIR,g" -e "s,\w+_PASSWORD,$ARKIME_S2S," -e "s,\w+_INTERFACE,$CAP_INTERFACE," -e "s,\w+_ELASTICSEARCH,$ES_HOST," < $ARKIME_DIR/etc/config.ini.sample > /arkime/etc/config.ini 16 | ln -s /arkime/etc/config.ini $ARKIME_DIR/etc/config.ini 17 | info_msg "Configuration file generated." 18 | 19 | info_msg "Setting log rotation for 7 days." 20 | 21 | ## SETUP LOGROTATE ## 22 | # 23 | cat << EOF > /etc/logrotate.d/$(hostname) 24 | $ARKIME_DIR/logs/$(hostname).log { 25 | daily 26 | rotate 7 27 | compressl 28 | notifempty 29 | copytruncate 30 | } 31 | EOF 32 | 33 | ## CREATE PCAP DATASTORE ## 34 | # 35 | info_msg "Creating datastore at /arkime/data." 
36 | mkdir -p /arkime/data; 37 | ln -s /arkime/data $ARKIME_DIR/raw 38 | 39 | ## DEFINE INTERFACE CONFIG SCRIPT ## 40 | # 41 | info_msg "Generating capture prerequesties for:\t"$CAP_INTERFACE 42 | cat << EOF > $ARKIME_DIR/bin/moloch_config_interfaces.sh 43 | #!/bin/sh 44 | /sbin/ethtool -G \$CAP_INTERFACE rx 4096 tx 4096 || true 45 | for i in rx tx sg tso ufo gso gro lro; do 46 | /sbin/ethtool -K \$CAP_INTERFACE \$i off || true 47 | done 48 | EOF 49 | 50 | chmod a+x $ARKIME_DIR/bin/moloch_config_interfaces.sh 51 | 52 | ## UNLOCK CORE AND MEMLOCK ## 53 | # 54 | info_msg "Removing core and memlock limits." 55 | cat << EOF > /etc/security/limits.d/99-moloch.conf 56 | nobody - core unlimited 57 | root - core unlimited 58 | nobody - memlock unlimited 59 | root - memlock unlimited 60 | EOF 61 | 62 | info_msg "Configuration has completed." 63 | 64 | #'lost'21jn 65 | -------------------------------------------------------------------------------- /arkime/scripts/flags/conf_arkime: -------------------------------------------------------------------------------- 1 | # Configure Arkime Flag 2 | # capture.sh 3 | # import.sh 4 | # viewer.sh 5 | # 6 | #'lost'21jn 7 | -------------------------------------------------------------------------------- /arkime/scripts/flags/init_db: -------------------------------------------------------------------------------- 1 | # Initialize Database - Flag 2 | # viewer.sh - (working) 3 | -------------------------------------------------------------------------------- /arkime/scripts/import.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | err_msg () { printf '\033[0;31m[ ERROR ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 4 | warn_msg () { printf '\033[1;33m[ WARN ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 5 | info_msg () { printf '\033[0;36m[ INFO ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 6 | 7 | FLAG="/arkime/bin/flags" 8 | 9 | info_msg "[ 
Arkime Import ] has been started." 10 | 11 | ## WAIT FOR ELASTICSEARCH TO COME ONLINE ## 12 | # 13 | while [ "$(curl -k https://elastic:changeme@es01:9200/_cluster/health?pretty 2> /dev/null | grep status | awk -F '"' '{print $4}')" != "green" ]; do 14 | warn_msg "Waiting for ElasticSearch to come online..."; 15 | sleep 5; 16 | done 17 | 18 | info_msg "ElasticSearch is online." 19 | 20 | ## CONFIGURE ARKIME & CREATE USER ## 21 | # 22 | if [ -e "$FLAG/conf_arkime" ]; then 23 | 24 | /arkime/bin/config.sh; 25 | 26 | ## WAIT FOR INIT-DB ## 27 | # 28 | while [ "$(curl arkime:8005 2> /dev/null)" != "Unauthorized" ]; do 29 | warn_msg "Waiting for [ Arkime Viewer ] to come online..."; 30 | sleep 5; 31 | done; 32 | 33 | info_msg "[ Arkime Viewer ] is online."; 34 | 35 | ## CREATE USER ## 36 | # 37 | /arkime/bin/add-user.sh; 38 | 39 | rm $FLAG/conf_arkime; 40 | fi 41 | 42 | ## ENABLE PCAP DOWNLOAD FROM VIEWER ## 43 | # 44 | info_msg "Enabling access to imported .pcap files for [ Arkime Viewer ] over port 8005." 45 | cd $ARKIME_DIR/viewer && ../bin/node ./viewer.js -c ../etc/config.ini | tee -a /arkime/log/$(hostname).log > /dev/null & 46 | 47 | info_msg "[ Arkime Import ] is now watching %root%/import/ for .pcap files." 48 | 49 | inotifywait -m --format '%f' -e close_write /import/ | while read FILE 50 | do 51 | cp /import/$FILE /arkime/data 52 | chmod +r /arkime/data/$FILE; 53 | $ARKIME_DIR/bin/moloch-capture -r /arkime/data/$FILE | tee -a /arkime/log/$(hostname).log > /dev/null; 54 | done; 55 | 56 | 57 | err_msg "Powering down [ Arkime Import ]..." 
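58 | 59 | #'lost'21jn 60 | -------------------------------------------------------------------------------- /arkime/scripts/init-db-multi.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Initialise the Arkime indices in Elasticsearch for the multi-node layout
# (one replica per shard). Intended to run once, before the viewer starts.

err_msg () { printf '\033[0;31m[ ERROR ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }
warn_msg () { printf '\033[1;33m[ WARN ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }
info_msg () { printf '\033[0;36m[ INFO ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }

## ELASTICSEARCH ENDPOINT ##
#
# Same variable and default as arkime/scripts/config.sh, so an operator who
# rotates the elastic password sets ES_HOST once instead of editing the
# bootstrap credentials hard-coded here.
if [ -z "$ES_HOST" ]; then ES_HOST='https://elastic:changeme@es01:9200'; fi

## INITIALIZE DATABASE ##
#
info_msg "Initializing ElasticSearch database...";

# "echo INIT" answers db.pl's confirmation prompt; --insecure skips TLS
# certificate verification against the self-signed cluster certificate.
echo INIT | /data/moloch/db/db.pl --insecure "$ES_HOST" init --shards 1 --replicas 1 --refresh 30| tee -a /arkime/log/$(hostname).log > /dev/null;

info_msg "ElasticSearch database was initialized."

#'lost'21jn
-------------------------------------------------------------------------------- /arkime/scripts/init-db-single.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Initialise the Arkime indices in Elasticsearch for the single-node layout
# (no replicas). Intended to run once, before the viewer starts.

err_msg () { printf '\033[0;31m[ ERROR ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }
warn_msg () { printf '\033[1;33m[ WARN ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }
info_msg () { printf '\033[0;36m[ INFO ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; }

## ELASTICSEARCH ENDPOINT ##
#
# Same variable and default as arkime/scripts/config.sh, so an operator who
# rotates the elastic password sets ES_HOST once instead of editing the
# bootstrap credentials hard-coded here.
if [ -z "$ES_HOST" ]; then ES_HOST='https://elastic:changeme@es01:9200'; fi

## INITIALIZE DATABASE ##
#
info_msg "Initializing ElasticSearch database...";

# "echo INIT" answers db.pl's confirmation prompt; --insecure skips TLS
# certificate verification against the self-signed cluster certificate.
echo INIT | /data/moloch/db/db.pl --insecure "$ES_HOST" init --shards 1 --replicas 0 --refresh 30| tee -a /arkime/log/$(hostname).log > /dev/null;

info_msg "ElasticSearch database was initialized."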
14 | 15 | #'lost'21jn 16 | -------------------------------------------------------------------------------- /arkime/scripts/viewer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | err_msg () { printf '\033[0;31m[ ERROR ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 4 | warn_msg () { printf '\033[1;33m[ WARN ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 5 | info_msg () { printf '\033[0;36m[ INFO ]\033[0m' && echo -e "\t"$(date)"\t"$BASH_SOURCE"\t"$1; } 6 | 7 | FLAG="/arkime/bin/flags" 8 | 9 | info_msg "[ Arkime Viewer ] has been started." 10 | 11 | ## WAIT FOR ELASTICSEARCH TO COME ONLINE ## 12 | # 13 | while [ "$(curl -k https://elastic:changeme@es01:9200/_cluster/health?pretty 2> /dev/null | grep status | awk -F '"' '{print $4}')" != "green" ]; do 14 | warn_msg "Waiting for Elasticsearch to come online."; 15 | sleep 5; 16 | done 17 | 18 | info_msg "ElasticSearch is online."; 19 | 20 | ## CONFIGURE ARKIME ## 21 | # 22 | if [ -e "$FLAG/conf_arkime" ]; then 23 | /arkime/bin/config.sh; 24 | fi 25 | 26 | ## INITIALIZE DATABASE AND CREATE ADMIN USER ## 27 | # 28 | if [ -e "$FLAG/init_db" ]; then 29 | /arkime/bin/init-db.sh; 30 | # rm $FLAG/init_db; 31 | fi 32 | 33 | ## CREATE USER ## 34 | # 35 | if [ -e "$FLAG/conf_viewer" ]; then 36 | /arkime/bin/add-user.sh; 37 | # rm $FLAG/conf_arkime; 38 | fi 39 | 40 | ## START [ ARKIME VIEWER ] WITH LOGGING ## 41 | # 42 | info_msg "Starting [ Arkime Viewer ] webserver on port 8005..." 43 | 44 | cd $ARKIME_DIR/viewer && ../bin/node ./viewer.js -c ../etc/config.ini | tee -a /arkime/log/$(hostname).log 2>&1 45 | 46 | err_msg "Powering down [ Arkime Viewer ]..." 
47 | #'lost'21jn 48 | -------------------------------------------------------------------------------- /auditbeat/auditbeat-multi.yml: -------------------------------------------------------------------------------- 1 | auditbeat.modules: 2 | 3 | - module: file_integrity 4 | paths: 5 | - /bin 6 | - /usr/bin 7 | - /sbin 8 | - /usr/sbin 9 | - /etc 10 | 11 | - module: system 12 | datasets: 13 | - host 14 | - login 15 | - package 16 | - process 17 | - socket 18 | - user 19 | period: 30s 20 | state.period: 12h 21 | socket.include_localhost: false 22 | user.detect_password_changes: true 23 | 24 | processors: 25 | - add_docker_metadata: ~ 26 | 27 | 28 | http.enabled: true 29 | http.host: 0.0.0.0 30 | monitoring.enabled: false 31 | setup.template.overwrite: true 32 | setup.kibana.host: "https://kibana:5601/kibana" 33 | setup.kibana.ssl.enabled: true 34 | setup.kibana.ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 35 | setup.kibana.ssl.certificate: "/usr/share/certificates/kibana/kibana.crt" 36 | setup.kibana.ssl.key: "/usr/share/certificates/kibana/kibana.key" 37 | setup.ilm.enabled: true 38 | setup.ilm.policy_name: "ILM" 39 | setup.ilm.policy_file: "/usr/share/auditbeat/ilm.json" 40 | setup.ilm_pattern: "{now/d}-000001" 41 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 42 | setup.dashboards.enabled: true 43 | setup.template.settings: 44 | index: 45 | refresh_interval: 30s 46 | mapping: 47 | total_fields: 48 | limit: 8192 49 | 50 | output.elasticsearch: 51 | hosts: ["https://es01:9200"] 52 | username: "elastic" 53 | password: "changeme" 54 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 55 | ssl.certificate: "/usr/share/certificates/auditbeat/auditbeat.crt" 56 | ssl.key: "/usr/share/certificates/auditbeat/auditbeat.key" 57 | 58 | -------------------------------------------------------------------------------- /auditbeat/auditbeat-single.yml: 
-------------------------------------------------------------------------------- 1 | auditbeat.modules: 2 | 3 | - module: file_integrity 4 | paths: 5 | - /bin 6 | - /usr/bin 7 | - /sbin 8 | - /usr/sbin 9 | - /etc 10 | 11 | - module: system 12 | datasets: 13 | - host 14 | - login 15 | - package 16 | - process 17 | - socket 18 | - user 19 | period: 30s 20 | state.period: 12h 21 | socket.include_localhost: false 22 | user.detect_password_changes: true 23 | 24 | processors: 25 | - add_docker_metadata: ~ 26 | 27 | 28 | http.enabled: true 29 | http.host: 0.0.0.0 30 | monitoring.enabled: false 31 | setup.template.overwrite: true 32 | setup.kibana.host: "https://kibana:5601/kibana" 33 | setup.kibana.ssl.enabled: true 34 | setup.kibana.ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 35 | setup.kibana.ssl.certificate: "/usr/share/certificates/kibana/kibana.crt" 36 | setup.kibana.ssl.key: "/usr/share/certificates/kibana/kibana.key" 37 | setup.ilm.enabled: true 38 | setup.ilm.policy_name: "ILM" 39 | setup.ilm.policy_file: "/usr/share/auditbeat/ilm.json" 40 | setup.ilm_pattern: "{now/d}-000001" 41 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 42 | setup.dashboards.enabled: true 43 | setup.template.settings: 44 | index: 45 | number_of_replicas: 0 46 | refresh_interval: 30s 47 | mapping: 48 | total_fields: 49 | limit: 8192 50 | 51 | output.elasticsearch: 52 | hosts: ["https://es01:9200"] 53 | username: "elastic" 54 | password: "changeme" 55 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 56 | ssl.certificate: "/usr/share/certificates/auditbeat/auditbeat.crt" 57 | ssl.key: "/usr/share/certificates/auditbeat/auditbeat.key" 58 | 59 | -------------------------------------------------------------------------------- /auditbeat/ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "phases": { 4 | "hot": { 5 | "min_age": "0ms", 6 | "actions": { 7 | "rollover": { 
8 | "max_primary_shard_size": "50gb", 9 | "max_age": "1d" 10 | }, 11 | "set_priority": { 12 | "priority": 100 13 | } 14 | } 15 | }, 16 | "warm": { 17 | "min_age": "1d", 18 | "actions": { 19 | "readonly": {}, 20 | "set_priority": { 21 | "priority": 50 22 | } 23 | } 24 | }, 25 | "cold": { 26 | "min_age": "15d", 27 | "actions": { 28 | "readonly": {}, 29 | "set_priority": { 30 | "priority": 0 31 | } 32 | } 33 | } 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /cortex/Capa.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Capa", 3 | "version": "1.0", 4 | "author": "Wes Lambert", 5 | "url": "https://github.com/TheHive-Project/Cortex-Analyzers", 6 | "license": "AGPL-V3", 7 | "description": "Analyze files with Capa", 8 | "dataTypeList": ["file"], 9 | "baseConfig": "Capa", 10 | "config": { 11 | "service": "CapaAnalyze" 12 | }, 13 | "command": "Capa/CapaAnalyze.py", 14 | "configurationItems": [ 15 | { 16 | "name": "capa_path", 17 | "description": "Path to Capa binary", 18 | "type": "string", 19 | "multi": false, 20 | "required": true, 21 | "defaultValue": "/opt/Cortex-Analyzers/analyzers/Capa/capa" 22 | } 23 | ] 24 | } 25 | -------------------------------------------------------------------------------- /cortex/Elasticsearch_Domain.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Elasticsearch_Domain_Analysis", 3 | "author": "V1D1AN", 4 | "license": "AGPL-V3", 5 | "url": "https://github.com/V1D1AN/S1EM", 6 | "version": "1.0", 7 | "description": "Search for IoCs in a Elasticsearch Instance", 8 | "dataTypeList": ["domain"], 9 | "command": "Elasticsearch/elk.py", 10 | "config": { 11 | "service": "domain" 12 | }, 13 | "baseConfig": "Elasticsearch", 14 | "configurationItems": [ 15 | { 16 | "name": "endpoint", 17 | "description": "Define the Elasticsearch endpoint", 18 | "type": "string", 19 | "multi": false, 20 | 
"required": false, 21 | "defaultValue": "https://elastic:changeme@es01:9200" 22 | }, 23 | { 24 | "name": "index", 25 | "description": "Define the Elasticsearch index to use", 26 | "type": "string", 27 | "multi": true, 28 | "required": true, 29 | "defaultValue": [ "filebeat-*","winlogbeat-*","logs-*","auditbeat-*" ] 30 | }, 31 | { 32 | "name": "domain", 33 | "description": "Define the field to query for Domain IoCs", 34 | "type": "string", 35 | "multi": true, 36 | "required": true, 37 | "defaultValue": [ "dns.question.name" ] 38 | }, 39 | { 40 | "name": "verifyssl", 41 | "description": "Verify SSL certificate", 42 | "type": "boolean", 43 | "multi": false, 44 | "required": true, 45 | "defaultValue": false 46 | }, 47 | { 48 | "name": "cert_path", 49 | "description": "Path to the CA on the system used to check server certificate", 50 | "type": "string", 51 | "multi": true, 52 | "required": false 53 | } 54 | ] 55 | } 56 | 57 | -------------------------------------------------------------------------------- /cortex/Elasticsearch_Hash.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Elasticsearch_Hash_Analysis", 3 | "author": "V1D1AN", 4 | "license": "AGPL-V3", 5 | "url": "https://gitlab.cyber.fr", 6 | "version": "1.0", 7 | "description": "Search for IoCs in a Elasticsearch Instance", 8 | "dataTypeList": ["hash"], 9 | "command": "Elasticsearch/elk.py", 10 | "config": { 11 | "service": "hash" 12 | }, 13 | "baseConfig": "Elasticsearch", 14 | "configurationItems": [ 15 | { 16 | "name": "endpoint", 17 | "description": "Define the Elasticsearch endpoint", 18 | "type": "string", 19 | "multi": false, 20 | "required": false, 21 | "defaultValue": "https://elastic:changeme@es01:9200" 22 | }, 23 | { 24 | "name": "index", 25 | "description": "Define the Elasticsearch index to use", 26 | "type": "string", 27 | "multi": true, 28 | "required": true, 29 | "defaultValue": [ "filebeat-*","winlogbeat-*","logs-*","auditbeat-*" ] 30 | 
}, 31 | { 32 | "name": "hash", 33 | "description": "Define the field to query for Hash IoCs", 34 | "type": "string", 35 | "multi": true, 36 | "required": true, 37 | "defaultValue": [ "file.hash.md5","file.hash.sha1","file.hash.sha256" ] 38 | }, 39 | { 40 | "name": "verifyssl", 41 | "description": "Verify SSL certificate", 42 | "type": "boolean", 43 | "multi": false, 44 | "required": true, 45 | "defaultValue": false 46 | }, 47 | { 48 | "name": "cert_path", 49 | "description": "Path to the CA on the system used to check server certificate", 50 | "type": "string", 51 | "multi": true, 52 | "required": false 53 | } 54 | ] 55 | } 56 | 57 | -------------------------------------------------------------------------------- /cortex/Elasticsearch_IP.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Elasticsearch_IP_Analysis", 3 | "author": "V1D1AN", 4 | "license": "AGPL-V3", 5 | "url": "https://github.com/V1D1AN/S1EM", 6 | "version": "1.0", 7 | "description": "Search for IoCs in a Elasticsearch Instance", 8 | "dataTypeList": ["ip"], 9 | "command": "Elasticsearch/elk.py", 10 | "config": { 11 | "service": "ip" 12 | }, 13 | "baseConfig": "Elasticsearch", 14 | "configurationItems": [ 15 | { 16 | "name": "endpoint", 17 | "description": "Define the Elasticsearch endpoint", 18 | "type": "string", 19 | "multi": false, 20 | "required": false, 21 | "defaultValue": "https://elastic:changeme@es01:9200" 22 | }, 23 | { 24 | "name": "index", 25 | "description": "Define the Elasticsearch index to use", 26 | "type": "string", 27 | "multi": true, 28 | "required": true, 29 | "defaultValue": [ "filebeat-*","winlogbeat-*","logs-*","auditbeat-*" ] 30 | }, 31 | { 32 | "name": "ip", 33 | "description": "Define the field to query for IP IoCs", 34 | "type": "string", 35 | "multi": true, 36 | "required": true, 37 | "defaultValue": [ "source.ip","destination.ip" ] 38 | }, 39 | { 40 | "name": "verifyssl", 41 | "description": "Verify SSL certificate", 
42 | "type": "boolean", 43 | "multi": false, 44 | "required": true, 45 | "defaultValue": false 46 | }, 47 | { 48 | "name": "cert_path", 49 | "description": "Path to the CA on the system used to check server certificate", 50 | "type": "string", 51 | "multi": true, 52 | "required": false 53 | } 54 | ] 55 | } 56 | 57 | -------------------------------------------------------------------------------- /cortex/MISP.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "MISP", 3 | "author": "Nils Kuhnert, CERT-Bund", 4 | "license": "AGPL-V3", 5 | "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", 6 | "version": "2.1", 7 | "description": "Query multiple MISP instances for events containing an observable.", 8 | "dataTypeList": [ 9 | "domain", 10 | "ip", 11 | "url", 12 | "fqdn", 13 | "uri_path", 14 | "user-agent", 15 | "hash", 16 | "mail", 17 | "mail_subject", 18 | "registry", 19 | "regexp", 20 | "other", 21 | "filename" 22 | ], 23 | "baseConfig": "MISP", 24 | "command": "MISP/misp.py", 25 | "configurationItems": [ 26 | { 27 | "name": "name", 28 | "description": "Name of MISP servers", 29 | "defaultValue": [ "MISP" ], 30 | "multi": true, 31 | "required": false, 32 | "type": "string" 33 | }, 34 | { 35 | "name": "url", 36 | "description": "URL of MISP servers", 37 | "defaultValue": [ "https://s1em_hostname/misp/" ], 38 | "type": "string", 39 | "multi": true, 40 | "required": true 41 | }, 42 | { 43 | "name": "key", 44 | "description": "API key for each server", 45 | "defaultValue": [ "misp_api_key" ], 46 | "type": "string", 47 | "multi": true, 48 | "required": true 49 | }, 50 | { 51 | "name": "cert_check", 52 | "description": "Verify server certificate", 53 | "type": "boolean", 54 | "multi": false, 55 | "required": true, 56 | "defaultValue": false 57 | }, 58 | { 59 | "name": "cert_path", 60 | "description": "Path to the CA on the system used to check server certificate", 61 | "type": "string", 62 | "multi": true, 63 | 
"required": false 64 | } 65 | ] 66 | } 67 | -------------------------------------------------------------------------------- /cortex/Mwdb.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Mwdb", 3 | "version": "1.0", 4 | "author": "@V1D1AN", 5 | "url": "https://github.com/V1D1AN/S1EM", 6 | "license": "AGPL-V3", 7 | "description": "Send Malware to Mwdb", 8 | "dataTypeList": ["file"], 9 | "command": "Mwdb/mwdb.py", 10 | "baseConfig": "Mwdb", 11 | "config": { 12 | "service": "file" 13 | }, 14 | "configurationItems": [ 15 | { 16 | "name": "mwdb_url", 17 | "description": "The URL to your mwdb instance", 18 | "type": "string", 19 | "multi": false, 20 | "required": true, 21 | "defaultValue": "http://mwdb-web" 22 | }, 23 | { 24 | "name": "mwdb_apikey", 25 | "description": "The API key to your Mwdb user", 26 | "type": "string", 27 | "multi": false, 28 | "required": true, 29 | "defaultValue": "mwdb_api_key" 30 | } 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /cortex/OTXQuery.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "OTXQuery", 3 | "version": "2.0", 4 | "author": "Eric Capuano", 5 | "url": "https://github.com/TheHive-Project/Cortex-Analyzers", 6 | "license": "AGPL-V3", 7 | "description": "Query AlienVault OTX for IPs, domains, URLs, or file hashes.", 8 | "dataTypeList": ["url", "domain", "file", "hash", "ip"], 9 | "baseConfig": "OTXQuery", 10 | "command": "OTXQuery/otxquery.py", 11 | "configurationItems": [ 12 | { 13 | "name": "key", 14 | "description": "Define the API key to use to connect the service", 15 | "type": "string", 16 | "defaultValue": "766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad", 17 | "multi": false, 18 | "required": true 19 | } 20 | ], 21 | "registration_required": true, 22 | "subscription_required": true, 23 | "free_subscription": true, 24 | "service_homepage": 
"https://otx.alienvault.com/", 25 | "service_logo": { 26 | "path": "assets/OTX.png", 27 | "caption": "logo" 28 | }, 29 | "screenshots": [ 30 | { 31 | "path": "assets/long_report.png", 32 | "caption": "OTX Alienvault: long report" 33 | } 34 | ] 35 | } -------------------------------------------------------------------------------- /cortex/OpenCTI_SearchObservables.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "OpenCTI_SearchObservables", 3 | "author": "ANSSI", 4 | "license": "AGPL-V3", 5 | "url": "https://github.com/TheHive-Project/Cortex-Analyzers/", 6 | "version": "2.0", 7 | "description": "Query multiple OpenCTI instances for a list of observables matching a pattern.", 8 | "dataTypeList": [ 9 | "domain", 10 | "ip", 11 | "url", 12 | "fqdn", 13 | "uri_path", 14 | "user-agent", 15 | "hash", 16 | "mail", 17 | "mail_subject", 18 | "registry", 19 | "regexp", 20 | "other", 21 | "filename" 22 | ], 23 | "config": { 24 | "service": "search_observables" 25 | }, 26 | "baseConfig": "OpenCTI", 27 | "command": "OpenCTI/opencti.py", 28 | "configurationItems": [ 29 | { 30 | "name": "name", 31 | "description": "Name of OpenCTI servers", 32 | "defaultValue": [ "OpenCTI" ], 33 | "multi": true, 34 | "required": false, 35 | "type": "string" 36 | }, 37 | { 38 | "name": "url", 39 | "description": "URL of OpenCTI servers", 40 | "defaultValue": [ "http://opencti:8080/opencti" ], 41 | "type": "string", 42 | "multi": true, 43 | "required": true 44 | }, 45 | { 46 | "name": "key", 47 | "description": "API key for each server", 48 | "defaultValue": [ "9b12e9e8-5987-4811-84f7-a3d7897b17fd" ], 49 | "type": "string", 50 | "multi": true, 51 | "required": true 52 | }, 53 | { 54 | "name": "cert_check", 55 | "description": "Verify server certificate", 56 | "type": "boolean", 57 | "multi": false, 58 | "required": true, 59 | "defaultValue": false 60 | } 61 | ], 62 | "registration_required": true, 63 | "subscription_required": false, 64 | 
"free_subscription": false, 65 | "service_homepage": "https://www.opencti.io", 66 | "service_logo": {"path":"assets/logo_opencti.png", "caption": "logo"}, 67 | "screenshots": [] 68 | } 69 | -------------------------------------------------------------------------------- /cortex/Yara.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Yara", 3 | "author": "Nils Kuhnert, CERT-Bund", 4 | "license": "AGPL-V3", 5 | "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", 6 | "version": "2.0", 7 | "description": "Check files against YARA rules.", 8 | "dataTypeList": ["file"], 9 | "command": "Yara/yara_analyzer.py", 10 | "baseConfig": "Yara", 11 | "configurationItems": [ 12 | { 13 | "name": "rules", 14 | "description": "Define the path rules folder", 15 | "type": "string", 16 | "multi": true, 17 | "required": true, 18 | "defaultValue": [ "/opt/rules/yara/index.yar" ] 19 | } 20 | ] 21 | } -------------------------------------------------------------------------------- /cortex/application-multi.conf: -------------------------------------------------------------------------------- 1 | # Sample Cortex application.conf file 2 | 3 | ## SECRET KEY 4 | 5 | # The secret key is used to secure cryptographic functions. 6 | # 7 | # IMPORTANT: If you deploy your application to several instances, make 8 | # sure to use the same key. 9 | play.http.secret.key="msd3232fdn3ofgfbki83ihtzHSD" 10 | play.http.context="/cortex" 11 | 12 | ## ElasticSearch 13 | search { 14 | # Name of the index 15 | #index = cortex 16 | # ElasticSearch instance address. 17 | # For cluster, join address:port with ',': "http://ip1:9200,ip2:9200,ip3:9200" 18 | uri = "https://es01:9200" 19 | 20 | ## Advanced configuration 21 | # Scroll keepalive. 22 | #keepalive = 1m 23 | # Scroll page size. 
24 | #pagesize = 50 25 | # Number of shards 26 | #nbshards = 5 27 | # Number of replicas 28 | #nbreplicas = 0 29 | # Arbitrary settings 30 | settings { 31 | # # Maximum number of nested fields 32 | mapping.nested_fields.limit = 100 33 | } 34 | 35 | ## Authentication configuration 36 | user = "elastic" 37 | password = "changeme" 38 | 39 | ## SSL configuration 40 | #search.keyStore { 41 | # path = "/path/to/keystore" 42 | # type = "JKS" # or PKCS12 43 | # password = "keystore-password" 44 | #} 45 | #search.trustStore { 46 | # path = "/path/to/trustStore" 47 | # type = "JKS" # or PKCS12 48 | # password = "trustStore-password" 49 | #} 50 | } 51 | 52 | ## Cache 53 | # 54 | # If an analyzer is executed against the same observable, the previous report can be returned without re-executing the 55 | # analyzer. The cache is used only if the second job occurs within cache.job (the default is 10 minutes). 56 | cache.job = 10 minutes 57 | 58 | ## Authentication 59 | auth { 60 | # "provider" parameter contains the authentication provider(s). It can be multi-valued, which is useful 61 | # for migration. 62 | # The available auth types are: 63 | # - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No 64 | # configuration are required. 65 | # - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in 66 | # the "ad" section below. 67 | # - ldap : use LDAP to authenticate users. The associated configuration shall be done in the 68 | # "ldap" section below. 69 | # - oauth2 : use OAuth/OIDC to authenticate users. Configuration is under "auth.oauth2" and "auth.sso" keys 70 | provider = [local] 71 | 72 | ad { 73 | # The Windows domain name in DNS format. This parameter is required if you do not use 74 | # 'serverNames' below. 75 | #domainFQDN = "mydomain.local" 76 | 77 | # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN 78 | # above. 
If this parameter is not set, TheHive uses 'domainFQDN'. 79 | #serverNames = [ad1.mydomain.local, ad2.mydomain.local] 80 | 81 | # The Windows domain name using short format. This parameter is required. 82 | #domainName = "MYDOMAIN" 83 | 84 | # If 'true', use SSL to connect to the domain controller. 85 | #useSSL = true 86 | } 87 | 88 | ldap { 89 | # The LDAP server name or address. The port can be specified using the 'host:port' 90 | # syntax. This parameter is required if you don't use 'serverNames' below. 91 | #serverName = "ldap.mydomain.local:389" 92 | 93 | # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead. 94 | #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local] 95 | 96 | # Account to use to bind to the LDAP server. This parameter is required. 97 | #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local" 98 | 99 | # Password of the binding account. This parameter is required. 100 | #bindPW = "***secret*password***" 101 | 102 | # Base DN to search users. This parameter is required. 103 | #baseDN = "ou=users,dc=mydomain,dc=local" 104 | 105 | # Filter to search user in the directory server. Please note that {0} is replaced 106 | # by the actual user name. This parameter is required. 107 | #filter = "(cn={0})" 108 | 109 | # If 'true', use SSL to connect to the LDAP directory server. 
110 | #useSSL = true 111 | } 112 | 113 | oauth2 { 114 | # URL of the authorization server 115 | #clientId = "client-id" 116 | #clientSecret = "client-secret" 117 | #redirectUri = "https://my-thehive-instance.example/index.html#!/login" 118 | #responseType = "code" 119 | #grantType = "authorization_code" 120 | 121 | # URL from where to get the access token 122 | #authorizationUrl = "https://auth-site.com/OAuth/Authorize" 123 | #tokenUrl = "https://auth-site.com/OAuth/Token" 124 | 125 | # The endpoint from which to obtain user details using the OAuth token, after successful login 126 | #userUrl = "https://auth-site.com/api/User" 127 | #scope = "openid profile" 128 | # Type of authorization header 129 | #authorizationHeader = "Bearer" # or token 130 | } 131 | 132 | # Single-Sign On 133 | sso { 134 | # Autocreate user in database? 135 | #autocreate = false 136 | 137 | # Autoupdate its profile and roles? 138 | #autoupdate = false 139 | 140 | # Autologin user using SSO? 141 | #autologin = false 142 | 143 | # Attributes mappings 144 | #attributes { 145 | # login = "login" 146 | # name = "name" 147 | # groups = "groups" 148 | # roles = "roles" # list of roles, separated with comma 149 | # organisation = "org" 150 | #} 151 | 152 | # Name of mapping class from user resource to backend user ('simple' or 'group') 153 | #mapper = group 154 | # Default roles for users with no groups mapped ("read", "analyze", "orgadmin") 155 | #defaultRoles = [] 156 | # Default organization 157 | #defaultOrganization = "MyOrga" 158 | 159 | #groups { 160 | # # URL to retreive groups (leave empty if you are using OIDC) 161 | # #url = "https://auth-site.com/api/Groups" 162 | # # Group mappings, you can have multiple roles for each group: they are merged 163 | # mappings { 164 | # admin-profile-name = ["admin"] 165 | # editor-profile-name = ["write"] 166 | # reader-profile-name = ["read"] 167 | # } 168 | #} 169 | } 170 | } 171 | 172 | job { 173 | runners = [process] 174 | } 175 | 176 | # HTTP 
filters 177 | play.filters { 178 | # # name of cookie in which the CSRF token is transmitted to client 179 | csrf.cookie.name = CORTEX-XSRF-TOKEN 180 | # # name of header in which the client should send CSRD token 181 | csrf.header.name = X-CORTEX-XSRF-TOKEN 182 | # 183 | enabled = [ 184 | org.thp.cortex.services.StreamFilter, 185 | org.elastic4play.services.TempFilter, 186 | org.thp.cortex.services.CSRFFilter 187 | ] 188 | } 189 | play.http.session.cookieName = CORTEX_SESSION 190 | # 191 | # 192 | ## ANALYZERS 193 | # 194 | analyzer { 195 | # analyzer location 196 | # url can be point to: 197 | # - directory where analyzers are installed 198 | # - json file containing the list of analyzer descriptions 199 | urls = [ 200 | #"https://download.thehive-project.org/analyzers.json" 201 | "/opt/Cortex-Analyzers/analyzers" 202 | #"/absolute/path/of/analyzers" 203 | ] 204 | 205 | # Sane defaults. Do not change unless you know what you are doing. 206 | fork-join-executor { 207 | # Min number of threads available for analysis. 208 | parallelism-min = 2 209 | # Parallelism (threads) ... ceil(available processors * factor). 210 | parallelism-factor = 2.0 211 | # Max number of threads available for analysis. 212 | parallelism-max = 4 213 | } 214 | } 215 | 216 | # RESPONDERS 217 | # 218 | responder { 219 | # responder location (same format as analyzer.urls) 220 | urls = [ 221 | #"https://download.thehive-project.org/responders.json" 222 | "/opt/Cortex-Analyzers/responders" 223 | #"/absolute/path/of/responders" 224 | ] 225 | 226 | # Sane defaults. Do not change unless you know what you are doing. 227 | fork-join-executor { 228 | # Min number of threads available for analysis. 229 | parallelism-min = 2 230 | # Parallelism (threads) ... ceil(available processors * factor). 231 | parallelism-factor = 2.0 232 | # Max number of threads available for analysis. 233 | parallelism-max = 4 234 | } 235 | } 236 | 237 | # It's the end my friend. Happy hunting! 
238 | -------------------------------------------------------------------------------- /cortex/application-single.conf: -------------------------------------------------------------------------------- 1 | # Sample Cortex application.conf file 2 | 3 | ## SECRET KEY 4 | 5 | # The secret key is used to secure cryptographic functions. 6 | # 7 | # IMPORTANT: If you deploy your application to several instances, make 8 | # sure to use the same key. 9 | play.http.secret.key="msd3232fdn3ofgfbki83ihtzHSD" 10 | play.http.context="/cortex" 11 | 12 | ## ElasticSearch 13 | search { 14 | # Name of the index 15 | #index = cortex 16 | # ElasticSearch instance address. 17 | # For cluster, join address:port with ',': "http://ip1:9200,ip2:9200,ip3:9200" 18 | uri = "https://es01:9200" 19 | 20 | ## Advanced configuration 21 | # Scroll keepalive. 22 | #keepalive = 1m 23 | # Scroll page size. 24 | #pagesize = 50 25 | # Number of shards 26 | nbshards = 1 27 | # Number of replicas 28 | nbreplicas = 0 29 | # Arbitrary settings 30 | settings { 31 | # # Maximum number of nested fields 32 | mapping.nested_fields.limit = 100 33 | } 34 | 35 | ## Authentication configuration 36 | user = "elastic" 37 | password = "changeme" 38 | 39 | ## SSL configuration 40 | #search.keyStore { 41 | # path = "/path/to/keystore" 42 | # type = "JKS" # or PKCS12 43 | # password = "keystore-password" 44 | #} 45 | #search.trustStore { 46 | # path = "/path/to/trustStore" 47 | # type = "JKS" # or PKCS12 48 | # password = "trustStore-password" 49 | #} 50 | } 51 | 52 | ## Cache 53 | # 54 | # If an analyzer is executed against the same observable, the previous report can be returned without re-executing the 55 | # analyzer. The cache is used only if the second job occurs within cache.job (the default is 10 minutes). 56 | cache.job = 10 minutes 57 | 58 | ## Authentication 59 | auth { 60 | # "provider" parameter contains the authentication provider(s). It can be multi-valued, which is useful 61 | # for migration. 
62 | # The available auth types are: 63 | # - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No 64 | # configuration are required. 65 | # - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in 66 | # the "ad" section below. 67 | # - ldap : use LDAP to authenticate users. The associated configuration shall be done in the 68 | # "ldap" section below. 69 | # - oauth2 : use OAuth/OIDC to authenticate users. Configuration is under "auth.oauth2" and "auth.sso" keys 70 | provider = [local] 71 | 72 | ad { 73 | # The Windows domain name in DNS format. This parameter is required if you do not use 74 | # 'serverNames' below. 75 | #domainFQDN = "mydomain.local" 76 | 77 | # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN 78 | # above. If this parameter is not set, TheHive uses 'domainFQDN'. 79 | #serverNames = [ad1.mydomain.local, ad2.mydomain.local] 80 | 81 | # The Windows domain name using short format. This parameter is required. 82 | #domainName = "MYDOMAIN" 83 | 84 | # If 'true', use SSL to connect to the domain controller. 85 | #useSSL = true 86 | } 87 | 88 | ldap { 89 | # The LDAP server name or address. The port can be specified using the 'host:port' 90 | # syntax. This parameter is required if you don't use 'serverNames' below. 91 | #serverName = "ldap.mydomain.local:389" 92 | 93 | # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead. 94 | #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local] 95 | 96 | # Account to use to bind to the LDAP server. This parameter is required. 97 | #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local" 98 | 99 | # Password of the binding account. This parameter is required. 100 | #bindPW = "***secret*password***" 101 | 102 | # Base DN to search users. This parameter is required. 
103 | #baseDN = "ou=users,dc=mydomain,dc=local" 104 | 105 | # Filter to search user in the directory server. Please note that {0} is replaced 106 | # by the actual user name. This parameter is required. 107 | #filter = "(cn={0})" 108 | 109 | # If 'true', use SSL to connect to the LDAP directory server. 110 | #useSSL = true 111 | } 112 | 113 | oauth2 { 114 | # URL of the authorization server 115 | #clientId = "client-id" 116 | #clientSecret = "client-secret" 117 | #redirectUri = "https://my-thehive-instance.example/index.html#!/login" 118 | #responseType = "code" 119 | #grantType = "authorization_code" 120 | 121 | # URL from where to get the access token 122 | #authorizationUrl = "https://auth-site.com/OAuth/Authorize" 123 | #tokenUrl = "https://auth-site.com/OAuth/Token" 124 | 125 | # The endpoint from which to obtain user details using the OAuth token, after successful login 126 | #userUrl = "https://auth-site.com/api/User" 127 | #scope = "openid profile" 128 | # Type of authorization header 129 | #authorizationHeader = "Bearer" # or token 130 | } 131 | 132 | # Single-Sign On 133 | sso { 134 | # Autocreate user in database? 135 | #autocreate = false 136 | 137 | # Autoupdate its profile and roles? 138 | #autoupdate = false 139 | 140 | # Autologin user using SSO? 
141 | #autologin = false 142 | 143 | # Attributes mappings 144 | #attributes { 145 | # login = "login" 146 | # name = "name" 147 | # groups = "groups" 148 | # roles = "roles" # list of roles, separated with comma 149 | # organisation = "org" 150 | #} 151 | 152 | # Name of mapping class from user resource to backend user ('simple' or 'group') 153 | #mapper = group 154 | # Default roles for users with no groups mapped ("read", "analyze", "orgadmin") 155 | #defaultRoles = [] 156 | # Default organization 157 | #defaultOrganization = "MyOrga" 158 | 159 | #groups { 160 | # # URL to retreive groups (leave empty if you are using OIDC) 161 | # #url = "https://auth-site.com/api/Groups" 162 | # # Group mappings, you can have multiple roles for each group: they are merged 163 | # mappings { 164 | # admin-profile-name = ["admin"] 165 | # editor-profile-name = ["write"] 166 | # reader-profile-name = ["read"] 167 | # } 168 | #} 169 | } 170 | } 171 | 172 | job { 173 | runners = [process] 174 | } 175 | 176 | # HTTP filters 177 | play.filters { 178 | # # name of cookie in which the CSRF token is transmitted to client 179 | csrf.cookie.name = CORTEX-XSRF-TOKEN 180 | # # name of header in which the client should send CSRD token 181 | csrf.header.name = X-CORTEX-XSRF-TOKEN 182 | # 183 | enabled = [ 184 | org.thp.cortex.services.StreamFilter, 185 | org.elastic4play.services.TempFilter, 186 | org.thp.cortex.services.CSRFFilter 187 | ] 188 | } 189 | play.http.session.cookieName = CORTEX_SESSION 190 | # 191 | # 192 | ## ANALYZERS 193 | # 194 | analyzer { 195 | # analyzer location 196 | # url can be point to: 197 | # - directory where analyzers are installed 198 | # - json file containing the list of analyzer descriptions 199 | urls = [ 200 | #"https://download.thehive-project.org/analyzers.json" 201 | "/opt/Cortex-Analyzers/analyzers" 202 | #"/absolute/path/of/analyzers" 203 | ] 204 | 205 | # Sane defaults. Do not change unless you know what you are doing. 
206 | fork-join-executor { 207 | # Min number of threads available for analysis. 208 | parallelism-min = 2 209 | # Parallelism (threads) ... ceil(available processors * factor). 210 | parallelism-factor = 2.0 211 | # Max number of threads available for analysis. 212 | parallelism-max = 4 213 | } 214 | } 215 | 216 | # RESPONDERS 217 | # 218 | responder { 219 | # responder location (same format as analyzer.urls) 220 | urls = [ 221 | #"https://download.thehive-project.org/responders.json" 222 | "/opt/Cortex-Analyzers/responders" 223 | #"/absolute/path/of/responders" 224 | ] 225 | 226 | # Sane defaults. Do not change unless you know what you are doing. 227 | fork-join-executor { 228 | # Min number of threads available for analysis. 229 | parallelism-min = 2 230 | # Parallelism (threads) ... ceil(available processors * factor). 231 | parallelism-factor = 2.0 232 | # Max number of threads available for analysis. 233 | parallelism-max = 4 234 | } 235 | } 236 | 237 | # It's the end my friend. Happy hunting! 
238 | -------------------------------------------------------------------------------- /cortex/cacerts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/cortex/cacerts -------------------------------------------------------------------------------- /elastalert/elastalert.yaml: -------------------------------------------------------------------------------- 1 | es_host: es01 2 | es_port: 9200 3 | use_ssl: true 4 | ca_certs: /usr/share/certificates/ca/ca.crt 5 | client_cert: /usr/share/certificates/elastalert/elastalert.crt 6 | client_key: /usr/share/certificates/elastalert/elastalert.key 7 | es_username: elastic 8 | es_password: changeme 9 | rules_folder: /opt/elastalert/rules 10 | scan_subdirectories: true 11 | disable_rules_on_error: false 12 | show_disabled_rules: true 13 | add_metadata_alert: True 14 | es_conn_timeout: 60 15 | hive_connection: 16 | hive_host: http://thehive 17 | hive_port: 9000/thehive 18 | hive_apikey: thehive_api_key 19 | run_every: 20 | minutes: 1 21 | buffer_time: 22 | days : 1 23 | writeback_index: elastalert_status 24 | alert_time_limit: 25 | days: 1 26 | -------------------------------------------------------------------------------- /env.sample: -------------------------------------------------------------------------------- 1 | ELK=7.17.16 2 | ELASTIC_PASSWORD=changeme 3 | KIBANA_PASSWORD=kibana_changeme 4 | HOSTNAME=s1em_hostname 5 | ORGANIZATION=organization_name 6 | CERTS_DIR=/usr/share/elasticsearch/config/certificates 7 | OPENCTI_ADMIN_EMAIL=opencti_account 8 | OPENCTI_ADMIN_PASSWORD=opencti_password 9 | OPENCTI_ADMIN_TOKEN=9b12e9e8-5987-4811-84f7-a3d7897b17fd 10 | MINIO_ACCESS_KEY=ChangeMeAccess 11 | MINIO_SECRET_KEY=ChangeMeKey 12 | MYSQL_ROOT_PASSWORD=mysql_password 13 | RABBITMQ_DEFAULT_USER=guest 14 | RABBITMQ_DEFAULT_PASS=guest 15 | CONNECTOR_EXPORT_FILE_STIX_ID=874a08cb-eb03-4611-853a-d7646ff678e5 16 | 
CONNECTOR_EXPORT_FILE_CSV_ID=37035170-f2c6-4dff-a129-84fbe41704fd 17 | CONNECTOR_IMPORT_FILE_STIX_ID=8f03d117-d81f-48a3-a2eb-d950b8bbe4d3 18 | CONNECTOR_IMPORT_DOCUMENT_ID=4e154e0d-b393-459e-87e4-009b768a2c34 19 | CONNECTOR_MISP_ID=4e154e0d-b393-459e-87e4-009b768a2c35 20 | CONNECTOR_MITRE_ID=4e154e0d-b393-459e-87e4-009b768a2c36 21 | CONNECTOR_CVE_ID=4e154e0d-b393-459e-87e4-009b768a2c37 22 | CONNECTOR_AMITT_ID=4e154e0d-b393-459e-87e4-009b768a2c38 23 | CONNECTOR_ALIENVAULT_ID=4e154e0d-b393-459e-87e4-009b768a2c39 24 | CONNECTOR_OPENCTI_ID=4e154e0d-b393-459e-87e4-009b768a2c40 25 | CONNECTOR_MWDB_ID=4e154e0d-b393-459e-87e4-009b768a2c41 26 | CONNECTOR_DISARM_ID=4e154e0d-b393-459e-87e4-009b768a2c42 27 | ARKIME_USER=arkime_account 28 | ARKIME_PSWD=arkime_password 29 | COMPOSE_HTTP_TIMEOUT=180 30 | COMPOSE_PARALLEL_LIMIT=50 31 | ALIENVAULT_API_KEY=766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad 32 | MISP_KEY=misp_api_key 33 | MWDB_API=mwdb_api_key 34 | SUBFOLDER=n8n 35 | N8N_PATH=/n8n/ 36 | N8N_BASIC_AUTH_USER=n8n_account 37 | N8N_BASIC_AUTH_PASSWORD=n8n_password 38 | GENERIC_TIMEZONE=Europe/Berlin 39 | FLEET_SERVICETOKEN=fleettoken 40 | FLEET_ENROLLTOKEN=fleetenroll 41 | ADMINISTRATION_IP=administrationip 42 | ZIRCOLITE_USER=zircolite_account 43 | ZIRCOLITE_PASSWORD=zircolite_password 44 | EXCLUDE=\.tmp$ 45 | MONITOR_FILE=close_write 46 | THE_HIVE_KEY=thehive_api_key 47 | THE_HIVE_HOST=https://s1em_hostname/thehive 48 | VELOX_SERVER_URL=https:://s1em_hostname:8000/ 49 | -------------------------------------------------------------------------------- /filebeat/filebeat-multi.yml: -------------------------------------------------------------------------------- 1 | filebeat.config: 2 | modules: 3 | path: ${path.config}/modules.d/*.yml 4 | reload.enabled: false 5 | 6 | processors: 7 | - add_docker_metadata: ~ 8 | 9 | http.enabled: true 10 | http.host: 0.0.0.0 11 | monitoring.enabled: false 12 | setup.kibana.host: "https://kibana:5601/kibana" 13 | 
setup.kibana.ssl.enabled: true 14 | setup.kibana.ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 15 | setup.kibana.ssl.certificate: "/usr/share/certificates/kibana/kibana.crt" 16 | setup.kibana.ssl.key: "/usr/share/certificates/kibana/kibana.key" 17 | setup.ilm.enabled: true 18 | setup.ilm.policy_name: "ILM" 19 | setup.ilm.policy_file: "/usr/share/filebeat/ilm.json" 20 | setup.ilm.check_exists: true 21 | setup.ilm_pattern: "{now/d}-000001" 22 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 23 | setup.dashboards.enabled: true 24 | setup.template.overwrite: true 25 | setup.template.settings: 26 | index: 27 | refresh_interval: 30s 28 | mapping: 29 | total_fields: 30 | limit: 8192 31 | 32 | output.elasticsearch: 33 | hosts: ["https://es01:9200"] 34 | username: "elastic" 35 | password: "changeme" 36 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 37 | ssl.certificate: "/usr/share/certificates/filebeat/filebeat.crt" 38 | ssl.key: "/usr/share/certificates/filebeat/filebeat.key" 39 | -------------------------------------------------------------------------------- /filebeat/filebeat-single.yml: -------------------------------------------------------------------------------- 1 | filebeat.config: 2 | modules: 3 | path: ${path.config}/modules.d/*.yml 4 | reload.enabled: false 5 | 6 | processors: 7 | - add_docker_metadata: ~ 8 | 9 | http.enabled: true 10 | http.host: 0.0.0.0 11 | monitoring.enabled: false 12 | setup.kibana.host: "https://kibana:5601/kibana" 13 | setup.kibana.ssl.enabled: true 14 | setup.kibana.ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 15 | setup.kibana.ssl.certificate: "/usr/share/certificates/kibana/kibana.crt" 16 | setup.kibana.ssl.key: "/usr/share/certificates/kibana/kibana.key" 17 | setup.ilm.enabled: true 18 | setup.ilm.policy_name: "ILM" 19 | setup.ilm.policy_file: "/usr/share/filebeat/ilm.json" 20 | setup.ilm.check_exists: true 21 | setup.ilm_pattern: "{now/d}-000001" 
22 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 23 | setup.dashboards.enabled: true 24 | setup.template.overwrite: true 25 | setup.template.settings: 26 | index: 27 | number_of_replicas: 0 28 | refresh_interval: 30s 29 | mapping: 30 | total_fields: 31 | limit: 8192 32 | 33 | output.elasticsearch: 34 | hosts: ["https://es01:9200"] 35 | username: "elastic" 36 | password: "changeme" 37 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 38 | ssl.certificate: "/usr/share/certificates/filebeat/filebeat.crt" 39 | ssl.key: "/usr/share/certificates/filebeat/filebeat.key" 40 | -------------------------------------------------------------------------------- /filebeat/ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "phases": { 4 | "hot": { 5 | "min_age": "0ms", 6 | "actions": { 7 | "rollover": { 8 | "max_primary_shard_size": "50gb", 9 | "max_age": "1d" 10 | }, 11 | "set_priority": { 12 | "priority": 100 13 | } 14 | } 15 | }, 16 | "warm": { 17 | "min_age": "1d", 18 | "actions": { 19 | "readonly": {}, 20 | "set_priority": { 21 | "priority": 50 22 | } 23 | } 24 | }, 25 | "cold": { 26 | "min_age": "15d", 27 | "actions": { 28 | "readonly": {}, 29 | "set_priority": { 30 | "priority": 0 31 | } 32 | } 33 | } 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /filebeat/modules.d/osquery.yml: -------------------------------------------------------------------------------- 1 | # Module: osquery 2 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-osquery.html 3 | 4 | - module: osquery 5 | result: 6 | enabled: true 7 | 8 | # Set custom paths for the log files. If left empty, 9 | # Filebeat will choose the paths depending on your OS. 10 | #var.paths: 11 | 12 | # If true, all fields created by this module are prefixed with 13 | # `osquery.result`. 
Set to false to copy the fields in the root 14 | # of the document. The default is true. 15 | #var.use_namespace: true 16 | -------------------------------------------------------------------------------- /filebeat/modules.d/suricata.yml: -------------------------------------------------------------------------------- 1 | # Module: suricata 2 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.11/filebeat-module-suricata.html 3 | 4 | - module: suricata 5 | # All logs 6 | eve: 7 | enabled: true 8 | 9 | # Set custom paths for the log files. If left empty, 10 | # Filebeat will choose the paths depending on your OS. 11 | #var.paths: 12 | -------------------------------------------------------------------------------- /filebeat/modules.d/system.yml: -------------------------------------------------------------------------------- 1 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.11/filebeat-module-system.html 2 | 3 | - module: system 4 | # Syslog 5 | syslog: 6 | enabled: true 7 | 8 | # Set custom paths for the log files. If left empty, 9 | # Filebeat will choose the paths depending on your OS. 10 | var.paths: 11 | - '/var/log/*' 12 | - '/var/log/syslog-ng/*' 13 | 14 | # Authorization logs 15 | auth: 16 | enabled: true 17 | 18 | # Set custom paths for the log files. If left empty, 19 | # Filebeat will choose the paths depending on your OS. 
20 | var.paths: 21 | - '/var/log/*' 22 | - '/var/log/syslog-ng/*' 23 | -------------------------------------------------------------------------------- /filebeat/modules.d/threatintel.yml: -------------------------------------------------------------------------------- 1 | # Module: threatintel 2 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-threatintel.html 3 | 4 | - module: threatintel 5 | misp: 6 | enabled: true 7 | var.input: httpjson 8 | var.url: https://s1em_hostname/misp/events/restSearch 9 | var.api_token: "misp_api_key" 10 | var.first_interval: 300h 11 | var.interval: 5m 12 | var.ssl.verification_mode: none 13 | 14 | abuseurl: 15 | enabled: true 16 | var.input: httpjson 17 | var.url: https://urlhaus-api.abuse.ch/v1/urls/recent/ 18 | var.interval: 60m 19 | 20 | abusemalware: 21 | enabled: true 22 | var.input: httpjson 23 | var.url: https://urlhaus-api.abuse.ch/v1/payloads/recent/ 24 | var.interval: 60m 25 | 26 | malwarebazaar: 27 | enabled: true 28 | var.input: httpjson 29 | var.url: https://mb-api.abuse.ch/api/v1/ 30 | var.interval: 10m 31 | 32 | otx: 33 | enabled: true 34 | var.input: httpjson 35 | var.url: https://otx.alienvault.com/api/v1/indicators/export 36 | var.api_token: 766ba1df3ab54db9c0fcbf62ef048c3a04c260e8ca65b6c25346084b7b4719ad 37 | var.first_interval: 24h 38 | var.lookback_range: 2h 39 | var.interval: 60m 40 | 41 | anomali: 42 | enabled: false 43 | var.input: httpjson 44 | var.url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects?match[type]=indicator 45 | var.username: guest 46 | var.password: guest 47 | var.interval: 60m 48 | 49 | anomalithreatstream: 50 | enabled: true 51 | # Input used for ingesting threat intel data 52 | var.input: http_endpoint 53 | # Address to bind to in order to receive HTTP requests 54 | # from the Integrator SDK. Use 0.0.0.0 to bind to all 55 | # existing interfaces. 
56 | var.listen_address: localhost 57 | # Port to use to receive HTTP requests from the 58 | # Integrator SDK. 59 | var.listen_port: 8080 60 | # Secret key used to authenticate requests from the SDK; while it is left empty, incoming requests are not authenticated. 61 | var.secret: '' 62 | # Uncomment the following and set the absolute paths 63 | # to the server SSL certificate and private key to 64 | # enable HTTPS connections. 65 | # 66 | # var.ssl_certificate: path/to/server_ssl_cert.pem 67 | # var.ssl_key: path/to/ssl_key.pem 68 | 69 | recordedfuture: 70 | enabled: true 71 | # Input used for ingesting threat intel data 72 | var.input: httpjson 73 | # The interval at which the API is polled for updates 74 | var.interval: 5m 75 | # How far back in time to start fetching intelligence when run for the 76 | # first time. Value must be in hours. Default: 168h (1 week). 77 | var.first_interval: 168h 78 | # The URL used for Threat Intel API calls. 79 | # Must include the `limit` parameter and at least the `entity` and `timestamps` fields. 80 | # See the Connect API Explorer for a list of possible parameters.
81 | # 82 | # For `ip` entities: 83 | var.url: "https://api.recordedfuture.com/v2/ip/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" 84 | # For `domain` entities: 85 | # var.url: "https://api.recordedfuture.com/v2/domain/search?limit=200&fields=entity,timestamps,risk,intelCard,location&metadata=false" 86 | # For `hash` entities: 87 | # var.url: "https://api.recordedfuture.com/v2/hash/search?limit=200&fields=entity,fileHashes,timestamps,risk,intelCard,location&metadata=false" 88 | # For `url` entities: 89 | # var.url: "https://api.recordedfuture.com/v2/url/search?limit=200&fields=entity,timestamps,risk&metadata=false" 90 | var.api_token: "" 91 | -------------------------------------------------------------------------------- /filebeat/modules.d/traefik.yml: -------------------------------------------------------------------------------- 1 | # Module: traefik 2 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-traefik.html 3 | 4 | - module: traefik 5 | # Access logs 6 | access: 7 | enabled: true 8 | 9 | # Set custom paths for the log files. If left empty, 10 | # Filebeat will choose the paths depending on your OS. 
11 | #var.paths: "/var/log/traefik" 12 | -------------------------------------------------------------------------------- /filebeat/modules.d/zeek.yml: -------------------------------------------------------------------------------- 1 | # Module: zeek 2 | # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html 3 | 4 | - module: zeek 5 | capture_loss: 6 | enabled: true 7 | connection: 8 | enabled: true 9 | dce_rpc: 10 | enabled: true 11 | dhcp: 12 | enabled: true 13 | dnp3: 14 | enabled: true 15 | dns: 16 | enabled: true 17 | dpd: 18 | enabled: true 19 | files: 20 | enabled: true 21 | ftp: 22 | enabled: true 23 | http: 24 | enabled: true 25 | intel: 26 | enabled: true 27 | irc: 28 | enabled: true 29 | kerberos: 30 | enabled: true 31 | modbus: 32 | enabled: true 33 | mysql: 34 | enabled: true 35 | notice: 36 | enabled: true 37 | ntlm: 38 | enabled: true 39 | ocsp: 40 | enabled: true 41 | pe: 42 | enabled: true 43 | radius: 44 | enabled: true 45 | rdp: 46 | enabled: true 47 | rfb: 48 | enabled: true 49 | signature: 50 | enabled: true 51 | sip: 52 | enabled: true 53 | smb_cmd: 54 | enabled: true 55 | smb_files: 56 | enabled: true 57 | smb_mapping: 58 | enabled: true 59 | smtp: 60 | enabled: true 61 | snmp: 62 | enabled: true 63 | socks: 64 | enabled: true 65 | ssh: 66 | enabled: true 67 | ssl: 68 | enabled: true 69 | stats: 70 | enabled: true 71 | syslog: 72 | enabled: true 73 | traceroute: 74 | enabled: true 75 | tunnel: 76 | enabled: true 77 | weird: 78 | enabled: true 79 | x509: 80 | enabled: true 81 | 82 | # Set custom paths for the log files. If left empty, 83 | # Filebeat will choose the paths depending on your OS. 
84 | #var.paths: 85 | -------------------------------------------------------------------------------- /heartbeat/heartbeat-multi.yml: -------------------------------------------------------------------------------- 1 | heartbeat.config.monitors: 2 | path: /usr/share/heartbeat/monitors.d/*.yml 3 | reload.enabled: true 4 | reload.period: 10s 5 | 6 | processors: 7 | - add_docker_metadata: ~ 8 | - add_host_metadata: ~ 9 | 10 | http.enabled: true 11 | http.host: 0.0.0.0 12 | monitoring.enabled: false 13 | setup.template.overwrite: true 14 | setup.ilm.enabled: true 15 | setup.ilm.policy_name: "ILM" 16 | setup.ilm.policy_file: "/usr/share/heartbeat/ilm.json" 17 | setup.ilm_pattern: "{now/d}-000001" 18 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 19 | setup.template.settings: 20 | index: 21 | refresh_interval: 30s 22 | mapping: 23 | total_fields: 24 | limit: 8192 25 | 26 | output.elasticsearch: 27 | hosts: ["https://es01:9200"] 28 | username: "elastic" 29 | password: "changeme" 30 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 31 | ssl.certificate: "/usr/share/certificates/heartbeat/heartbeat.crt" 32 | ssl.key: "/usr/share/certificates/heartbeat/heartbeat.key" 33 | 34 | -------------------------------------------------------------------------------- /heartbeat/heartbeat-single.yml: -------------------------------------------------------------------------------- 1 | heartbeat.config.monitors: 2 | path: /usr/share/heartbeat/monitors.d/*.yml 3 | reload.enabled: true 4 | reload.period: 10s 5 | 6 | processors: 7 | - add_docker_metadata: ~ 8 | - add_host_metadata: ~ 9 | 10 | http.enabled: true 11 | http.host: 0.0.0.0 12 | monitoring.enabled: false 13 | setup.template.overwrite: true 14 | setup.ilm.enabled: true 15 | setup.ilm.policy_name: "ILM" 16 | setup.ilm.policy_file: "/usr/share/heartbeat/ilm.json" 17 | setup.ilm_pattern: "{now/d}-000001" 18 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 19 | 
setup.template.settings: 20 | index: 21 | number_of_replicas: 0 22 | refresh_interval: 30s 23 | mapping: 24 | total_fields: 25 | limit: 8192 26 | 27 | output.elasticsearch: 28 | hosts: ["https://es01:9200"] 29 | username: "elastic" 30 | password: "changeme" 31 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 32 | ssl.certificate: "/usr/share/certificates/heartbeat/heartbeat.crt" 33 | ssl.key: "/usr/share/certificates/heartbeat/heartbeat.key" 34 | 35 | -------------------------------------------------------------------------------- /heartbeat/ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "phases": { 4 | "hot": { 5 | "min_age": "0ms", 6 | "actions": { 7 | "rollover": { 8 | "max_primary_shard_size": "50gb", 9 | "max_age": "1d" 10 | }, 11 | "set_priority": { 12 | "priority": 100 13 | } 14 | } 15 | }, 16 | "warm": { 17 | "min_age": "1d", 18 | "actions": { 19 | "readonly": {}, 20 | "set_priority": { 21 | "priority": 50 22 | } 23 | } 24 | }, 25 | "cold": { 26 | "min_age": "15d", 27 | "actions": { 28 | "readonly": {}, 29 | "set_priority": { 30 | "priority": 0 31 | } 32 | } 33 | } 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /heartbeat/monitors.d/arkime.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: arkime 4 | name: Arkime 5 | hosts: ["arkime"] 6 | ports: [8005] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/auditbeat.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: auditbeat 4 | name: Auditbeat 5 | hosts: ["auditbeat"] 6 | ports: [5066] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/cassandra.yml: 
-------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: cassandra 4 | name: Cassandra 5 | hosts: ["cassandra"] 6 | ports: [7000] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/codimd.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: codimd 4 | name: Codimd 5 | hosts: ["codimd"] 6 | ports: [3000] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/cortex.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: cortex 4 | name: Cortex 5 | hosts: ["cortex"] 6 | ports: [9001] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/cyberchef.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: cyberchef 4 | name: Cyberchef 5 | hosts: ["cyberchef"] 6 | ports: [8000] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/es01.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: es01 4 | name: Es01 5 | hosts: ["es01"] 6 | ports: [9200,9300] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/es02.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: es02 4 | name: Es02 5 | hosts: ["es02"] 6 | ports: [9200,9300] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- 
/heartbeat/monitors.d/es03.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: es03 4 | name: Es03 5 | hosts: ["es03"] 6 | ports: [9300] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/filebeat.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: filebeat 4 | name: Filebeat 5 | hosts: ["filebeat"] 6 | ports: [5066] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/homer.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: homer 4 | name: Homer 5 | hosts: ["homer"] 6 | ports: [8080] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/internet.yml: -------------------------------------------------------------------------------- 1 | - type: http 2 | id: Internet 3 | name: Internet 4 | service.name: Internet 5 | hosts: ["https://www.google.fr"] 6 | check.response.status: [200] 7 | schedule: '@every 5s' -------------------------------------------------------------------------------- /heartbeat/monitors.d/logstash.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: logstash 4 | name: Logstash 5 | hosts: ["logstash"] 6 | ports: [9600] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/metricbeat.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: metricbeat 4 | name: Metricbeat 5 | hosts: ["metricbeat"] 6 | ports: [5066] 7 | schedule: '@every 30s' 8 | 
-------------------------------------------------------------------------------- /heartbeat/monitors.d/minio.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: minio 4 | name: Minio 5 | hosts: ["minio"] 6 | ports: [9000] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/misp-modules.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: misp-modules 4 | name: Misp modules 5 | hosts: ["misp-modules"] 6 | ports: [6666] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/misp.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: misp 4 | name: Misp 5 | hosts: ["misp"] 6 | ports: [80] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/mwdb.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: mwdb 4 | name: Mwdb 5 | hosts: ["mwdb"] 6 | ports: [8080] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/mysql.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: mysql 4 | name: Mysql 5 | hosts: ["db"] 6 | ports: [3306] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/n8n.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: n8n 4 | name: N8n 5 | hosts: ["n8n"] 6 | ports: [5678] 7 | schedule: '@every 30s' 8 | 
-------------------------------------------------------------------------------- /heartbeat/monitors.d/opencti.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: opencti 4 | name: Opencti 5 | hosts: ["opencti"] 6 | ports: [8080] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/postgres.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: postgres 4 | name: Postgres 5 | hosts: ["postgres"] 6 | ports: [5432] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/rabbitmq.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: rabbitmq 4 | name: Rabbitmq 5 | hosts: ["rabbitmq"] 6 | ports: [5672] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/redis.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: redis 4 | name: Redis 5 | hosts: ["redis"] 6 | ports: [6379] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/spiderfoot.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: spiderfoot 4 | name: Spiderfoot 5 | hosts: ["spiderfoot"] 6 | ports: [8080] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/thehive.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: thehive 4 | name: TheHive 5 | hosts: ["thehive"] 6 | ports: 
[9000] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/upload.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: upload 4 | name: File upload 5 | hosts: ["file-upload"] 6 | ports: [80] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/velociraptor-upload.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: velociraptor 4 | name: Velociraptor upload 5 | hosts: ["velociraptor-upload"] 6 | ports: [80] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/velociraptor.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: velociraptor 4 | name: Velociraptor 5 | hosts: ["velociraptor"] 6 | ports: [8000,8001,8889] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /heartbeat/monitors.d/zircolite.yml: -------------------------------------------------------------------------------- 1 | - type: tcp 2 | enabled: true 3 | id: zircolite 4 | name: Zircolite upload 5 | hosts: ["zircolite-upload"] 6 | ports: [80] 7 | schedule: '@every 30s' 8 | -------------------------------------------------------------------------------- /homer/additional-page.yml.dist: -------------------------------------------------------------------------------- 1 | --- 2 | # Additional page configuration 3 | 4 | # Additional configurations are loaded using its file name, minus the extension, as an anchor (https://#). 
5 | # `config.yml` is still used as a base configuration, and all values here will overwrite it, so you don't have to re-define everything 6 | 7 | 8 | subtitle: "this is another dashboard page" 9 | 10 | # This overwrites the message config. Setting it to empty removes the message from this page and keeps it only in the main one: 11 | message: ~ 12 | 13 | # as we want to include a different link here (so we can get back to the home page), we need to replicate all links or they will be removed when the links field is overwritten: 14 | links: 15 | - name: "Home" 16 | icon: "fas fa-home" 17 | url: "#" 18 | - name: "Contribute" 19 | icon: "fab fa-github" 20 | url: "https://github.com/bastienwirtz/homer" 21 | target: "_blank" # optional html a tag target attribute 22 | - name: "Wiki" 23 | icon: "fas fa-book" 24 | url: "https://www.wikipedia.org/" 25 | 26 | services: 27 | - name: "More applications on another page!" 28 | icon: "fas fa-cloud" 29 | items: 30 | - name: "Awesome app on a second page!" 31 | logo: "assets/tools/sample.png" 32 | subtitle: "Bookmark example" 33 | tag: "app" 34 | url: "https://www.reddit.com/r/selfhosted/" 35 | target: "_blank" 36 | -------------------------------------------------------------------------------- /homer/config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Homepage configuration 3 | # See https://fontawesome.com/icons for icon options 4 | 5 | #title: "S1EM Dashboard" 6 | subtitle: "S1EM" 7 | #logo: "/assets/icons/s1em.png" 8 | icon: "/assets/icons/s1em.ico" # Optional icon 9 | 10 | header: true 11 | footer: false 12 | columns: 5 13 | # Optional theme customization 14 | theme: default 15 | colors: 16 | light: 17 | highlight-primary: "#3367d6" 18 | highlight-secondary: "#4285f4" 19 | highlight-hover: "#5a95f5" 20 | background: "#f5f5f5" 21 | card-background: "#ffffff" 22 | text: "#363636" 23 | text-header: "#ffffff" 24 | text-title: "#303030" 25 | text-subtitle: "#424242" 26 | card-shadow:
rgba(0, 0, 0, 0.1) 27 | link: "#3273dc" 28 | link-hover: "#363636" 29 | dark: 30 | highlight-primary: "#3367d6" 31 | highlight-secondary: "#4285f4" 32 | highlight-hover: "#5a95f5" 33 | background: "#131313" 34 | card-background: "#2b2b2b" 35 | text: "#eaeaea" 36 | text-header: "#ffffff" 37 | text-title: "#fafafa" 38 | text-subtitle: "#f5f5f5" 39 | card-shadow: rgba(0, 0, 0, 0.4) 40 | link: "#3273dc" 41 | link-hover: "#ffdd57" 42 | 43 | # Optional navbar 44 | # links: [] # Allows for navbar (dark mode, layout, and search) without any links 45 | links: 46 | - name: "Contribute" 47 | icon: "fab fa-github" 48 | url: "https://github.com/V1D1AN/S1EM" 49 | target: "_blank" # optional html a tag target attribute 50 | - name: "Wiki" 51 | icon: "fas fa-book" 52 | url: "https://github.com/V1D1AN/S1EM/wiki" 53 | 54 | # Services 55 | # Each entry of the first-level array represents a group. 56 | # Leave only an "items" key if not using groups (group name, icon & tagstyle are optional; the section separation will not be displayed).
57 | services: 58 | - name: "CTI" 59 | icon: "fas fa-globe" 60 | items: 61 | - name: "Misp" 62 | logo: "/assets/icons/misp.png" 63 | tag: "app" 64 | url: "https://s1em_hostname/misp" 65 | target: "_blank" # optional html a tag target attribute 66 | - name: "Opencti" 67 | logo: "/assets/icons/opencti.png" 68 | tag: "app" 69 | url: "https://s1em_hostname/opencti" 70 | target: "_blank" # optional html a tag target attribute 71 | 72 | - name: "SIEM" 73 | icon: "fas fa-desktop" 74 | items: 75 | - name: "Elastic SIEM" 76 | logo: "/assets/icons/kibana-security.png" 77 | tag: "app" 78 | url: "https://s1em_hostname/kibana/app/security/overview" 79 | target: "_blank" # optional html a tag target attribute 80 | - name: "Monitoring" 81 | logo: "/assets/icons/kibana.png" 82 | tag: "app" 83 | url: "https://s1em_hostname/kibana/app/uptime" 84 | target: "_blank" # optional html a tag target attribute 85 | 86 | 87 | - name: "SOAR" 88 | icon: "fas fa-project-diagram" 89 | items: 90 | - name: "n8n" 91 | logo: "/assets/icons/n8n.png" 92 | tag: "app" 93 | url: "https://s1em_hostname/n8n/signin" 94 | target: "_blank" # optional html a tag target attribute 95 | 96 | 97 | - name: "MALWARE" 98 | icon: "fas fa-radiation" 99 | items: 100 | - name: "Mwdb" 101 | logo: "/assets/icons/mwdb.png" 102 | tag: "app" 103 | url: "http://s1em_hostname:8080" 104 | target: "_blank" # optional html a tag target attribute 105 | 106 | - name: "OSINT" 107 | icon: "fas fa-fingerprint" 108 | items: 109 | - name: "Spiderfoot" 110 | logo: "/assets/icons/spiderfoot.png" 111 | tag: "app" 112 | url: "https://s1em_hostname/spiderfoot/" 113 | target: "_blank" # optional html a tag target attribute 114 | 115 | - name: "FPC" 116 | icon: "fas fa-save" 117 | items: 118 | - name: "Arkime" 119 | logo: "/assets/icons/arkime.png" 120 | tag: "app" 121 | url: "https://s1em_hostname/arkime/" 122 | target: "_blank" # optional html a tag target attribute 123 | 124 | - name: "MITRE" 125 | icon: "fas fa-cogs" 126 | items: 127 | - 
name: "Elastic Rules" 128 | logo: "/assets/icons/attck.png" 129 | tag: "site" 130 | tagstyle: "is-success" 131 | url: "https://ela.st/detection-rules-navigator" 132 | target: "_blank" # optional html a tag target attribute 133 | 134 | 135 | - name: "SIRP" 136 | icon: "fas fa-sitemap" 137 | items: 138 | - name: "Velociraptor" 139 | logo: "/assets/icons/velociraptor.png" 140 | tag: "app" 141 | url: "https://s1em_hostname/velociraptor/" 142 | target: "_blank" # optional html a tag target attribute 143 | - name: "Zircolite" 144 | logo: "/assets/icons/zircolite.png" 145 | tag: "app" 146 | url: "https://s1em_hostname/kibana/app/dashboards#/view/832a98e0-9ef0-11ed-bedc-f9813e7df557" 147 | target: "_blank" # optional html a tag target attribute 148 | - name: "TheHive" 149 | logo: "/assets/icons/thehive.png" 150 | tag: "app" 151 | url: "https://s1em_hostname/thehive" 152 | target: "_blank" # optional html a tag target attribute 153 | - name: "Cortex" 154 | logo: "/assets/icons/cortex.png" 155 | tag: "app" 156 | url: "https://s1em_hostname/cortex" 157 | target: "_blank" # optional html a tag target attribute 158 | 159 | - name: "TOOLS" 160 | icon: "fas fa-tools" 161 | items: 162 | - name: "CyberChef" 163 | logo: "/assets/icons/cyberchef.jpg" 164 | tag: "app" 165 | url: "https://s1em_hostname/cyberchef/" 166 | target: "_blank" # optional html a tag target attribute 167 | - name: "CodiMD" 168 | logo: "/assets/icons/codimd.jpg" 169 | tag: "app" 170 | url: "https://s1em_hostname/codimd/" 171 | target: "_blank" # optional html a tag target attribute 172 | - name: "StartMe" 173 | logo: "/assets/icons/startme.png" 174 | tag: "site" 175 | tagstyle: "is-success" 176 | url: "https://start.me/p/6r66da/cybersecurity" 177 | target: "_blank" # optional html a tag target attribute 178 | 179 | - name: "UPLOAD" 180 | icon: "fas fa-cloud-arrow-up" 181 | items: 182 | - name: "PCAP" 183 | logo: "/assets/icons/pcap.png" 184 | tag: "app" 185 | url: "https://s1em_hostname/upload/" 186 | target: 
"_blank" # optional html a tag target attribute 187 | - name: "Zircolite" 188 | logo: "/assets/icons/evtx.png" 189 | tag: "app" 190 | url: "https://s1em_hostname/zircolite/" 191 | target: "_blank" # optional html a tag target attribute 192 | - name: "Velociraptor" 193 | logo: "/assets/icons/zip.png" 194 | tag: "app" 195 | url: "https://s1em_hostname/velociraptor-upload/" 196 | target: "_blank" # optional html a tag target attribute 197 | -------------------------------------------------------------------------------- /homer/config.yml.dist: -------------------------------------------------------------------------------- 1 | --- 2 | # Homepage configuration 3 | # See https://fontawesome.com/icons for icons options 4 | 5 | title: "Demo dashboard" 6 | subtitle: "Homer" 7 | logo: "logo.png" 8 | # icon: "fas fa-skull-crossbones" # Optional icon 9 | 10 | header: true 11 | footer: '

Created with ❤️ with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. 12 | 13 | # Optional theme customization 14 | theme: default 15 | colors: 16 | light: 17 | highlight-primary: "#3367d6" 18 | highlight-secondary: "#4285f4" 19 | highlight-hover: "#5a95f5" 20 | background: "#f5f5f5" 21 | card-background: "#ffffff" 22 | text: "#363636" 23 | text-header: "#ffffff" 24 | text-title: "#303030" 25 | text-subtitle: "#424242" 26 | card-shadow: rgba(0, 0, 0, 0.1) 27 | link: "#3273dc" 28 | link-hover: "#363636" 29 | dark: 30 | highlight-primary: "#3367d6" 31 | highlight-secondary: "#4285f4" 32 | highlight-hover: "#5a95f5" 33 | background: "#131313" 34 | card-background: "#2b2b2b" 35 | text: "#eaeaea" 36 | text-header: "#ffffff" 37 | text-title: "#fafafa" 38 | text-subtitle: "#f5f5f5" 39 | card-shadow: rgba(0, 0, 0, 0.4) 40 | link: "#3273dc" 41 | link-hover: "#ffdd57" 42 | 43 | # Optional message 44 | message: 45 | #url: https://b4bz.io 46 | style: "is-dark" # See https://bulma.io/documentation/components/message/#colors for styling options. 47 | title: "Demo !" 48 | icon: "fa fa-grin" 49 | content: "This is a dummy homepage demo.
Find more information on github.com/bastienwirtz/homer" 50 | 51 | # Optional navbar 52 | # links: [] # Allows for navbar (dark mode, layout, and search) without any links 53 | links: 54 | - name: "Contribute" 55 | icon: "fab fa-github" 56 | url: "https://github.com/bastienwirtz/homer" 57 | target: "_blank" # optional html a tag target attribute 58 | - name: "Wiki" 59 | icon: "fas fa-book" 60 | url: "https://www.wikipedia.org/" 61 | # this will link to a second homer page that will load config from additional-page.yml and keep default config values as in config.yml file 62 | # see url field and assets/additional-page.yml.dist used in this example: 63 | - name: "another page!" 64 | icon: "fas fa-file-alt" 65 | url: "#additional-page" 66 | 67 | # Services 68 | # First level array represent a group. 69 | # Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed). 70 | services: 71 | - name: "Applications" 72 | icon: "fas fa-cloud" 73 | items: 74 | - name: "Awesome app" 75 | logo: "assets/tools/sample.png" 76 | subtitle: "Bookmark example" 77 | tag: "app" 78 | url: "https://www.reddit.com/r/selfhosted/" 79 | target: "_blank" # optional html a tag target attribute 80 | - name: "Another one" 81 | logo: "assets/tools/sample2.png" 82 | subtitle: "Another application" 83 | tag: "app" 84 | url: "#" 85 | -------------------------------------------------------------------------------- /homer/config.yml.dist.sample-sui: -------------------------------------------------------------------------------- 1 | --- 2 | # Homepage configuration 3 | # See https://fontawesome.com/icons for icons options 4 | 5 | title: "Hello beautiful!" 
6 | subtitle: "App dashboard" 7 | logo: false 8 | # icon: "fas fa-skull-crossbones" Optional icon 9 | 10 | header: true 11 | 12 | # Optional theme customization 13 | theme: sui 14 | colors: 15 | light: 16 | highlight-primary: transparent 17 | highlight-secondary: transparent 18 | highlight-hover: "#4a4a4a" 19 | text-subtitle: "#424242" 20 | dark: 21 | background: "#2B2C56" 22 | highlight-primary: transparent 23 | highlight-secondary: transparent 24 | highlight-hover: "#200b35" 25 | text-subtitle: "#6375e8" 26 | 27 | # Optional navbar 28 | # links: [] # Allows for navbar (dark mode, layout, and search) without any links 29 | links: [] 30 | 31 | # Services 32 | # First level array represent a group. 33 | # Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed). 34 | services: 35 | - name: "APPLICATIONS" 36 | items: 37 | - name: "Jenkins" 38 | logo: "assets/tools/jenkins.png" 39 | subtitle: "Continuous integration server" 40 | url: "https://jenkins.io/" 41 | - name: "RabbitMQ Management" 42 | logo: "assets/tools/rabbitmq.png" 43 | subtitle: "Manage & monitor RabbitMQ server" 44 | # Optional tagstyle 45 | # Same styling options as the optional message. 
46 | tagstyle: "is-success" 47 | url: "https://www.rabbitmq.com/" 48 | - name: "M/Monit" 49 | logo: "assets/tools/monit.png" 50 | subtitle: "Monitor & manage all monit enabled hosts" 51 | url: "https://mmonit.com/monit/" 52 | - name: "Grafana" 53 | logo: "assets/tools/grafana.png" 54 | subtitle: "Metric analytics & dashboards" 55 | url: "https://grafana.com/" 56 | - name: "Kibana" 57 | logo: "assets/tools/elastic.png" 58 | subtitle: "Explore & visualize logs" 59 | url: "https://www.elastic.co/products/kibana" 60 | - name: "Website monitoring" 61 | logo: "assets/tools/pingdom.png" 62 | subtitle: "Pingdom public reports overview" 63 | tag: "CI" 64 | url: "https://www.pingdom.com/" 65 | -------------------------------------------------------------------------------- /homer/custom.css.sample: -------------------------------------------------------------------------------- 1 | @charset "UTF-8"; 2 | 3 | /* Custom card colors */ 4 | /* Use with `class:` property of services in config.yml */ 5 | body #app .card.green { 6 | background-color: #006600; 7 | color: #00ff00; 8 | } 9 | -------------------------------------------------------------------------------- /homer/icons/arkime.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/arkime.png -------------------------------------------------------------------------------- /homer/icons/assemblyline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/assemblyline.png -------------------------------------------------------------------------------- /homer/icons/attck.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/attck.png 
-------------------------------------------------------------------------------- /homer/icons/codimd.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/codimd.jpg -------------------------------------------------------------------------------- /homer/icons/cortex.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/cortex.png -------------------------------------------------------------------------------- /homer/icons/cyberchef.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/cyberchef.jpg -------------------------------------------------------------------------------- /homer/icons/evtx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/evtx.png -------------------------------------------------------------------------------- /homer/icons/favicon-16x16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/favicon-16x16.png -------------------------------------------------------------------------------- /homer/icons/favicon-32x32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/favicon-32x32.png -------------------------------------------------------------------------------- /homer/icons/icon-any.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/icon-any.png -------------------------------------------------------------------------------- /homer/icons/icon-any.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /homer/icons/icon-maskable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/icon-maskable.png -------------------------------------------------------------------------------- /homer/icons/kibana-security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/kibana-security.png -------------------------------------------------------------------------------- /homer/icons/kibana.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/kibana.png -------------------------------------------------------------------------------- /homer/icons/misp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/misp.png -------------------------------------------------------------------------------- /homer/icons/mwdb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/mwdb.png -------------------------------------------------------------------------------- /homer/icons/n8n.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/n8n.png -------------------------------------------------------------------------------- /homer/icons/opencti.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/opencti.png -------------------------------------------------------------------------------- /homer/icons/pcap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/pcap.png -------------------------------------------------------------------------------- /homer/icons/s1em.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/s1em.ico -------------------------------------------------------------------------------- /homer/icons/s1em.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/s1em.png -------------------------------------------------------------------------------- /homer/icons/safari-pinned-tab.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /homer/icons/spiderfoot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/spiderfoot.png -------------------------------------------------------------------------------- /homer/icons/startme.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/startme.png -------------------------------------------------------------------------------- /homer/icons/thehive.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/thehive.png -------------------------------------------------------------------------------- /homer/icons/velociraptor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/velociraptor.png -------------------------------------------------------------------------------- /homer/icons/zip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/zip.png -------------------------------------------------------------------------------- /homer/icons/zircolite.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/icons/zircolite.png -------------------------------------------------------------------------------- /homer/manifest.json: -------------------------------------------------------------------------------- 1 | {"name":"Homer 
Dashboard","short_name":"Homer","theme_color":"#3367D6","icons":[{"src":"./icons/favicon-16x16.png","sizes":"16x16","type":"image/png"},{"src":"./icons/favicon-32x32.png","sizes":"32x32","type":"image/png"},{"src":"./icons/icon-any.png","sizes":"512x512","type":"image/png","purpose":"any"},{"src":"./icons/icon-any.svg","sizes":"any","type":"image/svg+xml","purpose":"any"},{"src":"./icons/icon-maskable.png","sizes":"512x512","type":"image/png","purpose":"maskable"},{"src":"./icons/safari-pinned-tab.svg","sizes":"any","type":"image/svg+xml","purpose":"monochrome"}],"start_url":"../","display":"standalone","background_color":"#000000"} -------------------------------------------------------------------------------- /homer/tools/sample.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/tools/sample.png -------------------------------------------------------------------------------- /homer/tools/sample2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/homer/tools/sample2.png -------------------------------------------------------------------------------- /instances-multi.yml: -------------------------------------------------------------------------------- 1 | instances: 2 | - name: es01 3 | dns: 4 | - es01 5 | - name: es02 6 | dns: 7 | - es02 8 | - name: es03 9 | dns: 10 | - es03 11 | - name: kibana 12 | dns: 13 | - kibana 14 | - name: metricbeat 15 | dns: 16 | - metricbeat 17 | - name: logstash 18 | dns: 19 | - logstash 20 | - name: filebeat 21 | dns: 22 | - filebeat 23 | - name: auditbeat 24 | dns: 25 | - auditbeat 26 | - name: cortex 27 | dns: 28 | - cortex 29 | - name: elastalert 30 | dns: 31 | - elastalert 32 | - name: traefik 33 | dns: 34 | - traefik 35 | - name: arkime 36 | dns: 37 | - arkime 38 | - name: opencti 39 
| dns: 40 | - opencti 41 | - name: heartbeat 42 | dns: 43 | - heartbeat 44 | - name: fleet-server 45 | dns: 46 | - fleet-server 47 | ip: 48 | - administrationip 49 | - 127.0.0.1 50 | -------------------------------------------------------------------------------- /instances-single.yml: -------------------------------------------------------------------------------- 1 | instances: 2 | - name: es01 3 | dns: 4 | - es01 5 | - name: kibana 6 | dns: 7 | - kibana 8 | - name: metricbeat 9 | dns: 10 | - metricbeat 11 | - name: logstash 12 | dns: 13 | - logstash 14 | - name: filebeat 15 | dns: 16 | - filebeat 17 | - name: auditbeat 18 | dns: 19 | - auditbeat 20 | - name: cortex 21 | dns: 22 | - cortex 23 | - name: elastalert 24 | dns: 25 | - elastalert 26 | - name: traefik 27 | dns: 28 | - traefik 29 | - name: arkime 30 | dns: 31 | - arkime 32 | - name: opencti 33 | dns: 34 | - opencti 35 | - name: heartbeat 36 | dns: 37 | - heartbeat 38 | - name: fleet-server 39 | dns: 40 | - fleet-server 41 | ip: 42 | - administrationip 43 | - 127.0.0.1 44 | -------------------------------------------------------------------------------- /kibana/index/cortex.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"createdAt","title":"cortex*"},"coreMigrationVersion":"7.12.1","id":"cortex*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-05-26T15:52:39.743Z","version":"WzczNDUwNSw0XQ=="} 2 | -------------------------------------------------------------------------------- /kibana/index/signal.ndjson: -------------------------------------------------------------------------------- 1 | 
{"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":".siem-signals-default"},"coreMigrationVersion":"7.12.1","id":".siem-signals-default","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-05-26T15:55:33.183Z","version":"WzczNTk5MCw0XQ=="} 2 | {"exportedCount":1,"missingRefCount":0,"missingReferences":[]} -------------------------------------------------------------------------------- /kibana/index/zircolite.ndjson: -------------------------------------------------------------------------------- 1 | {"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"SystemTime","title":"zircolite-*","typeMeta":"{}"},"coreMigrationVersion":"7.17.8","id":"zircolite-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2023-01-27T20:54:14.611Z","version":"WzM4ODgsNF0="} 2 | {"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":1,"missingRefCount":0,"missingReferences":[]} -------------------------------------------------------------------------------- /kibana/kibana.yml: -------------------------------------------------------------------------------- 1 | server.port: 5601 2 | server.host: "0.0.0.0" 3 | server.basePath: "/kibana" 4 | server.rewriteBasePath: true 5 | elasticsearch.hosts: ["https://es01:9200"] 6 | elasticsearch.username: elastic 7 | elasticsearch.password: changeme # NOTE(review): placeholder credential — presumably substituted by the deploy step; confirm it is never left as-is on a reachable instance 8 | xpack.fleet.agents.tlsCheckDisabled: true # NOTE(review): presumably relaxes Fleet's requirement that Kibana be served over TLS; server.ssl.enabled is true below, so confirm this override is still needed 9 | xpack.security.encryptionKey: 'kibana_api_key' # NOTE(review): the same placeholder is reused for all three encryption keys below; confirm the deploy step replaces each with its own random value of at least 32 characters 10 | xpack.reporting.encryptionKey: 'kibana_api_key' 11 | xpack.encryptedSavedObjects.encryptionKey: 'kibana_api_key' 12 | data.autocomplete.valueSuggestions.terminateAfter: 10000000 13 | elasticsearch.ssl.certificateAuthorities: "/usr/share/certificates/ca/ca.crt" 14 | server.ssl.enabled: true 15 | server.ssl.certificate: "/usr/share/certificates/kibana/kibana.crt" 16 | server.ssl.key: 
"/usr/share/certificates/kibana/kibana.key" 17 | telemetry.enabled: false 18 | newsfeed.enabled: false 19 | monitoring.kibana.collection.enabled: true 20 | elasticsearch.requestTimeout: 180000 21 | elasticsearch.shardTimeout: 180000 22 | monitoring.ui.enabled: true 23 | 24 | 25 | -------------------------------------------------------------------------------- /kibana/node.options: -------------------------------------------------------------------------------- 1 | ## Node command line options 2 | ## See `node --help` and `node --v8-options` for available options 3 | ## Please note you should specify one option per line 4 | 5 | ## max size of old space in megabytes 6 | --max-old-space-size=2048 7 | -------------------------------------------------------------------------------- /logstash/config/jvm.options: -------------------------------------------------------------------------------- 1 | ## JVM configuration 2 | 3 | # Xms represents the initial size of total heap space 4 | # Xmx represents the maximum size of total heap space 5 | 6 | -Xms1g 7 | -Xmx1g 8 | 9 | ################################################################ 10 | ## Expert settings 11 | ################################################################ 12 | ## 13 | ## All settings below this section are considered 14 | ## expert settings. 
Don't tamper with them unless 15 | ## you understand what you are doing 16 | ## 17 | ################################################################ 18 | 19 | ## GC configuration 20 | #8-13:-XX:+UseConcMarkSweepGC 21 | #8-13:-XX:CMSInitiatingOccupancyFraction=75 22 | #8-13:-XX:+UseCMSInitiatingOccupancyOnly 23 | 24 | ## Locale 25 | # Set the locale language 26 | #-Duser.language=en 27 | 28 | # Set the locale country 29 | #-Duser.country=US 30 | 31 | # Set the locale variant, if any 32 | #-Duser.variant= 33 | 34 | ## basic 35 | 36 | # set the I/O temp directory 37 | #-Djava.io.tmpdir=$HOME 38 | 39 | # set to headless, just in case 40 | -Djava.awt.headless=true 41 | 42 | # ensure UTF-8 encoding by default (e.g. filenames) 43 | -Dfile.encoding=UTF-8 44 | 45 | # use our provided JNA always versus the system one 46 | #-Djna.nosys=true 47 | 48 | # Turn on JRuby invokedynamic 49 | -Djruby.compile.invokedynamic=true 50 | # Force Compilation 51 | -Djruby.jit.threshold=0 52 | # Make sure joni regexp interruptability is enabled 53 | -Djruby.regexp.interruptible=true 54 | 55 | ## heap dumps 56 | 57 | # generate a heap dump when an allocation from the Java heap fails 58 | # heap dumps are created in the working directory of the JVM 59 | #-XX:+HeapDumpOnOutOfMemoryError 60 | 61 | # specify an alternative path for heap dumps 62 | # ensure the directory exists and has sufficient space 63 | #-XX:HeapDumpPath=${LOGSTASH_HOME}/heapdump.hprof 64 | 65 | ## GC logging 66 | #-XX:+PrintGCDetails 67 | #-XX:+PrintGCTimeStamps 68 | #-XX:+PrintGCDateStamps 69 | #-XX:+PrintClassHistogram 70 | #-XX:+PrintTenuringDistribution 71 | #-XX:+PrintGCApplicationStoppedTime 72 | 73 | # log GC status to a file with time stamps 74 | # ensure the directory exists 75 | #-Xloggc:${LS_GC_LOG_FILE} 76 | 77 | # Entropy source for randomness 78 | -Djava.security.egd=file:/dev/urandom 79 | 80 | # Copy the logging context from parent threads to children 81 | -Dlog4j2.isThreadContextMapInheritable=true 82 | 
-------------------------------------------------------------------------------- /logstash/config/logstash.yml: -------------------------------------------------------------------------------- 1 | http.host: "0.0.0.0" 2 | xpack.monitoring.elasticsearch.hosts: ["https://es01:9200"] 3 | xpack.monitoring.elasticsearch.username: "elastic" 4 | xpack.monitoring.elasticsearch.password: "changeme" 5 | xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/certificates/ca/ca.crt 6 | xpack.monitoring.enabled: true 7 | config.reload.automatic: true 8 | config.reload.interval: 30s 9 | -------------------------------------------------------------------------------- /logstash/config/pipelines.yml: -------------------------------------------------------------------------------- 1 | - pipeline.id: beats 2 | path.config: "/usr/share/logstash/pipeline/beats/*.conf" 3 | pipeline.workers: 3 4 | - pipeline.id: zircolite 5 | path.config: "/usr/share/logstash/pipeline/zircolite/*.conf" 6 | pipeline.workers: 3 7 | -------------------------------------------------------------------------------- /logstash/pipeline/beats/100_input_beats.conf: -------------------------------------------------------------------------------- 1 | input { 2 | beats { 3 | port => 5044 4 | ecs_compatibility => "v1" 5 | } 6 | } 7 | 8 | -------------------------------------------------------------------------------- /logstash/pipeline/beats/300_output_beats.conf: -------------------------------------------------------------------------------- 1 | output { 2 | if [agent][type] == "winlogbeat" { 3 | elasticsearch { 4 | hosts => ["https://es01:9200"] 5 | template => "/usr/share/logstash/templates/winlogbeat" 6 | template_name => "winlogbeat" 7 | ilm_enabled => true 8 | ilm_policy => "ILM" 9 | ilm_pattern => "{now/d}-000001" 10 | ilm_rollover_alias => "%{[@metadata][beat]}-%{[@metadata][version]}" 11 | template_overwrite => true 12 | user => "elastic" 13 | password => "changeme" 14 | cacert => 
"/usr/share/certificates/ca/ca.crt" 15 | ssl => true 16 | } 17 | } 18 | } 19 | output { 20 | if [agent][type] == "metricbeat" { 21 | elasticsearch { 22 | hosts => ["https://es01:9200"] 23 | document_type => "%{[@metadata][type]}" 24 | manage_template => false 25 | ilm_enabled => true 26 | ilm_policy => "ILM" 27 | ilm_pattern => "{now/d}-000001" 28 | ilm_rollover_alias => "%{[@metadata][beat]}-%{[@metadata][version]}" 29 | user => "elastic" 30 | password => "changeme" 31 | cacert => "/usr/share/certificates/ca/ca.crt" 32 | ssl => true 33 | } 34 | } 35 | } 36 | output { 37 | if [agent][type] == "auditbeat" { 38 | elasticsearch { 39 | hosts => ["https://es01:9200"] 40 | document_type => "%{[@metadata][type]}" 41 | manage_template => false 42 | ilm_enabled => true 43 | ilm_policy => "ILM" 44 | ilm_pattern => "{now/d}-000001" 45 | ilm_rollover_alias => "%{[@metadata][beat]}-%{[@metadata][version]}" 46 | user => "elastic" 47 | password => "changeme" 48 | cacert => "/usr/share/certificates/ca/ca.crt" 49 | ssl => true 50 | } 51 | } 52 | } 53 | output { 54 | if [agent][type] == "filebeat" { 55 | elasticsearch { 56 | hosts => ["https://es01:9200"] 57 | document_type => "%{[@metadata][type]}" 58 | pipeline => "%{[@metadata][pipeline]}" 59 | manage_template => false 60 | ilm_enabled => true 61 | ilm_policy => "ILM" 62 | ilm_pattern => "{now/d}-000001" 63 | ilm_rollover_alias => "%{[@metadata][beat]}-%{[@metadata][version]}" 64 | user => "elastic" 65 | password => "changeme" 66 | cacert => "/usr/share/certificates/ca/ca.crt" 67 | ssl => true 68 | } 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /logstash/pipeline/zircolite/100_input_zircolite.conf: -------------------------------------------------------------------------------- 1 | input { 2 | file { 3 | mode => "read" 4 | path => ["/usr/share/logstash/zircolite/*.json"] 5 | codec => "json" 6 | sincedb_path => "/dev/null" 7 | file_completed_action => "delete" 8 | 
file_chunk_size => "131072" 9 | } 10 | } -------------------------------------------------------------------------------- /logstash/pipeline/zircolite/200_filter_zircolite.conf: -------------------------------------------------------------------------------- 1 | filter { 2 | } 3 | -------------------------------------------------------------------------------- /logstash/pipeline/zircolite/300_output_zircolite.conf: -------------------------------------------------------------------------------- 1 | output { 2 | elasticsearch { 3 | index => "zircolite-%{+YYYY.MM.dd}" 4 | hosts => ["https://es01:9200"] 5 | user => "elastic" 6 | password => "changeme" 7 | cacert => "/usr/share/certificates/ca/ca.crt" 8 | ssl => true 9 | } 10 | } -------------------------------------------------------------------------------- /metricbeat/ilm.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": { 3 | "phases": { 4 | "hot": { 5 | "min_age": "0ms", 6 | "actions": { 7 | "rollover": { 8 | "max_primary_shard_size": "50gb", 9 | "max_age": "1d" 10 | }, 11 | "set_priority": { 12 | "priority": 100 13 | } 14 | } 15 | }, 16 | "warm": { 17 | "min_age": "1d", 18 | "actions": { 19 | "readonly": {}, 20 | "set_priority": { 21 | "priority": 50 22 | } 23 | } 24 | }, 25 | "cold": { 26 | "min_age": "15d", 27 | "actions": { 28 | "readonly": {}, 29 | "set_priority": { 30 | "priority": 0 31 | } 32 | } 33 | } 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /metricbeat/metricbeat-multi.yml: -------------------------------------------------------------------------------- 1 | metricbeat.config.modules: 2 | path: ${path.config}/modules.d/*.yml 3 | reload.enabled: true 4 | 5 | processors: 6 | - add_host_metadata: ~ 7 | 8 | http.enabled: true 9 | http.host: 0.0.0.0 10 | monitoring.enabled: false 11 | setup.kibana.host: "https://kibana:5601/kibana" 12 | setup.kibana.ssl.enabled: true 13 | 
setup.kibana.ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 14 | setup.kibana.ssl.certificate: "/usr/share/certificates/kibana/kibana.crt" 15 | setup.kibana.ssl.key: "/usr/share/certificates/kibana/kibana.key" 16 | setup.ilm.enabled: true 17 | setup.ilm.policy_name: "ILM" 18 | setup.ilm.policy_file: "/usr/share/metricbeat/ilm.json" 19 | setup.ilm_pattern: "{now/d}-000001" 20 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 21 | setup.dashboards.enabled: true 22 | setup.template.overwrite: true 23 | setup.template.settings: 24 | index: 25 | refresh_interval: 30s 26 | mapping: 27 | total_fields: 28 | limit: 8192 29 | 30 | output.elasticsearch: 31 | hosts: ["https://es01:9200"] 32 | username: "elastic" 33 | password: "changeme" 34 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 35 | ssl.certificate: "/usr/share/certificates/metricbeat/metricbeat.crt" 36 | ssl.key: "/usr/share/certificates/metricbeat/metricbeat.key" 37 | 38 | 39 | -------------------------------------------------------------------------------- /metricbeat/metricbeat-single.yml: -------------------------------------------------------------------------------- 1 | metricbeat.config.modules: 2 | path: ${path.config}/modules.d/*.yml 3 | reload.enabled: true 4 | 5 | processors: 6 | - add_host_metadata: ~ 7 | 8 | http.enabled: true 9 | http.host: 0.0.0.0 10 | monitoring.enabled: false 11 | setup.kibana.host: "https://kibana:5601/kibana" 12 | setup.kibana.ssl.enabled: true 13 | setup.kibana.ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 14 | setup.kibana.ssl.certificate: "/usr/share/certificates/kibana/kibana.crt" 15 | setup.kibana.ssl.key: "/usr/share/certificates/kibana/kibana.key" 16 | setup.ilm.enabled: true 17 | setup.ilm.policy_name: "ILM" 18 | setup.ilm.policy_file: "/usr/share/metricbeat/ilm.json" 19 | setup.ilm_pattern: "{now/d}-000001" 20 | setup.ilm_rollover_alias: "%{[@metadata][beat]}-%{[@metadata][version]}" 21 | 
setup.dashboards.enabled: true 22 | setup.template.overwrite: true 23 | setup.template.settings: 24 | index: 25 | number_of_replicas: 0 26 | refresh_interval: 30s 27 | mapping: 28 | total_fields: 29 | limit: 8192 30 | 31 | output.elasticsearch: 32 | hosts: ["https://es01:9200"] 33 | username: "elastic" 34 | password: "changeme" 35 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 36 | ssl.certificate: "/usr/share/certificates/metricbeat/metricbeat.crt" 37 | ssl.key: "/usr/share/certificates/metricbeat/metricbeat.key" 38 | 39 | 40 | -------------------------------------------------------------------------------- /metricbeat/modules.d/beats-xpack.yml: -------------------------------------------------------------------------------- 1 | - module: beat 2 | metricsets: 3 | - stats 4 | - state 5 | period: 10s 6 | hosts: ["http://metricbeat:5066","http://auditbeat:5066","http://heartbeat:5066","http://filebeat:5066"] 7 | xpack.enabled: true 8 | 9 | 10 | -------------------------------------------------------------------------------- /metricbeat/modules.d/docker.yml: -------------------------------------------------------------------------------- 1 | 2 | - module: docker 3 | metricsets: 4 | - container 5 | - cpu 6 | - diskio 7 | - event 8 | - healthcheck 9 | - info 10 | - memory 11 | - network 12 | period: 60s 13 | hosts: ["unix:///var/run/docker.sock"] 14 | 15 | -------------------------------------------------------------------------------- /metricbeat/modules.d/elasticsearch-xpack.yml: -------------------------------------------------------------------------------- 1 | # Module: elasticsearch 2 | # Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.x/metricbeat-module-elasticsearch.html 3 | 4 | - module: elasticsearch 5 | xpack.enabled: true 6 | period: 60s 7 | hosts: ["https://es01:9200"] 8 | username: "elastic" 9 | password: "changeme" 10 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 11 | ssl.certificate: 
"/usr/share/certificates/metricbeat/metricbeat.crt" 12 | ssl.key: "/usr/share/certificates/metricbeat/metricbeat.key" 13 | 14 | 15 | -------------------------------------------------------------------------------- /metricbeat/modules.d/kibana-xpack.yml: -------------------------------------------------------------------------------- 1 | # Module: kibana 2 | # Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.x/metricbeat-module-kibana.html 3 | 4 | - module: kibana 5 | xpack.enabled: true 6 | period: 60s 7 | hosts: ["https://kibana:5601"] 8 | basepath: "/kibana" 9 | username: "elastic" 10 | password: "changeme" 11 | ssl.certificate_authorities: "/usr/share/certificates/ca/ca.crt" 12 | ssl.certificate: "/usr/share/certificates/metricbeat/metricbeat.crt" 13 | ssl.key: "/usr/share/certificates/metricbeat/metricbeat.key" 14 | 15 | -------------------------------------------------------------------------------- /metricbeat/modules.d/logstash-xpack.yml: -------------------------------------------------------------------------------- 1 | # Module: logstash 2 | # Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.13/metricbeat-module-logstash.html 3 | 4 | - module: logstash 5 | xpack.enabled: true 6 | period: 60s 7 | hosts: ["logstash:9600"] 8 | metricsets: 9 | - node 10 | - node_stats 11 | -------------------------------------------------------------------------------- /metricbeat/modules.d/rabbitmq.yml: -------------------------------------------------------------------------------- 1 | # Module: rabbitmq 2 | # Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.x/metricbeat-module-rabbitmq.html 3 | 4 | - module: rabbitmq 5 | metricsets: 6 | - node 7 | - queue 8 | - connection 9 | period: 60s 10 | hosts: ["rabbitmq:15672"] 11 | username: guest 12 | password: guest 13 | -------------------------------------------------------------------------------- /metricbeat/modules.d/redis.yml: 
-------------------------------------------------------------------------------- 1 | # Module: redis 2 | # Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.x/metricbeat-module-redis.html 3 | 4 | - module: redis 5 | metricsets: 6 | - info 7 | - keyspace 8 | period: 60s 9 | 10 | # Redis hosts 11 | hosts: ["redis:6379"] 12 | 13 | # Network type to be used for redis connection. Default: tcp 14 | #network: tcp 15 | 16 | # Max number of concurrent connections. Default: 10 17 | #maxconn: 10 18 | 19 | # Redis AUTH password. Empty by default. 20 | #password: foobared 21 | -------------------------------------------------------------------------------- /misp/config.php: -------------------------------------------------------------------------------- 1 | 0, 4 | 'MISP' => 5 | array ( 6 | 'baseurl' => 'https://s1em_hostname/misp', 7 | 'external_baseurl' => 'https://s1em_hostname/misp', 8 | 'live' => true, 9 | 'language' => 'eng', 10 | 'footermidleft' => '', 11 | 'footermidright' => '', 12 | 'org' => 'CYBER', 13 | 'showorg' => true, 14 | 'threatlevel_in_email_subject' => true, 15 | 'email_subject_TLP_string' => 'tlp:amber', 16 | 'email_subject_tag' => 'tlp', 17 | 'email_subject_include_tag_name' => true, 18 | 'background_jobs' => true, 19 | 'cached_attachments' => true, 20 | 'osuser' => 'www-data', 21 | 'email' => 'email@address.com', 22 | 'contact' => 'email@address.com', 23 | 'cveurl' => 'https://cve.circl.lu/cve/', 24 | 'cweurl' => 'https://cve.circl.lu/cwe/', 25 | 'disablerestalert' => false, 26 | 'default_event_distribution' => '1', 27 | 'default_attribute_distribution' => 'event', 28 | 'tagging' => true, 29 | 'full_tags_on_event_index' => true, 30 | 'attribute_tagging' => true, 31 | 'full_tags_on_attribute_index' => true, 32 | 'footer_logo' => '', 33 | 'take_ownership_xml_import' => false, 34 | 'unpublishedprivate' => false, 35 | 'disable_emailing' => false, 36 | 'manage_workers' => true, 37 | 'Attributes_Values_Filter_In_Event' => 'id, uuid, value, comment, type, 
category, Tag.name', 38 | 'redis_host' => 'redis', 39 | 'python_bin' => '/usr/bin/python3', 40 | 'uuid' => '37427cf4-0c03-4516-81dd-af7bec85348b', 41 | 'host_org_id' => 1, 42 | 'default_event_tag_collection' => 0, 43 | 'proposals_block_attributes' => false, 44 | 'tmpdir' => '/tmp', 45 | ), 46 | 'GnuPG' => 47 | array ( 48 | 'onlyencrypted' => false, 49 | 'email' => '', 50 | 'homedir' => '', 51 | 'password' => '', 52 | 'bodyonlyencrypted' => false, 53 | 'sign' => true, 54 | 'obscure_subject' => false, 55 | ), 56 | 'SMIME' => 57 | array ( 58 | 'enabled' => false, 59 | 'email' => '', 60 | 'cert_public_sign' => '', 61 | 'key_sign' => '', 62 | 'password' => '', 63 | ), 64 | 'Proxy' => 65 | array ( 66 | 'host' => '', 67 | 'port' => '', 68 | 'method' => '', 69 | 'user' => '', 70 | 'password' => '', 71 | ), 72 | 'SecureAuth' => 73 | array ( 74 | 'amount' => 5, 75 | 'expire' => 300, 76 | ), 77 | 'Security' => 78 | array ( 79 | 'level' => 'medium', 80 | 'salt' => 'sJh2/ss7s%RkLH4LpJezMUi?#Y=4Qi3d', // NOTE(review): fixed salt checked into the repository, shared by every deployment built from this tree unless a deploy step replaces it — confirm 81 | 'cipherSeed' => '', 82 | 'require_password_confirmation' => true, 83 | 'advanced_authkeys' => false, 84 | 'csp_enforce' => false, // NOTE(review): CSP is not enforced here — presumably report-only; confirm against the MISP documentation 85 | 'password_policy_length' => 1, // NOTE(review): minimum password length of a single character 86 | 'password_policy_complexity' => '/^((?=.*\\d)|(?=.*\\W+))(?![\\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{1,}/', // NOTE(review): the last alternative ".{1,}" is unanchored and matches any non-empty string, so the character-class requirements before it are never enforced — confirm this is intended 87 | ), 88 | 'Session.defaults' => 'php', 89 | 'Session.timeout' => 60, 90 | 'Session.cookieTimeout' => 60, 91 | 'Session.autoRegenerate' => false, 92 | 'Session.checkAgent' => false, // NOTE(review): session is not bound to the client User-Agent — presumably deliberate for API clients; confirm 93 | 'site_admin_debug' => NULL, 94 | 'Plugin' => 95 | array ( 96 | 'ZeroMQ_redis_host' => 'redis', 97 | 'ZeroMQ_enable' => true, 98 | 'Enrichment_services_enable' => true, 99 | 'Enrichment_services_url' => 'http://misp-modules', 100 | 'Import_services_enable' => true, 101 | 'Import_services_url' => 'http://misp-modules', 102 | 'Export_services_enable' => true, 103 | 'Export_services_url' => 'http://misp-modules', 104 | 'Cortex_services_enable' => false, 105 | ), 106 | 'CertAuth' => NULL, 107 | 'ApacheShibbAuth' => NULL, 108 | 
'ApacheSecureAuth' => NULL, 109 | 'OidcAuth' => NULL, 110 | ); -------------------------------------------------------------------------------- /mwdb/gen_vars.sh: -------------------------------------------------------------------------------- 
#!/bin/sh
# Generate the initial mwdb secrets and write them to ./mwdb/mwdb-vars.env and
# ./mwdb/postgres-vars.env (paths are relative to the current directory, so run
# this from the repository root).
#
# Usage: gen_vars.sh [raw|test]
#   (no argument)  print a human-readable banner with the admin credentials
#   raw            print only the admin password, without a trailing newline
#   test           print the banner, and also disable hooks and rate limiting
#
# The env files hold live credentials: they are created with the caller's umask,
# so keep them out of version control and readable only by the deploying user.
# NOTE(review): postgres/databases.sh and mwdb/karton.ini in this tree carry
# fixed placeholder passwords ('mwdb_postgres', 'mwdb_password') that do not
# match the values generated here — presumably substituted by the deploy
# scripts; verify before relying on either.

MWDB_ENV=./mwdb/mwdb-vars.env
PG_ENV=./mwdb/postgres-vars.env

# 18 random bytes from /dev/urandom, rendered as 36 lowercase hex characters.
rand_hex() {
    od -vN 18 -An -tx1 /dev/urandom | tr -d " \n"
}

ADMIN_PASSWORD=$(rand_hex)
POSTGRES_PASSWORD=$(rand_hex)
SECRET_KEY=$(rand_hex)

# Base mwdb configuration; the mode-specific flags are appended further down.
cat > "$MWDB_ENV" <<EOF
MWDB_REDIS_URI=redis://redis/
MWDB_POSTGRES_URI=postgresql://mwdb:$POSTGRES_PASSWORD@postgres/mwdb
MWDB_SECRET_KEY=$SECRET_KEY
MWDB_ADMIN_LOGIN=admin
MWDB_ADMIN_EMAIL=admin@localhost
MWDB_ADMIN_PASSWORD=$ADMIN_PASSWORD
MWDB_BASE_URL=http://127.0.0.1
EOF

case "$1" in
    raw)
        # Machine-readable output: the password only, no trailing newline.
        echo -n "$ADMIN_PASSWORD"
        ;;
    *)
        cat <<EOF
Credentials for initial mwdb account:

-----------------------------------------
Admin login: admin
Admin password: $ADMIN_PASSWORD
-----------------------------------------

Please be aware that initial account will be only set up on the first run. If you already have a database with at least one user, then this setting will be ignored for security reasons. You can always create an admin account manually by executing a command. See "flask create_admin --help" for reference.
EOF
        ;;
esac

# Mode-specific flags; "test" relaxes hooks and rate limiting, anything else
# keeps rate limiting on and self-registration off.
if [ "$1" = "test" ]; then
    printf '%s\n' "MWDB_ENABLE_HOOKS=0" "MWDB_ENABLE_RATE_LIMIT=0" >> "$MWDB_ENV"
else
    printf '%s\n' "MWDB_ENABLE_RATE_LIMIT=1" "MWDB_ENABLE_REGISTRATION=0" >> "$MWDB_ENV"
fi
echo "UWSGI_PROCESSES=4" >> "$MWDB_ENV"

# Credentials consumed by the postgres container; must agree with the
# MWDB_POSTGRES_URI written above.
cat > "$PG_ENV" <<EOF
POSTGRES_USER=mwdb
POSTGRES_DB=mwdb
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
EOF
 -------------------------------------------------------------------------------- /mwdb/karton.ini: -------------------------------------------------------------------------------- 1 | [redis] 2 | host=redis 3 | 4 | [minio] 5 | access_key = ChangeMeAccess 6 | secret_key = ChangeMeKey 7 | address = minio:9000 8 | bucket = karton 9 | secure = 0 10 | 11 | [mwdb] 12 | api_url = http://mwdb-web.:80/api/ 13 | username = admin 14 | password = mwdb_password 15 | -------------------------------------------------------------------------------- /mysql/databases.sql: -------------------------------------------------------------------------------- 1 | # create databases 2 | CREATE DATABASE IF NOT EXISTS `misp`; 3 | CREATE DATABASE IF NOT EXISTS `codimd`; 4 | 5 | CREATE USER IF NOT EXISTS 'misp'@'%' IDENTIFIED BY 'misppass'; 6 | GRANT ALL PRIVILEGES ON misp.* TO 'misp'@'%'; 7 | CREATE USER IF NOT EXISTS 'codiuser'@'%' IDENTIFIED BY 'codipass'; 8 | GRANT ALL PRIVILEGES ON codimd.* TO 'codiuser'@'%'; 9 | -------------------------------------------------------------------------------- /n8n/user.json: -------------------------------------------------------------------------------- 1 | [{"createdAt":"2023-02-26T13:07:03.478Z","updatedAt":"2023-02-26T13:07:03.441Z","id":"1","name":"The Hive 
account","data":{"ApiKey":"thehive_api_key","url":"http://thehive:9000/thehive","apiVersion":"v1","allowUnauthorizedCerts":true},"type":"theHiveApi","nodesAccess":[{"nodeType":"n8n-nodes-base.theHive","date":"2023-02-26T13:07:03.428Z"}]}] -------------------------------------------------------------------------------- /postgres/databases.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | psql -v --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL 5 | CREATE DATABASE mwdb; 6 | CREATE USER mwdb WITH PASSWORD 'mwdb_postgres'; 7 | GRANT ALL PRIVILEGES ON DATABASE mwdb TO mwdb; 8 | EOSQL 9 | -------------------------------------------------------------------------------- /replay/replay.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | /usr/bin/inotifywait -m --format '%f' -e close_write /pcap/ /evtx/ | while read FILE 4 | do 5 | if [[ "$FILE" == *".pcap" ]]; then 6 | docker exec suricata sh -c "suricata --runmode=autofp -c /etc/suricata/suricata.yaml -l /var/log/suricata -r /pcap/$FILE"; 7 | docker exec zeek sh -c "zeek -C local -r /pcap/$FILE"; 8 | rm -fr /pcap/$FILE; 9 | elif [[ "$FILE" == *".evtx" ]]; then 10 | docker run --rm --name zircolite --network instance_name_s1em -v instance_name_zircolite:/case/ docker.io/wagga40/zircolite:latest --ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite-whatever' --eslogin "${ZIRCOLITE_USER}" --espass "${ZIRCOLITE_PASSWORD}" --forwardall --remove-events --nolog; 11 | fi 12 | done; -------------------------------------------------------------------------------- /rules/elastalert/endpoint.yml: -------------------------------------------------------------------------------- 1 | alert: 2 | - debug 3 | description: Rule for thehive 4 | filter: 5 | - query_string: 6 | query: (signal.status:"acknowledged" AND 
agent.type:"endpoint" ) 7 | index: .siem-signals-default 8 | category: 9 | Detection 10 | Signal 11 | name: TheHive_Endpoint 12 | priority: 3 13 | realert: 14 | minutes: 0 15 | title: Rule for TheHive Endpoint 16 | type: any 17 | 18 | 19 | 20 | alert: hivealerter 21 | 22 | hive_alert_config: 23 | title: '{match[signal][rule][name]}' 24 | type: '{match[event][module]}' 25 | source: '{match[host][name]}' 26 | description: "`Rule description :` \n\n {match[signal][rule][description]} \n\n `Rule Query :` \n\n {match[signal][rule][query]} \n\n `Kibana link:` \n\n https://s1em.cyber.local/kibana/app/kibana#/discover?_g=(filters:!())&_a=(columns:!(_source),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'.siem-signals-default',key:_id,negate:!f,params:(query:'{match[_id]}'),type:phrase,value:'{match[_id]}'),query:(match:(_id:(query:'{match[_id]}',type:phrase))))),index:'.siem-signals-default',interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))" 27 | severity: 3 28 | tags: ['Signal', 'Detection', 'Endpoint'] 29 | tlp: 2 30 | status: 'New' 31 | follow: True 32 | 33 | hive_observable_data_mapping: 34 | - hash: "{match[hash][sha1]}" 35 | - hash: "{match[hash][md5]}" 36 | - hash: "{match[hash][sha256]}" 37 | - hash: "{match[process][hash][sha1]}" 38 | - hash: "{match[process][hash][md5]}" 39 | - hash: "{match[process][hash][sha256]}" 40 | - hash: "{match[pe][imphash]}" 41 | - domain: "{match[dns][question][name]}" 42 | - ip: "{match[source][ip]}" 43 | - ip: "{match[destination][ip]}" 44 | - filename: "{match[process][executable]}" 45 | - registry: "{match[registry][path]}" 46 | 47 | -------------------------------------------------------------------------------- /rules/elastalert/filebeat.yml: -------------------------------------------------------------------------------- 1 | alert: 2 | - debug 3 | description: Rule for thehive 4 | filter: 5 | - query_string: 6 | query: (signal.status:"acknowledged" AND agent.type:"filebeat" AND 
NOT event.module:"suricata" AND NOT event.module:"zeek" ) 7 | index: .siem-signals-default 8 | category: 9 | Detection 10 | Signal 11 | name: TheHive_Filebeat 12 | priority: 3 13 | realert: 14 | minutes: 0 15 | title: Rule for TheHive Filebeat 16 | type: any 17 | 18 | 19 | 20 | alert: hivealerter 21 | 22 | hive_alert_config: 23 | title: '{match[signal][rule][name]}' 24 | type: '{match[event][module]}' 25 | source: '{match[host][name]}' 26 | description: "`Rule description :` \n\n {match[signal][rule][description]} \n\n `Rule Query :` \n\n {match[signal][rule][query]} \n\n `Kibana link:` \n\n https://s1em_hostname/kibana/app/kibana#/discover?_g=(filters:!())&_a=(columns:!(_source),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'.siem-signals-default',key:_id,negate:!f,params:(query:'{match[_id]}'),type:phrase,value:'{match[_id]}'),query:(match:(_id:(query:'{match[_id]}',type:phrase))))),index:'.siem-signals-default',interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))" 27 | severity: 3 28 | tags: ['Signal', 'Detection', 'Filebeat'] 29 | tlp: 2 30 | status: 'New' 31 | follow: True 32 | 33 | hive_observable_data_mapping: 34 | - hash: "{match[hash][sha1]}" 35 | - hash: "{match[hash][md5]}" 36 | - hash: "{match[hash][sha256]}" 37 | - hash: "{match[process][hash][sha1]}" 38 | - hash: "{match[process][hash][md5]}" 39 | - hash: "{match[process][hash][sha256]}" 40 | - hash: "{match[pe][imphash]}" 41 | - domain: "{match[dns][question][name]}" 42 | - ip: "{match[source][ip]}" 43 | - ip: "{match[destination][ip]}" 44 | - filename: "{match[process][executable]}" 45 | - registry: "{match[registry][path]}" 46 | 47 | 48 | -------------------------------------------------------------------------------- /rules/elastalert/suricata.yml: -------------------------------------------------------------------------------- 1 | alert: 2 | - debug 3 | description: Rule for thehive 4 | filter: 5 | - query_string: 6 | query: 
(signal.status:"acknowledged" AND agent.type:"filebeat" AND event.module:"suricata") 7 | index: .siem-signals-default 8 | category: 9 | Detection 10 | Signal 11 | name: TheHive_Suricata 12 | priority: 3 13 | realert: 14 | minutes: 0 15 | title: Rule for TheHive Suricata 16 | type: any 17 | 18 | 19 | 20 | alert: hivealerter 21 | 22 | hive_alert_config: 23 | title: '{match[signal][rule][name]}' 24 | type: '{match[event][module]}' 25 | source: '{match[host][name]}' 26 | description: "`Rule description :` \n\n {match[suricata][eve][alert][category]} \n\n `Event Original :` \n\n '{match[signal][original_event][original]} \n\n `Kibana link:` \n\n https://s1em_hostname/kibana/app/kibana#/discover?_g=(filters:!())&_a=(columns:!(_source),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'.siem-signals-default',key:_id,negate:!f,params:(query:'{match[_id]}'),type:phrase,value:'{match[_id]}'),query:(match:(_id:(query:'{match[_id]}',type:phrase))))),index:'.siem-signals-default',interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))" 27 | severity: 3 28 | tags: ['Signal', 'Detection', 'Suricata'] 29 | tlp: 2 30 | status: 'New' 31 | follow: True 32 | 33 | hive_observable_data_mapping: 34 | - hash: "{match[hash][sha1]}" 35 | - hash: "{match[hash][md5]}" 36 | - hash: "{match[hash][sha256]}" 37 | - domain: "{match[dns][question][name]}" 38 | - ip: "{match[source][ip]}" 39 | - ip: "{match[destination][ip]}" 40 | 41 | -------------------------------------------------------------------------------- /rules/elastalert/winlogbeat.yml: -------------------------------------------------------------------------------- 1 | alert: 2 | - debug 3 | description: Rule for thehive 4 | filter: 5 | - query_string: 6 | query: (signal.status:"acknowledged" AND agent.type:"winlogbeat") 7 | index: .siem-signals-default 8 | category: 9 | Detection 10 | Signal 11 | name: TheHive_Winlogbeat 12 | priority: 3 13 | realert: 14 | minutes: 0 15 | title: Rule for TheHive 
Winlogbeat 16 | type: any 17 | 18 | 19 | 20 | alert: hivealerter 21 | 22 | hive_alert_config: 23 | title: '{match[signal][rule][name]}' 24 | type: '{match[agent][type]}' 25 | source: '{match[host][name]}' 26 | description: "`Rule description :` \n\n {match[signal][rule][description]} \n\n `Rule Query :` \n\n {match[signal][rule][query]} \n\n `Event Original :` \n\n '{match[message]} \n\n `Kibana link:` \n\n https://s1em_hostname/kibana/app/kibana#/discover?_g=(filters:!())&_a=(columns:!(_source),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'.siem-signals-default',key:_id,negate:!f,params:(query:'{match[_id]}'),type:phrase,value:'{match[_id]}'),query:(match:(_id:(query:'{match[_id]}',type:phrase))))),index:'.siem-signals-default',interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))" 27 | severity: 3 28 | tags: ['Signal', 'Detection', 'Winlogbeat'] 29 | tlp: 2 30 | status: 'New' 31 | follow: True 32 | 33 | hive_observable_data_mapping: 34 | - hash: "{match[hash][sha1]}" 35 | - hash: "{match[hash][md5]}" 36 | - hash: "{match[hash][sha256]}" 37 | - hash: "{match[process][hash][sha1]}" 38 | - hash: "{match[process][hash][md5]}" 39 | - hash: "{match[process][hash][sha256]}" 40 | - hash: "{match[pe][imphash]}" 41 | - domain: "{match[dns][question][name]}" 42 | - ip: "{match[source][ip]}" 43 | - ip: "{match[destination][ip]}" 44 | - filename: "{match[process][executable]}" 45 | - registry: "{match[registry][path]}" 46 | 47 | 48 | -------------------------------------------------------------------------------- /rules/elastalert/zeek.yml: -------------------------------------------------------------------------------- 1 | alert: 2 | - debug 3 | description: Rule for thehive 4 | filter: 5 | - query_string: 6 | query: (signal.status:"acknowledged" AND agent.type:"filebeat" AND event.module:"zeek") 7 | index: .siem-signals-default 8 | category: 9 | Detection 10 | Signal 11 | name: TheHive_Zeek 12 | priority: 3 13 | realert: 14 | 
minutes: 0 15 | title: Rule for TheHive Zeek 16 | type: any 17 | 18 | 19 | 20 | alert: hivealerter 21 | 22 | hive_alert_config: 23 | title: '{match[signal][rule][name]}' 24 | type: '{match[event][module]}' 25 | source: '{match[host][name]}' 26 | description: "`Rule description :` \n\n {match[event][type]} \n\n `Kibana link:` \n\n https://s1em_hostname/kibana/app/kibana#/discover?_g=(filters:!())&_a=(columns:!(_source),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'.siem-signals-default',key:_id,negate:!f,params:(query:'{match[_id]}'),type:phrase,value:'{match[_id]}'),query:(match:(_id:(query:'{match[_id]}',type:phrase))))),index:'.siem-signals-default',interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))" 27 | severity: 3 28 | tags: ['Signal', 'Detection', 'Zeek'] 29 | tlp: 2 30 | status: 'New' 31 | follow: True 32 | 33 | hive_observable_data_mapping: 34 | - hash: "{match[hash][sha1]}" 35 | - hash: "{match[hash][md5]}" 36 | - hash: "{match[hash][sha256]}" 37 | - domain: "{match[dns][question][name]}" 38 | - ip: "{match[source][ip]}" 39 | - ip: "{match[destination][ip]}" 40 | -------------------------------------------------------------------------------- /rules/elastic/suricata-rules.ndjson: -------------------------------------------------------------------------------- 1 | {"id":"405b8090-c64e-11ec-8b6a-1ffb2863bcc9","updated_at":"2022-04-27T17:56:42.136Z","updated_by":"admin@cyber.local","created_at":"2022-04-27T17:19:53.119Z","created_by":"admin@cyber.local","name":"Detection Suricata","tags":["Suricata"],"interval":"5m","enabled":true,"description":"Detection Suricata","risk_score":21,"severity":"low","license":"","output_index":".siem-signals-default","timeline_id":"91832785-286d-4ebe-b884-1a208d111a70","timeline_title":"Generic Network 
Timeline","meta":{"from":"1m","kibana_siem_app_url":"https://192.168.59.131/kibana/app/security"},"rule_name_override":"suricata.eve.alert.signature","author":[],"false_positives":[],"from":"now-360s","rule_id":"063bba5f-0970-4027-b738-bbfb92a7e8c6","max_signals":100,"risk_score_mapping":[],"severity_mapping":[{"severity":"low","field":"event.severity","value":"3","operator":"equals"},{"severity":"medium","field":"event.severity","value":"2","operator":"equals"},{"severity":"high","field":"event.severity","value":"1","operator":"equals"},{"severity":"critical","field":"event.severity","value":"0","operator":"equals"}],"threat":[],"to":"now","references":[],"version":5,"exceptions_list":[],"immutable":false,"type":"query","language":"kuery","index":["filebeat-*"],"query":"event.module:\"suricata\" AND suricata.eve.event_type:\"alert\" ","filters":[],"throttle":"no_actions","actions":[]} 2 | {"exported_count":1,"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":0,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} 3 | -------------------------------------------------------------------------------- /rules/suricata/BSD-License.txt: -------------------------------------------------------------------------------- 1 | #************************************************************* 2 | # Copyright (c) 2003-2021, Emerging Threats 3 | # All rights reserved. 4 | # 5 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 6 | # following conditions are met: 7 | # 8 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 9 | # disclaimer. 
10 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 11 | # following disclaimer in the documentation and/or other materials provided with the distribution. 12 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 13 | # from this software without specific prior written permission. 14 | # 15 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 16 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 18 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 19 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 20 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 21 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 | # 23 | #************************************************************* 24 | 25 | -------------------------------------------------------------------------------- /rules/suricata/LICENSE: -------------------------------------------------------------------------------- 1 | # Emerging Threats 2 | # 3 | # This distribution may contain rules under three different licenses. 4 | # 5 | # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. 
6 | # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html 7 | # 8 | # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 9 | # as follows: 10 | # 11 | #************************************************************* 12 | # Copyright (c) 2003-2021, Emerging Threats 13 | # All rights reserved. 14 | # 15 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 16 | # following conditions are met: 17 | # 18 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 19 | # disclaimer. 20 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 21 | # following disclaimer in the documentation and/or other materials provided with the distribution. 22 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 23 | # from this software without specific prior written permission. 24 | # 25 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 26 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 27 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 29 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 30 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 31 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
32 | # 33 | #************************************************************* 34 | # 35 | # 36 | # Rules with sids 2800000 through 2900000 are provided by Emerging Threats Pro and are covered by the license 37 | # provided in this distribution titled ETPRO-License.txt 38 | # 39 | # 40 | 41 | -------------------------------------------------------------------------------- /rules/suricata/botcc.portgrouped.rules: -------------------------------------------------------------------------------- 1 | # 2 | # Emerging Threats Botnet Command and Control drop rules. 3 | # 4 | # These are generated from the EXCELLENT work done by the abuse.ch folks. All Volunteers, we're grateful for their dedication! 5 | # 6 | # https://ransomwaretracker.abuse.ch 7 | # https://zeustracker.abuse.ch 8 | # https://feodotracker.abuse.ch/ 9 | # 10 | # 11 | # SID's are 2410000+ to avoid conflicts 12 | # 13 | # More information available at www.emergingthreats.net 14 | # 15 | # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list 16 | # 17 | #************************************************************* 18 | # 19 | # Copyright (c) 2003-2020, Emerging Threats 20 | # All rights reserved. 21 | # 22 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 23 | # following conditions are met: 24 | # 25 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 26 | # disclaimer. 27 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 28 | # following disclaimer in the documentation and/or other materials provided with the distribution. 29 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 30 | # from this software without specific prior written permission. 
31 | # 32 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 33 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 34 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 35 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 36 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 37 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 38 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 | # 40 | # 41 | -------------------------------------------------------------------------------- /rules/suricata/classification.config: -------------------------------------------------------------------------------- 1 | # 2 | # config classification:shortname,short description,priority 3 | # 4 | 5 | config classification: not-suspicious,Not Suspicious Traffic,3 6 | config classification: unknown,Unknown Traffic,3 7 | config classification: bad-unknown,Potentially Bad Traffic, 2 8 | config classification: attempted-recon,Attempted Information Leak,2 9 | config classification: successful-recon-limited,Information Leak,2 10 | config classification: successful-recon-largescale,Large Scale Information Leak,2 11 | config classification: attempted-dos,Attempted Denial of Service,2 12 | config classification: successful-dos,Denial of Service,2 13 | config classification: attempted-user,Attempted User Privilege Gain,1 14 | config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 15 | config classification: successful-user,Successful User Privilege Gain,1 16 | config classification: attempted-admin,Attempted Administrator Privilege Gain,1 17 | config 
classification: successful-admin,Successful Administrator Privilege Gain,1 18 | 19 | # NEW CLASSIFICATIONS 20 | config classification: rpc-portmap-decode,Decode of an RPC Query,2 21 | config classification: shellcode-detect,Executable code was detected,1 22 | config classification: string-detect,A suspicious string was detected,3 23 | config classification: suspicious-filename-detect,A suspicious filename was detected,2 24 | config classification: suspicious-login,An attempted login using a suspicious username was detected,2 25 | config classification: system-call-detect,A system call was detected,2 26 | config classification: tcp-connection,A TCP connection was detected,4 27 | config classification: trojan-activity,A Network Trojan was detected, 1 28 | config classification: unusual-client-port-connection,A client was using an unusual port,2 29 | config classification: network-scan,Detection of a Network Scan,3 30 | config classification: denial-of-service,Detection of a Denial of Service Attack,2 31 | config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 32 | config classification: protocol-command-decode,Generic Protocol Command Decode,3 33 | config classification: web-application-activity,access to a potentially vulnerable web application,2 34 | config classification: web-application-attack,Web Application Attack,1 35 | config classification: misc-activity,Misc activity,3 36 | config classification: misc-attack,Misc Attack,2 37 | config classification: icmp-event,Generic ICMP event,3 38 | config classification: policy-violation,Potential Corporate Privacy Violation,1 39 | config classification: default-login-attempt,Attempt to login by a default username and password,2 40 | 41 | # Update 42 | config classification: targeted-activity,Targeted Malicious Activity was Detected,1 43 | config classification: exploit-kit,Exploit Kit Activity Detected,1 44 | config classification: external-ip-check,Device Retrieving External IP 
Address Detected,2 45 | config classification: domain-c2,Domain Observed Used for C2 Detected,1 46 | config classification: pup-activity,Possibly Unwanted Program Detected,2 47 | config classification: credential-theft,Successful Credential Theft Detected,1 48 | config classification: social-engineering,Possible Social Engineering Attempted,2 49 | config classification: coin-mining,Crypto Currency Mining Activity Detected,2 50 | config classification: command-and-control,Malware Command and Control Activity Detected,1 51 | -------------------------------------------------------------------------------- /rules/suricata/dshield.rules: -------------------------------------------------------------------------------- 1 | # 2 | # $Id: emerging-dshield.rules $ 3 | # Emerging Threats Dshield rules. 4 | # 5 | # Rules to block Dshield identified Top Attackers (www.dshield.org) 6 | # 7 | # More information available at www.emergingthreats.net 8 | # 9 | # Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list 10 | # 11 | #************************************************************* 12 | # 13 | # Copyright (c) 2003-2020, Emerging Threats 14 | # All rights reserved. 15 | # 16 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 17 | # following conditions are met: 18 | # 19 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 20 | # disclaimer. 21 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 22 | # following disclaimer in the documentation and/or other materials provided with the distribution. 23 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 24 | # from this software without specific prior written permission. 
25 | # 26 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 27 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 28 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 30 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 31 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 32 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 | # 34 | # 35 | alert ip [89.248.165.0/24,45.134.26.0/24,45.146.166.0/24,167.248.133.0/24,45.137.23.0/24,193.163.125.0/24,185.191.34.0/24,146.88.240.0/24,138.99.216.0/24,92.63.197.0/24,45.143.203.0/24,94.232.46.0/24,185.156.73.0/24,45.146.165.0/24,89.248.163.0/24,141.98.10.0/24,45.134.144.0/24,193.27.229.0/24,170.106.115.0/24,138.199.32.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:6127; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2021_12_17;) 36 | -------------------------------------------------------------------------------- /rules/suricata/emerging-telnet.rules: -------------------------------------------------------------------------------- 1 | # Emerging Threats 2 | # 3 | # This distribution may contain rules under two different licenses. 4 | # 5 | # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. 
6 | # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html 7 | # 8 | # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 9 | # as follows: 10 | # 11 | #************************************************************* 12 | # Copyright (c) 2003-2021, Emerging Threats 13 | # All rights reserved. 14 | # 15 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 16 | # following conditions are met: 17 | # 18 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 19 | # disclaimer. 20 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 21 | # following disclaimer in the documentation and/or other materials provided with the distribution. 22 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 23 | # from this software without specific prior written permission. 24 | # 25 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 26 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 27 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 29 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 30 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 31 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
32 | # 33 | #************************************************************* 34 | # 35 | # 36 | # 37 | # 38 | 39 | # This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced. 40 | 41 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:2100492; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 42 | 43 | #alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 44 | 45 | alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; classtype:attempted-admin; sid:2008860; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 46 | 47 | #alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login Prompt from Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:attempted-admin; sid:2008861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 48 | 49 | alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MIRAI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MIRAI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; 
reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023019; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_26;) 50 | 51 | alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox ECCHI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"ECCHI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023304; rev:1; metadata:attack_target Server, created_at 2016_09_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_27;) 52 | 53 | alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MEMES Hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MEMES"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023901; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_14, deployment Perimeter, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2017_02_14;) 54 | 55 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;) 56 | 57 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3a 20|root"; fast_pattern; classtype:suspicious-login; sid:2100719; 
rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;) 58 | 59 | alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; fast_pattern; classtype:bad-unknown; sid:2101251; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;) 60 | 61 | -------------------------------------------------------------------------------- /rules/suricata/emerging-tftp.rules: -------------------------------------------------------------------------------- 1 | # Emerging Threats 2 | # 3 | # This distribution may contain rules under two different licenses. 4 | # 5 | # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. 6 | # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html 7 | # 8 | # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 9 | # as follows: 10 | # 11 | #************************************************************* 12 | # Copyright (c) 2003-2021, Emerging Threats 13 | # All rights reserved. 14 | # 15 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 16 | # following conditions are met: 17 | # 18 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 19 | # disclaimer. 20 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 21 | # following disclaimer in the documentation and/or other materials provided with the distribution. 22 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 23 | # from this software without specific prior written permission. 
24 | # 25 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 26 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 27 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 29 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 30 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 31 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 | # 33 | #************************************************************* 34 | # 35 | # 36 | # 37 | # 38 | 39 | # This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced. 40 | 41 | alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; reference:url,doc.emergingthreats.net/2008117; classtype:policy-violation; sid:2008117; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 42 | 43 | alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP ACK"; content:"|00 04|"; depth:2; reference:url,doc.emergingthreats.net/2008118; classtype:policy-violation; sid:2008118; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 44 | 45 | alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Error Message"; content:"|00 05|"; depth:2; reference:url,doc.emergingthreats.net/2008119; classtype:policy-violation; sid:2008119; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 46 | 47 | #alert udp any any -> any 69 (msg:"GPL TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; 
reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:2101941; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 48 | 49 | #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP root directory"; content:"|00 01|/"; depth:3; reference:cve,1999-0183; classtype:bad-unknown; sid:2100520; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 50 | 51 | #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP parent directory"; content:".."; offset:2; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:2100519; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 52 | 53 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Put"; content:"|00 02|"; depth:2; reference:cve,1999-0183; classtype:bad-unknown; sid:2100518; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 54 | 55 | #alert udp any any -> any 69 (msg:"GPL TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2102337; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 56 | 57 | #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2102336; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 58 | 59 | alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 60 | 61 | alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 62 | 63 | #alert udp $EXTERNAL_NET any -> $HOME_NET 69 
(msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 64 | 65 | alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 66 | 67 | alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 68 | 69 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:2101222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 70 | 71 | #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET TFTP TFTPGUI Long Transport Mode Buffer Overflow"; content:"|00 02|"; depth:2; content:"|00|"; distance:0; within:50; content:!"|00|"; distance:0; within:9; reference:url,www.exploit-db.com/exploits/12482/; reference:url,packetstormsecurity.org/files/view/96395/tftputilgui-dos.rb.txt; reference:url,securityfocus.com/bid/39872/; classtype:attempted-dos; sid:2012051; rev:2; metadata:created_at 2010_12_14, updated_at 2020_08_20;) 72 | 73 | alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_12;) 74 | 75 | alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; 
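reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_25;)

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_11_01, former_category TFTP, updated_at 2017_07_19;)

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer With Cisco Config 2"; content:"|00 03|"; depth:2; content:"NVRAM config last update"; distance:0; classtype:policy-violation; sid:2024481; rev:2; metadata:affected_product Cisco_ASA, affected_product Cisco_PIX, affected_product CISCO_Catalyst, attack_target Networking_Equipment, created_at 2017_07_19, deployment Perimeter, former_category TFTP, performance_impact Moderate, signature_severity Major, updated_at 2017_07_19;)

-------------------------------------------------------------------------------- /rules/suricata/suricata-5.0-enhanced-open.txt: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/V1D1AN/S1EM/02af0556b6c8e6135a26777a06c3bbfd7b58f2d2/rules/suricata/suricata-5.0-enhanced-open.txt
-------------------------------------------------------------------------------- /rules/yara/index_gen.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Generates YARA "index" files: one <folder>_index.yar per rule folder,
# plus index_w_mobile.yar and index.yar for the whole tree.  Each index is
# a list of `include "<path>"` lines, so loading one file loads every rule
# beneath it.  Run from the root of the rules tree.

# Prints a whitespace-separated list of rule folders (trailing slash, as
# the glob produces them) that are not excluded, followed by "." so the
# root indexes are built after every per-folder index.
# Output: one line, folders separated by spaces.  Because callers split
# this on whitespace, folder names containing whitespace are not
# supported by this interface.
function get_folders {
    local avoid="utils|deprecated"
    local folder list=""
    for folder in */; do
        # An unmatched glob leaves the literal "*/" behind; skip it instead
        # of passing a non-existent folder downstream.
        [[ -d "$folder" ]] || continue
        # Same extended regex the original grep -vE applied to the list.
        [[ "$folder" =~ $avoid ]] && continue
        list+="$folder "
    done
    list+=". "
    echo "$list"
}

# Writes one index file.
#   $1  idx_name    path of the index file to (re)create
#   $2  base        folder to scan; "." means the whole tree
#   $3  inc_mobile  "false" excludes paths matching "Mobile" (only honoured
#                   when base is ".")
#   $4  header      optional text placed in a leading /* */ comment; passed
#                   through `echo -e`, so "\n" sequences become newlines
# Paths are excluded when they match the `avoid` regex (existing index
# files, utils, deprecated).  Non-root indexes are prefixed with "./" so
# they resolve relative to the rules root; root indexes already get "./"
# from find itself.
function gen_index {
    local idx_name="$1"
    local base="$2"
    local inc_mobile="$3"
    local header="${4:-}"
    local avoid prefix

    # Always start from an empty file; the header, when given, replaces it.
    : > "$idx_name"
    if [[ -n "$header" ]]; then
        echo -e "/*$header*/" > "$idx_name"
    fi

    avoid="_?index.yara?|index_|utils|deprecated"
    if [[ "$base" == "." ]]; then
        prefix=""
        if [[ "$inc_mobile" == false ]]; then
            avoid+="|Mobile"
        fi
    else
        prefix="./"
    fi

    # macOS find needs -E for an extended regex; GNU find (Linux, and
    # potentially Cygwin) accepts the expression as-is.  Both branches
    # feed the same filter/sort/format pipeline.
    if [[ "$(uname)" == "Darwin" ]]; then
        find -E "$base" -regex ".*\.yara?"
    else
        find "$base" -regex ".*\.yara?"
    fi | grep -vE "$avoid" | sort | awk -v p="$prefix" '{print "include \"" p $0 "\""}' >> "$idx_name"
}

## Main

echo " **************************"
echo " Yara-Rules"
echo " Index generator"
echo " **************************"

# NOTE(review): INC_MOBILE starts as false, so index_w_mobile.yar is built
# without the Mobile folder and comes out identical to index.yar; the
# second pass below resets it to false, which suggests true was intended
# here — confirm before changing, it may be a deliberate S1EM choice.
INC_MOBILE=false

for folder in $(get_folders); do
    if [[ "$folder" == "." ]]; then
        BASE="."
        IDX_NAME="index_w_mobile.yar"
        echo "[+] Generating index_w_mobile..."
    else
        # Strip the trailing slash the glob leaves on folder names.
        BASE="${folder%/}"
        IDX_NAME="${BASE}_index.yar"
        echo "[+] Generating $BASE index..."
    fi

    gen_index "$IDX_NAME" "$BASE" "$INC_MOBILE" "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"

    if [[ "$folder" == "." ]]; then
        # Second pass over the root, this time without Mobile rules.
        INC_MOBILE=false
        IDX_NAME="index.yar"
        echo "[+] Generating index..."
        gen_index "$IDX_NAME" "$BASE" "$INC_MOBILE" "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"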
71 | fi 72 | done 73 | -------------------------------------------------------------------------------- /sigma.yml: -------------------------------------------------------------------------------- 1 | version: '3.5' 2 | services: 3 | sigma: 4 | build: 5 | context: . 6 | dockerfile: sigma/dockerfile 7 | image: sigma:1.0 8 | container_name: sigma 9 | user: root 10 | networks: 11 | - s1em 12 | 13 | networks: 14 | s1em: 15 | driver: bridge 16 | -------------------------------------------------------------------------------- /sigma/backend.yml: -------------------------------------------------------------------------------- 1 | keyword_base_fields: '*' 2 | put_filename_in_ref: True 3 | convert_to_url: True 4 | path_to_replace: '..\' 5 | dest_base_url: 'https://github.com/SigmaHQ/sigma/tree/master/' 6 | -------------------------------------------------------------------------------- /sigma/dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:slim 2 | 3 | MAINTAINER "V1D1AN" 4 | 5 | RUN apt-get update && apt-get -y install git curl gcc 6 | RUN pip3 install termcolor 7 | RUN git clone https://github.com/SigmaHQ/sigma.git 8 | ADD sigma/backend.yml sigma/tools/backend.yml 9 | ADD rules/elastic/* sigma/tools/ 10 | WORKDIR sigma/tools 11 | RUN python3 setup.py install 12 | RUN ./sigmac -t es-rule --filter condition!=near,status!=deprecated -I -c config/generic/sysmon.yml -c config/generic/powershell.yml -c config/winlogbeat-modules-enabled.yml --backend-config backend.yml --backend-option custom_tag="Windows" -r ../rules/windows -o windows-rules.ndjson 13 | RUN ./sigmac -t es-rule-eql --filter condition=near,status!=deprecated -I -c config/generic/sysmon.yml -c config/winlogbeat-modules-enabled.yml --backend-config backend.yml --backend-option custom_tag="Windows,EQL" -r ../rules/windows -o eql-rules.ndjson 14 | RUN ./sigmac -t es-rule -I -c config/ecs-zeek-elastic-beats-implementation.yml --backend-config backend.yml 
--backend-option custom_tag="Zeek" -r ../rules/network/zeek -o zeek-rules.ndjson 15 | RUN ./sigmac -t es-rule -I -c config/ecs-auditbeat-modules-enabled.yml --backend-config backend.yml --backend-option custom_tag="Linux" -r ../rules/linux/auditd -o auditbeat-rules.ndjson 16 | RUN sed -i 's/"enabled": true/"enabled": false/g' *.ndjson 17 | CMD for rule in $(find *.ndjson -type f); do curl -k -X POST "https://kibana:5601/kibana/api/detection_engine/rules/_import?overwrite=true" -u "elastic:changeme" -H "kbn-xsrf: true" -H "Content-Type: multipart/form-data" --form file=@$rule ; done 18 | -------------------------------------------------------------------------------- /suricata/threshold.config: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /thehive/Dashboards/alerts.json: -------------------------------------------------------------------------------- 1 | {"title":"Alert statistics","description":"Alert statistics","status":"Shared","definition":"{\"period\":\"last7Days\",\"items\":[{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Alerts by status\",\"entity\":\"alert\",\"field\":\"status\",\"query\":{},\"names\":{\"New\":\"New\",\"Updated\":\"Updated\",\"Ignored\":\"Ignored\",\"Imported\":\"Imported\"}},\"id\":\"cd063f98-21cc-405c-18a9-af669acae104\"},{\"type\":\"donut\",\"options\":{\"title\":\"Waiting alerts by type\",\"entity\":\"alert\",\"field\":\"type\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"New\",\"label\":\"New\"},{\"text\":\"Updated\",\"label\":\"Updated\"}]}}],\"query\":{\"_or\":[{\"_field\":\"status\",\"_value\":\"New\"},{\"_field\":\"status\",\"_value\":\"Updated\"}]},\"names\":{}},\"id\":\"8ca4226f-374e-5315-71b8-5d6a4141d886\"},{\"type\":\"donut\",\"options\":{\"title\":\"Waiting alerts by 
source\",\"entity\":\"alert\",\"field\":\"source\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"New\",\"label\":\"New\"},{\"text\":\"Updated\",\"label\":\"Updated\"}]}}],\"query\":{\"_or\":[{\"_field\":\"status\",\"_value\":\"New\"},{\"_field\":\"status\",\"_value\":\"Updated\"}]},\"names\":{}},\"id\":\"73a986bb-7f53-fc62-6cc8-1e099fadc4b4\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"bar\",\"options\":{\"entity\":\"alert\",\"dateField\":\"createdAt\",\"interval\":\"1d\",\"field\":\"type\",\"stacked\":true,\"title\":\"Alert type history\",\"query\":{},\"names\":{}},\"id\":\"62633389-0aa0-827b-ef48-e5bedf7d5e7d\"},{\"type\":\"donut\",\"options\":{\"title\":\"Alerts by tags\",\"entity\":\"alert\",\"field\":\"tags\",\"query\":{},\"names\":{}},\"id\":\"61fadb50-aed0-d554-435b-e88d33da6588\"},{\"type\":\"bar\",\"options\":{\"title\":\"Alert source history\",\"entity\":\"alert\",\"dateField\":\"createdAt\",\"interval\":\"1d\",\"field\":\"source\",\"stacked\":true,\"query\":{},\"names\":{}},\"id\":\"a513f977-e743-9862-0755-9831e9bf080a\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Alert by severity\",\"entity\":\"alert\",\"field\":\"severity\",\"query\":{},\"names\":{\"1\":\"low\",\"2\":\"medium\",\"3\":\"high\",\"4\":\"critical\"}},\"id\":\"6704b066-ae8d-2aeb-b9c1-528207115b14\"}]}],\"customPeriod\":{\"fromDate\":\"2020-06-16T22:00:00.000Z\",\"toDate\":\"2020-06-17T22:00:00.000Z\"}}"} -------------------------------------------------------------------------------- /thehive/Dashboards/case.json: -------------------------------------------------------------------------------- 1 | {"title":"Case statistics","description":"case","status":"Shared","definition":"{\"period\":\"last3Months\",\"items\":[{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Owner of open 
cases\",\"entity\":\"case\",\"field\":\"owner\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"Open\",\"label\":\"Open\"}]}}],\"query\":{\"_field\":\"status\",\"_value\":\"Open\"},\"names\":{}},\"id\":\"4cb4f7d3-eb21-dd61-2a6f-85cf096a2a6e\"},{\"type\":\"donut\",\"options\":{\"title\":\"Cases by status\",\"entity\":\"case\",\"field\":\"status\",\"filters\":[],\"names\":{\"NoImpact\":\"NoImpact\",\"WithImpact\":\"WithImpact\",\"NotApplicable\":\"NotApplicable\",\"Open\":\"Open\",\"Resolved\":\"Resolved\",\"Deleted\":\"Deleted\"},\"query\":{}},\"id\":\"84b81a65-4b3c-2b26-421e-fd7453d92f3e\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Revolved cases by resolution\",\"entity\":\"case\",\"field\":\"resolutionStatus\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"Resolved\",\"label\":\"Resolved\"}]}}],\"query\":{\"_field\":\"status\",\"_value\":\"Resolved\"},\"names\":{\"FalsePositive\":\"FalsePositive\",\"Duplicated\":\"Duplicated\",\"Indeterminate\":\"Indeterminate\",\"TruePositive\":\"TruePositive\",\"Other\":\"Other\"}},\"id\":\"ede6e87a-2e39-5556-b421-1c4cd73a74b1\"},{\"type\":\"donut\",\"options\":{\"title\":\"Case tags\",\"entity\":\"case\",\"field\":\"tags\",\"query\":{},\"names\":{}},\"id\":\"a9e47a5d-3c84-4949-b941-a60ea3c41e81\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"bar\",\"options\":{\"entity\":\"case\",\"dateField\":\"createdAt\",\"interval\":\"1d\",\"field\":\"owner\",\"stacked\":true,\"query\":{},\"names\":{},\"title\":\"Case owner history\"},\"id\":\"b5bb88c6-0a76-ca85-c4b6-5096199ddf80\"},{\"type\":\"bar\",\"options\":{\"entity\":\"case\",\"dateField\":\"createdAt\",\"interval\":\"1d\",\"field\":\"severity\",\"stacked\":true,\"query\":{},\"names\":{\"1\":\"low\",\"2\":\"medium\",\"3\":\"high\",\"4\":\"critical\"},\"title\":\"Case severity 
history\"},\"id\":\"9bdac0ad-441b-2be3-9e6e-342968be5315\"},{\"type\":\"bar\",\"options\":{\"entity\":\"case\",\"dateField\":\"createdAt\",\"interval\":\"1d\",\"field\":\"tlp\",\"stacked\":true,\"title\":\"Case TLP history\",\"query\":{},\"names\":{\"0\":\"white\",\"1\":\"green\",\"2\":\"amber\",\"3\":\"red\"}},\"id\":\"72157fd6-efb4-cf0c-a281-7eacc3c32a4f\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"line\",\"options\":{\"title\":\"Case over time\",\"entity\":\"case\",\"field\":\"createdAt\",\"interval\":\"1d\",\"series\":[{\"agg\":\"avg\",\"field\":\"computed.handlingDurationInHours\",\"type\":\"line\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"Resolved\",\"label\":\"Resolved\"}]}}],\"query\":{\"_field\":\"status\",\"_value\":\"Resolved\"}},{\"agg\":\"count\",\"field\":null,\"type\":\"bar\"}],\"query\":{}},\"id\":\"377784a7-49c2-50aa-2eba-acc862a0b841\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Severity of open cases\",\"entity\":\"case\",\"field\":\"severity\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"Open\",\"label\":\"Open\"}]}}],\"query\":{\"_field\":\"status\",\"_value\":\"Open\"},\"names\":{\"1\":\"low\",\"2\":\"medium\",\"3\":\"high\",\"4\":\"critical\"}},\"id\":\"d943c6f4-61d8-b4dd-7a3a-56067829727a\"},{\"type\":\"donut\",\"options\":{\"title\":\"TLP of open cases\",\"entity\":\"case\",\"field\":\"tlp\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"Open\",\"label\":\"Open\"}]}}],\"query\":{\"_field\":\"status\",\"_value\":\"Open\"},\"names\":{\"0\":\"white\",\"1\":\"green\",\"2\":\"amber\",\"3\":\"red\"}},\"id\":\"4c7bb013-c87f-7f17-0892-e20af2a0dcac\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"severity of close 
cases\",\"entity\":\"case\",\"field\":\"severity\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"Resolved\",\"label\":\"Resolved\"}]}}],\"query\":{\"_field\":\"status\",\"_value\":\"Resolved\"},\"names\":{\"1\":\"low\",\"2\":\"medium\",\"3\":\"high\",\"4\":\"critical\"}},\"id\":\"e77cdda7-de93-a5ff-e0f3-280c0a1b4e75\"},{\"type\":\"donut\",\"options\":{\"title\":\"TLP of close cases\",\"entity\":\"case\",\"field\":\"tlp\",\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"Resolved\",\"label\":\"Resolved\"}]}}],\"query\":{\"_field\":\"status\",\"_value\":\"Resolved\"},\"names\":{\"0\":\"white\",\"1\":\"green\",\"2\":\"amber\",\"3\":\"red\"}},\"id\":\"d8c16304-36f9-faad-e1bd-7ac919bb1c77\"}]}],\"customPeriod\":{\"fromDate\":null,\"toDate\":null}}"} -------------------------------------------------------------------------------- /thehive/Dashboards/jobs.json: -------------------------------------------------------------------------------- 1 | {"title":"Job statistics","description":"Job statistics","status":"Shared","definition":"{\"period\":\"last3Months\",\"items\":[{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Top analyzers\",\"entity\":\"case_artifact_job\",\"field\":\"analyzerId\",\"query\":{},\"names\":{}},\"id\":\"1eaa4dfa-5b14-50b6-e442-8729363f6f66\"},{\"type\":\"donut\",\"options\":{\"title\":\"Cortex instance use\",\"entity\":\"case_artifact_job\",\"field\":\"cortexId\",\"query\":{},\"names\":{}},\"id\":\"c501c2d3-9779-1d2a-6d85-bb2bd68260f5\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"bar\",\"options\":{\"title\":\"Job owners\",\"entity\":\"case_artifact_job\",\"dateField\":\"createdAt\",\"interval\":\"1d\",\"field\":\"createdBy\",\"stacked\":true,\"query\":{},\"names\":{}},\"id\":\"bc10b554-aa4c-6fce-c4bb-b906b9b0e398\"},{\"type\":\"bar\",\"options\":{\"title\":\"Analyzer 
history\",\"entity\":\"case_artifact_job\",\"dateField\":\"createdAt\",\"interval\":\"1d\",\"field\":\"analyzerId\",\"stacked\":true,\"query\":{},\"names\":{}},\"id\":\"cd6d0dc1-a77d-be9d-e7dd-c6a8c79b0898\"}]}],\"customPeriod\":{\"fromDate\":null,\"toDate\":null}}"} -------------------------------------------------------------------------------- /thehive/Dashboards/observable.json: -------------------------------------------------------------------------------- 1 | {"title":"Observable statistics","description":"Observable statistics","status":"Shared","definition":"{\"period\":\"last30Days\",\"items\":[{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Observables by type\",\"entity\":\"case_artifact\",\"field\":\"dataType\",\"query\":{\"_not\":{\"_field\":\"status\",\"_value\":\"Deleted\"}},\"names\":{\"fqdn\":\"fqdn\",\"url\":\"url\",\"regexp\":\"regexp\",\"mail\":\"mail\",\"hash\":\"hash\",\"registry\":\"registry\",\"uri_path\":\"uri_path\",\"truc\":\"truc\",\"ip\":\"ip\",\"user-agent\":\"user-agent\",\"autonomous-system\":\"autonomous-system\",\"file\":\"file\",\"mail_subject\":\"mail_subject\",\"filename\":\"filename\",\"other\":\"other\",\"domain\":\"domain\",\"md5\":\"md5\",\"sha256\":\"sha256\",\"sha1\":\"sha1\"},\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"operator\":\"none\",\"list\":[{\"text\":\"Deleted\",\"label\":\"Deleted\"}]}}]},\"id\":\"6ee86a99-3f40-1960-fd4d-398a1da5b76e\"},{\"type\":\"donut\",\"options\":{\"title\":\"Observables by data\",\"entity\":\"case_artifact\",\"field\":\"data\",\"query\":{},\"names\":{}},\"id\":\"72471d6c-a42d-4261-b205-6614428785c6\"},{\"type\":\"donut\",\"options\":{\"title\":\"Observables by attachment content 
type\",\"entity\":\"case_artifact\",\"field\":\"attachment.contentType\",\"query\":{\"_and\":[{\"_field\":\"dataType\",\"_value\":\"file\"},{\"_not\":{\"_field\":\"status\",\"_value\":\"Deleted\"}}]},\"names\":{},\"filters\":[{\"field\":\"dataType\",\"type\":\"enumeration\",\"value\":{\"list\":[{\"text\":\"file\",\"label\":\"file\"}]}},{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"operator\":\"none\",\"list\":[{\"text\":\"Deleted\",\"label\":\"Deleted\"}]}}]},\"id\":\"b6110238-3074-4e85-674f-4bc56829e68a\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Observable tags\",\"entity\":\"case_artifact\",\"field\":\"tags\",\"query\":{\"_not\":{\"_field\":\"status\",\"_value\":\"Deleted\"}},\"names\":{},\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"operator\":\"none\",\"list\":[{\"text\":\"Deleted\",\"label\":\"Deleted\"}]}}]},\"id\":\"70bbc0a5-1692-4e46-ebac-8769952ad9c0\"},{\"type\":\"donut\",\"options\":{\"title\":\"Observables by TLP\",\"entity\":\"case_artifact\",\"field\":\"tlp\",\"query\":{\"_not\":{\"_field\":\"status\",\"_value\":\"Deleted\"}},\"names\":{\"0\":\"white\",\"1\":\"green\",\"2\":\"amber\",\"3\":\"red\"},\"colors\":{\"0\":\"#bdf0ea\",\"1\":\"#48e80f\",\"2\":\"#e0a91a\",\"3\":\"#f02626\"},\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"operator\":\"none\",\"list\":[{\"text\":\"Deleted\",\"label\":\"Deleted\"}]}}]},\"id\":\"633fbe97-805e-6123-3330-29f5c8f45f13\"}]},{\"type\":\"container\",\"items\":[{\"type\":\"donut\",\"options\":{\"title\":\"Observables by IOC flag\",\"entity\":\"case_artifact\",\"field\":\"ioc\",\"query\":{\"_not\":{\"_field\":\"status\",\"_value\":\"Deleted\"}},\"names\":{},\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"operator\":\"none\",\"list\":[{\"text\":\"Deleted\",\"label\":\"Deleted\"}]}}]},\"id\":\"771a3bdf-e437-ac3a-384d-23be91a25b07\"},{\"type\":\"line\",\"options\":{\"title\":\"Observables over 
time\",\"entity\":\"case_artifact\",\"field\":\"createdAt\",\"interval\":\"1d\",\"series\":[{\"agg\":\"count\",\"field\":null,\"type\":\"area-spline\",\"filters\":[{\"field\":\"ioc\",\"type\":\"boolean\",\"value\":true}],\"label\":\"IOC\",\"query\":{\"_field\":\"ioc\",\"_value\":true}},{\"agg\":\"count\",\"field\":null,\"type\":\"area-spline\",\"label\":\"non-IOC\",\"filters\":[{\"field\":\"ioc\",\"type\":\"boolean\",\"value\":false}],\"query\":{\"_field\":\"ioc\",\"_value\":false}}],\"stacked\":true,\"query\":{\"_not\":{\"_field\":\"status\",\"_value\":\"Deleted\"}},\"filters\":[{\"field\":\"status\",\"type\":\"enumeration\",\"value\":{\"operator\":\"none\",\"list\":[{\"text\":\"Deleted\",\"label\":\"Deleted\"}]}}]},\"id\":\"e5ed24a6-51ed-ecc4-9db0-ce837fd84214\"}]}],\"customPeriod\":{\"fromDate\":\"2020-06-02T22:00:00.000Z\",\"toDate\":\"2020-06-03T22:00:00.000Z\"}}"} -------------------------------------------------------------------------------- /thehive/Imports/Alert_statistics.json: -------------------------------------------------------------------------------- 1 | {"_routing":"shZWJ3IBgeD6-82nLuD7","description":"Alert statistics","title":"Alert statistics","_parent":null,"definition":{"period":"last7Days","items":[{"type":"container","items":[{"type":"donut","options":{"title":"Alerts by status","entity":"alert","field":"status","query":{},"names":{"New":"New","Updated":"Updated","Ignored":"Ignored","Imported":"Imported"}},"id":"cd063f98-21cc-405c-18a9-af669acae104"},{"type":"donut","options":{"title":"Waiting alerts by type","entity":"alert","field":"type","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"New","label":"New"},{"text":"Updated","label":"Updated"}]}}],"query":{"_or":[{"_field":"status","_value":"New"},{"_field":"status","_value":"Updated"}]},"names":{}},"id":"8ca4226f-374e-5315-71b8-5d6a4141d886"},{"type":"donut","options":{"title":"Waiting alerts by 
source","entity":"alert","field":"source","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"New","label":"New"},{"text":"Updated","label":"Updated"}]}}],"query":{"_or":[{"_field":"status","_value":"New"},{"_field":"status","_value":"Updated"}]},"names":{}},"id":"73a986bb-7f53-fc62-6cc8-1e099fadc4b4"}]},{"type":"container","items":[{"type":"bar","options":{"entity":"alert","dateField":"createdAt","interval":"1d","field":"type","stacked":true,"title":"Alert type history","query":{},"names":{}},"id":"62633389-0aa0-827b-ef48-e5bedf7d5e7d"},{"type":"donut","options":{"title":"Alerts by tags","entity":"alert","field":"tags","query":{},"names":{}},"id":"61fadb50-aed0-d554-435b-e88d33da6588"},{"type":"bar","options":{"title":"Alert source history","entity":"alert","dateField":"createdAt","interval":"1d","field":"source","stacked":true,"query":{},"names":{}},"id":"a513f977-e743-9862-0755-9831e9bf080a"}]},{"type":"container","items":[{"type":"donut","options":{"title":"Alert by severity","entity":"alert","field":"severity","query":{},"names":{"1":"low","2":"medium","3":"high","4":"critical"}},"id":"6704b066-ae8d-2aeb-b9c1-528207115b14"}]}],"customPeriod":{"fromDate":"2020-06-16T22:00:00.000Z","toDate":"2020-06-17T22:00:00.000Z"}},"_id":"shZWJ3IBgeD6-82nLuD7","_version":4,"status":"Shared"} -------------------------------------------------------------------------------- /thehive/Imports/Case_statistics.json: -------------------------------------------------------------------------------- 1 | {"_routing":"sBZWJ3IBgeD6-82nLuDq","description":"case","title":"Case statistics","_parent":null,"definition":{"period":"last3Months","items":[{"type":"container","items":[{"type":"donut","options":{"title":"Owner of open 
cases","entity":"case","field":"owner","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"Open","label":"Open"}]}}],"query":{"_field":"status","_value":"Open"},"names":{}},"id":"4cb4f7d3-eb21-dd61-2a6f-85cf096a2a6e"},{"type":"donut","options":{"title":"Cases by status","entity":"case","field":"status","filters":[],"names":{"NoImpact":"NoImpact","WithImpact":"WithImpact","NotApplicable":"NotApplicable","Open":"Open","Resolved":"Resolved","Deleted":"Deleted"},"query":{}},"id":"84b81a65-4b3c-2b26-421e-fd7453d92f3e"}]},{"type":"container","items":[{"type":"donut","options":{"title":"Revolved cases by resolution","entity":"case","field":"resolutionStatus","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"Resolved","label":"Resolved"}]}}],"query":{"_field":"status","_value":"Resolved"},"names":{"FalsePositive":"FalsePositive","Duplicated":"Duplicated","Indeterminate":"Indeterminate","TruePositive":"TruePositive","Other":"Other"}},"id":"ede6e87a-2e39-5556-b421-1c4cd73a74b1"},{"type":"donut","options":{"title":"Case tags","entity":"case","field":"tags","query":{},"names":{}},"id":"a9e47a5d-3c84-4949-b941-a60ea3c41e81"}]},{"type":"container","items":[{"type":"bar","options":{"entity":"case","dateField":"createdAt","interval":"1d","field":"owner","stacked":true,"query":{},"names":{},"title":"Case owner history"},"id":"b5bb88c6-0a76-ca85-c4b6-5096199ddf80"},{"type":"bar","options":{"entity":"case","dateField":"createdAt","interval":"1d","field":"severity","stacked":true,"query":{},"names":{"1":"low","2":"medium","3":"high","4":"critical"},"title":"Case severity history"},"id":"9bdac0ad-441b-2be3-9e6e-342968be5315"},{"type":"bar","options":{"entity":"case","dateField":"createdAt","interval":"1d","field":"tlp","stacked":true,"title":"Case TLP 
history","query":{},"names":{"0":"white","1":"green","2":"amber","3":"red"}},"id":"72157fd6-efb4-cf0c-a281-7eacc3c32a4f"}]},{"type":"container","items":[{"type":"line","options":{"title":"Case over time","entity":"case","field":"createdAt","interval":"1d","series":[{"agg":"avg","field":"computed.handlingDurationInHours","type":"line","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"Resolved","label":"Resolved"}]}}],"query":{"_field":"status","_value":"Resolved"}},{"agg":"count","field":null,"type":"bar"}],"query":{}},"id":"377784a7-49c2-50aa-2eba-acc862a0b841"}]},{"type":"container","items":[{"type":"donut","options":{"title":"Severity of open cases","entity":"case","field":"severity","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"Open","label":"Open"}]}}],"query":{"_field":"status","_value":"Open"},"names":{"1":"low","2":"medium","3":"high","4":"critical"}},"id":"d943c6f4-61d8-b4dd-7a3a-56067829727a"},{"type":"donut","options":{"title":"TLP of open cases","entity":"case","field":"tlp","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"Open","label":"Open"}]}}],"query":{"_field":"status","_value":"Open"},"names":{"0":"white","1":"green","2":"amber","3":"red"}},"id":"4c7bb013-c87f-7f17-0892-e20af2a0dcac"}]},{"type":"container","items":[{"type":"donut","options":{"title":"severity of close cases","entity":"case","field":"severity","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"Resolved","label":"Resolved"}]}}],"query":{"_field":"status","_value":"Resolved"},"names":{"1":"low","2":"medium","3":"high","4":"critical"}},"id":"e77cdda7-de93-a5ff-e0f3-280c0a1b4e75"},{"type":"donut","options":{"title":"TLP of close 
cases","entity":"case","field":"tlp","filters":[{"field":"status","type":"enumeration","value":{"list":[{"text":"Resolved","label":"Resolved"}]}}],"query":{"_field":"status","_value":"Resolved"},"names":{"0":"white","1":"green","2":"amber","3":"red"}},"id":"d8c16304-36f9-faad-e1bd-7ac919bb1c77"}]}],"customPeriod":{"fromDate":null,"toDate":null}},"_id":"sBZWJ3IBgeD6-82nLuDq","_version":3,"status":"Shared"} -------------------------------------------------------------------------------- /thehive/Imports/Job_statistics.json: -------------------------------------------------------------------------------- 1 | {"_routing":"sxZWJ3IBgeD6-82nL-AF","description":"Job statistics","title":"Job statistics","_parent":null,"definition":{"period":"last3Months","items":[{"type":"container","items":[{"type":"donut","options":{"title":"Top analyzers","entity":"case_artifact_job","field":"analyzerId","query":{},"names":{}},"id":"1eaa4dfa-5b14-50b6-e442-8729363f6f66"},{"type":"donut","options":{"title":"Cortex instance use","entity":"case_artifact_job","field":"cortexId","query":{},"names":{}},"id":"c501c2d3-9779-1d2a-6d85-bb2bd68260f5"}]},{"type":"container","items":[{"type":"bar","options":{"title":"Job owners","entity":"case_artifact_job","dateField":"createdAt","interval":"1d","field":"createdBy","stacked":true,"query":{},"names":{}},"id":"bc10b554-aa4c-6fce-c4bb-b906b9b0e398"},{"type":"bar","options":{"title":"Analyzer history","entity":"case_artifact_job","dateField":"createdAt","interval":"1d","field":"analyzerId","stacked":true,"query":{},"names":{}},"id":"cd6d0dc1-a77d-be9d-e7dd-c6a8c79b0898"}]}],"customPeriod":{"fromDate":null,"toDate":null}},"_id":"sxZWJ3IBgeD6-82nL-AF","_version":2,"status":"Shared"} -------------------------------------------------------------------------------- /thehive/Imports/Observable_statistics.json: -------------------------------------------------------------------------------- 1 | {"_routing":"sRZWJ3IBgeD6-82nLuDz","description":"Observable 
statistics","title":"Observable statistics","_parent":null,"definition":{"period":"last30Days","items":[{"type":"container","items":[{"type":"donut","options":{"title":"Observables by type","entity":"case_artifact","field":"dataType","query":{"_not":{"_field":"status","_value":"Deleted"}},"names":{"fqdn":"fqdn","url":"url","regexp":"regexp","mail":"mail","hash":"hash","registry":"registry","uri_path":"uri_path","truc":"truc","ip":"ip","user-agent":"user-agent","autonomous-system":"autonomous-system","file":"file","mail_subject":"mail_subject","filename":"filename","other":"other","domain":"domain","md5":"md5","sha256":"sha256","sha1":"sha1"},"filters":[{"field":"status","type":"enumeration","value":{"operator":"none","list":[{"text":"Deleted","label":"Deleted"}]}}]},"id":"6ee86a99-3f40-1960-fd4d-398a1da5b76e"},{"type":"donut","options":{"title":"Observables by data","entity":"case_artifact","field":"data","query":{},"names":{}},"id":"72471d6c-a42d-4261-b205-6614428785c6"},{"type":"donut","options":{"title":"Observables by attachment content type","entity":"case_artifact","field":"attachment.contentType","query":{"_and":[{"_field":"dataType","_value":"file"},{"_not":{"_field":"status","_value":"Deleted"}}]},"names":{},"filters":[{"field":"dataType","type":"enumeration","value":{"list":[{"text":"file","label":"file"}]}},{"field":"status","type":"enumeration","value":{"operator":"none","list":[{"text":"Deleted","label":"Deleted"}]}}]},"id":"b6110238-3074-4e85-674f-4bc56829e68a"}]},{"type":"container","items":[{"type":"donut","options":{"title":"Observable tags","entity":"case_artifact","field":"tags","query":{"_not":{"_field":"status","_value":"Deleted"}},"names":{},"filters":[{"field":"status","type":"enumeration","value":{"operator":"none","list":[{"text":"Deleted","label":"Deleted"}]}}]},"id":"70bbc0a5-1692-4e46-ebac-8769952ad9c0"},{"type":"donut","options":{"title":"Observables by 
TLP","entity":"case_artifact","field":"tlp","query":{"_not":{"_field":"status","_value":"Deleted"}},"names":{"0":"white","1":"green","2":"amber","3":"red"},"colors":{"0":"#bdf0ea","1":"#48e80f","2":"#e0a91a","3":"#f02626"},"filters":[{"field":"status","type":"enumeration","value":{"operator":"none","list":[{"text":"Deleted","label":"Deleted"}]}}]},"id":"633fbe97-805e-6123-3330-29f5c8f45f13"}]},{"type":"container","items":[{"type":"donut","options":{"title":"Observables by IOC flag","entity":"case_artifact","field":"ioc","query":{"_not":{"_field":"status","_value":"Deleted"}},"names":{},"filters":[{"field":"status","type":"enumeration","value":{"operator":"none","list":[{"text":"Deleted","label":"Deleted"}]}}]},"id":"771a3bdf-e437-ac3a-384d-23be91a25b07"},{"type":"line","options":{"title":"Observables over time","entity":"case_artifact","field":"createdAt","interval":"1d","series":[{"agg":"count","field":null,"type":"area-spline","filters":[{"field":"ioc","type":"boolean","value":true}],"label":"IOC","query":{"_field":"ioc","_value":true}},{"agg":"count","field":null,"type":"area-spline","label":"non-IOC","filters":[{"field":"ioc","type":"boolean","value":false}],"query":{"_field":"ioc","_value":false}}],"stacked":true,"query":{"_not":{"_field":"status","_value":"Deleted"}},"filters":[{"field":"status","type":"enumeration","value":{"operator":"none","list":[{"text":"Deleted","label":"Deleted"}]}}]},"id":"e5ed24a6-51ed-ecc4-9db0-ce837fd84214"}]}],"customPeriod":{"fromDate":"2020-06-02T22:00:00.000Z","toDate":"2020-06-03T22:00:00.000Z"}},"_id":"sRZWJ3IBgeD6-82nLuDz","_version":5,"status":"Shared"}
--------------------------------------------------------------------------------
/thehive/application.conf:
--------------------------------------------------------------------------------
# TheHive application configuration (HOCON) for this stack: graph and index
# storage, the attachment datastore, and the Cortex, MISP and webhook connectors.
#
# Play's application secret (used to sign session cookies). This literal is
# checked into the repository, so every instance deployed from it shares the
# same key and anyone with read access to the repo knows it; generate a fresh,
# per-deployment value instead of shipping a fixed one.
1 | play.http.secret.key="t5EeDXh2dEtJxohh"
# Served under /thehive, presumably behind the traefik entry point defined
# further down (TLS on :443) — confirm the router labels on the container.
2 | play.http.context="/thehive"
# Accepts HTTP Basic credentials on requests in addition to session login;
# credentials then travel with every request, so this is only safe over TLS.
3 | auth.method.basic=true
4 | 
5 | # JanusGraph
6 | db {
7 | provider: janusgraph
8 | janusgraph {
# Graph data lives in Cassandra (host "cassandra").
9 | storage {
10 | backend: cql
11 | hostname: ["cassandra"]
12 | 
13 | cql {
14 | cluster-name: thp # cluster name
15 | keyspace: thehive # name of the keyspace
# ONE is the weakest consistency level (a single replica acknowledges); fine for
# the single host listed above, revisit if the ring grows.
16 | read-consistency-level: ONE
17 | write-consistency-level: ONE
18 | }
19 | }
20 | 
21 | ## Index configuration
22 | index {
23 | search {
24 | backend: elasticsearch
25 | hostname: ["es01"]
26 | index-name: thehive
27 | elasticsearch {
28 | http {
29 | auth {
30 | type: basic
31 | basic {
# The built-in "elastic" superuser with its well-known default password. Change
# it before first start and prefer a dedicated user limited to the "thehive"
# index — this account can read and alter every index in the cluster.
32 | username: elastic
33 | password: changeme
34 | }
35 | }
36 | }
37 | ssl {
38 | enabled: true
# TLS to es01 is on, but neither the certificate chain nor the hostname is
# verified, so the connection is protected only against passive capture; trust
# the es01 certificate (or its issuing CA) explicitly when it is available.
39 | disable-hostname-verification: true
40 | allow-self-signed-certificates: true
41 | }
42 | }
43 | }
44 | }
45 | }
46 | }
47 | 
# Attachments are kept on the local filesystem under /opt/data.
48 | storage {
49 | provider: localfs
50 | localfs.location: /opt/data
51 | }
52 | 
53 | datastore {
54 | name = data
55 | # Size of stored data chunks
56 | chunksize = 50k
57 | hash {
58 | # Main hash algorithm /!\ Don't change this value
59 | main = "SHA-256"
60 | # Additional hash algorithms (used in attachments)
# Presumably computed so attachments can be matched against indicators that are
# only published as SHA-1/MD5; they are not used for integrity (SHA-256 is).
61 | extra = ["SHA-1", "MD5"]
62 | }
# Password applied to attachment archives. "infected" is the conventional value
# used by malware-sharing tools: it prevents accidental opening and AV
# quarantine on download, it is not a secret.
63 | attachment.password = "infected"
64 | }
65 | 
# Presumably the request-body buffering limits of the HTTP parser (and hence the
# practical upload size) — TODO confirm against the Play documentation.
66 | play.http.parser.maxDiskBuffer: 50MB
67 | play.http.parser.maxMemoryBuffer: 10MB
68 | 
69 | 
70 | play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
71 | cortex {
72 | servers = [
73 | {
74 | name = CORTEX
# Plain HTTP to the Cortex container; acceptable only on the internal compose
# network, since the bearer key below is sent in clear on this connection.
75 | url = "http://cortex:9001/cortex"
76 | auth {
77 | type = "bearer"
# Looks like a placeholder substituted at deploy time — TODO confirm it is never
# left as-is on a running instance.
78 | key = "cortex_api_key"
79 | }
80 | # HTTP client configuration (SSL and proxy)
81 | # wsConfig {}
82 | # List TheHive organisation which can use this Cortex server. All ("*") by default
83 | # includedTheHiveOrganisations = ["*"]
84 | # List TheHive organisation which cannot use this Cortex server. None by default
85 | # excludedTheHiveOrganisations = []
86 | }
87 | ]
88 | # Check job update time interval
89 | refreshDelay = 5 seconds
90 | # Maximum number of successive errors before giving up
91 | maxRetryOnError = 3
92 | # Check remote Cortex status time interval
93 | statusCheckInterval = 1 minute
94 | }
95 | # MISP configuration
96 | play.modules.enabled += org.thp.thehive.connector.misp.MispModule
97 | misp {
98 | syncInterval = "5 min"
99 | servers: [
100 | {
101 | name = "MISP" # MISP name
# "s1em_hostname" looks like a placeholder substituted at deploy time — TODO confirm.
102 | url = "https://s1em_hostname/misp" # URL of the MISP instance
103 | auth {
104 | type = key
105 | key = "misp_api_key" # MISP API key
106 | }
# Certificate validation is disabled for this connection, so the API key above
# is presented to whichever host answers for s1em_hostname; prefer trusting the
# proxy certificate explicitly.
107 | wsConfig { ssl { loose { acceptAnyCertificate: true } } }
# Presumably both directions: MISP events are pulled in as alerts and cases can
# be exported back to MISP.
108 | purpose = ImportAndExport
109 | }
110 | ]
111 | }
112 | notification.webhook.endpoints = [
113 | {
114 | name: n8n
# No auth header is sent (type "none" below), so the unguessable path segment in
# this URL is the only credential protecting the n8n webhook; treat this file
# as sensitive and regenerate the webhook path if it leaks.
115 | url: "https://s1em_hostname/n8n/prod/e6787464-22ab-43a0-a049-2dd41ff42b11/webhook"
116 | version: 0
# "wsConfig" appears twice; HOCON merges duplicate object keys, so the ssl block
# two lines down is what applies (and again turns off certificate checks).
117 | wsConfig: {}
118 | auth: {type:"none"}
119 | wsConfig { ssl { loose { acceptAnyCertificate: true } } }
120 | includedTheHiveOrganisations: ["*"]
121 | excludedTheHiveOrganisations: []
122 | }
123 | ]
124 | 
--------------------------------------------------------------------------------
/traefik/dyn.toml:
--------------------------------------------------------------------------------
# Traefik dynamic configuration: a single certificate pair is both listed and
# set as the default-store certificate, so it is served for every hostname.
# Keep traefik.key readable only by the traefik container.
1 | [tls]
2 | [[tls.certificates]]
3 | certFile = "/etc/ssl/traefik/traefik.crt"
4 | keyFile = "/etc/ssl/traefik/traefik.key"
5 | stores = ["default"]
6 | 
7 | 
8 | [tls.stores]
9 | [tls.stores.default]
10 | [tls.stores.default.defaultCertificate]
11 | certFile = "/etc/ssl/traefik/traefik.crt"
12 | keyFile = "/etc/ssl/traefik/traefik.key"
13 | 
14 | 
--------------------------------------------------------------------------------
/traefik/traefik.toml:
--------------------------------------------------------------------------------
# Traefik static configuration.
1 | [global]
2 | sendAnonymousUsage = false
3 | 
4 | [serversTransport]
# Backend certificates are not verified, so traffic between traefik and the
# services is protected only against passive capture on the docker network;
# consider trusting the backends' certificates explicitly instead.
5 | InsecureSkipVerify = true
6 | 
7 | [log]
8 | level = "INFO"
9 | format = "common"
10 | 
11 | [providers]
12 | [providers.docker]
# Access to the Docker socket is equivalent to root on the host; keep this
# container minimal and never expose its API.
13 | endpoint = "unix:///var/run/docker.sock"
14 | watch = true
# Only containers that opt in with labels are routed — keep this false.
15 | exposedByDefault = false
16 | swarmMode = false
17 | [providers.file]
18 | filename = "/etc/traefik/dyn.toml"
19 | 
20 | 
21 | [accessLog]
# Written inside the container's /tmp, so it is lost on restart unless the path
# is mounted out — verify the log is actually collected.
22 | filePath = "/tmp/access.log"
23 | 
# Dashboard and debug API are disabled.
24 | [api]
25 | dashboard = false
26 | debug = false
27 | 
28 | [entryPoints]
# Only an HTTPS entry point is defined; nothing listens on :80, so there is no
# plaintext listener and no HTTP-to-HTTPS redirect either.
29 | [entryPoints.secure]
30 | address = ":443"
31 | 
32 | 
--------------------------------------------------------------------------------
/zeek/config.zeek:
--------------------------------------------------------------------------------
1 | # All configuration must occur within this file.
2 | # All other files may be overwritten during upgrade
3 | module FileExtraction;
4 | 
5 | # Configure where extracted files will be stored
# Files carved from traffic are written here unchanged, so the directory holds
# potentially malicious content: restrict who can read it and mount it noexec.
6 | redef path = "/extract_files/";
7 | 
8 | # Configure 'plugins' that can be loaded
9 | # these are shortcut modules to specify common
10 | # file extraction policies. Example:
11 | # @load ./plugins/extract-pe.bro
# Only the common-exploit-types policy is active; extract-pe above is an example
# and is not loaded.
12 | @load ./plugins/extract-common-exploit-types
--------------------------------------------------------------------------------