├── .github └── workflows │ ├── main.yml │ └── ta_build.yml ├── .gitignore ├── CONTRIBUTING.md ├── Canonical_Data_Model.md ├── Covenant_Code_of_Conduct.md ├── LICENSE.txt ├── PULL_REQUEST_TEMPLATE.md ├── README.md ├── img ├── CSNFpix.png ├── branch-create.png ├── branch-select.png ├── demo-flow.svg └── git-flow.svg ├── mappings ├── README.md ├── provider.csv ├── schema.yml └── test │ ├── requirements.txt │ └── test_csv_valid.py ├── ta-csnf ├── README.md ├── SECURITY.md ├── app.manifest ├── default │ ├── app.conf │ └── props.conf ├── metadata │ └── default.meta └── static │ ├── appIcon.png │ ├── appIconAlt.png │ ├── appIconAlt_2x.png │ ├── appIcon_2x.png │ ├── appLogo.png │ └── appLogo_2x.png └── tools ├── README.md ├── onug_decorator_python ├── README.md └── onug.py ├── provider_csv_to_provider_json_script ├── .gitignore ├── README.md ├── __init__.py ├── output.conf ├── output.json ├── provider_csv_to_provider_json.py ├── pyproject.toml ├── requirements.txt └── test │ └── resources │ ├── aws_guardduty_csnf_output.json │ ├── aws_guardduty_input.csv │ ├── sample_provider_input.csv │ └── sample_provider_output.json └── sample_findings ├── aws_gd_s3_malicousIP.json ├── aws_gd_s3_torexitnode.json ├── azure_security_center_2.json ├── falco_syscall.json ├── microsoft_defender_center_1.json ├── oci_cg_SUSPICIOUS_IP_ACTIVITY.json ├── oci_cg_VCN_Security_list.json ├── oci_cg_dhcp_option.json ├── oci_cg_public_bucket.json └── oci_cg_vss.json /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Unit Testing 2 | 3 | on: [push] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v4 10 | - name: Set up Python 11 | uses: actions/setup-python@v5 12 | with: 13 | python-version: "3.10" 14 | - name: Lint and format tools 15 | run: | 16 | cd tools/provider_csv_to_provider_json_script/ 17 | python -m pip install --upgrade pip 18 | pip install -r requirements.txt 19 | black ./ 20 | pylint ./ 21 | - name: Test provider CSV 22 | run: | 23 | pip install -r mappings/test/requirements.txt 24 | python mappings/test/test_csv_valid.py 25 | -------------------------------------------------------------------------------- /.github/workflows/ta_build.yml: -------------------------------------------------------------------------------- 1 | name: Splunk TA Builder 2 | 3 | on: 4 | push: 5 | paths: 6 | - 'ta-csnf/**' 7 | 8 | jobs: 9 | build: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v4 13 | - name: tar package files 14 | run: | 15 | COPYFILE_DISABLE=1 tar --format ustar -cvzf ta-csnf.tar.gz ta-csnf/ 16 | tar -tvf ./ta-csnf.tar.gz 17 | # curl -X POST \ 18 | # -H "Authorization: bearer " \ 19 | # -H "Cache-Control: no-cache" \ 20 | # -F "app_package=@\"/<./ta-csnf.tar.gz>\"" \ 21 | # -F "included_tags=cloud" \ 22 | # --url "https://appinspect.splunk.com/v1/app/validate" 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | .DS_Store 3 | # Byte-compiled / optimized / DLL files 4 | __pycache__/ 5 | *.py[cod] 6 | *$py.class 7 | 8 | # C extensions 9 | *.so 10 | 11 | # Distribution / packaging 12 | .Python 13 | build/ 14 | develop-eggs/ 15 | dist/ 16 | downloads/ 17 | eggs/ 18 | .eggs/ 19 | lib/ 20 | lib64/ 21 | parts/ 22 | sdist/ 23 | var/ 24 | wheels/ 25 | share/python-wheels/ 26 | *.egg-info/ 27 | .installed.cfg 28 | *.egg 29 | 30 | # Installer logs 31 | pip-log.txt 32 | pip-delete-this-directory.txt 33 | 34 | # Unit test / coverage reports 35 | htmlcov/ 36 | .tox/ 37 | .nox/ 38 | .coverage 39 | .coverage.* 40 | .cache 41 | nosetests.xml 42 | coverage.xml 43 | *.cover 44 | *.py,cover 45 | .hypothesis/ 46 | .pytest_cache/ 47 | cover/ 48 | 49 | # Translations 50 | *.mo 51 | *.pot 52 | 53 | # Django stuff: 54 | *.log 55 | local_settings.py 56 | db.sqlite3 57 | db.sqlite3-journal 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | .pybuilder/ 71 | target/ 72 | 73 | # Jupyter Notebook 74 | .ipynb_checkpoints 75 | 76 | # IPython 77 | profile_default/ 78 | ipython_config.py 79 | 80 | # pyenv 81 | # For a library or package, you might want to ignore these files since the code is 82 | # intended to run in multiple environments; otherwise, check them in: 83 | # .python-version 84 | 85 | # pipenv 86 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 87 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 88 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 89 | # install all needed dependencies. 90 | #Pipfile.lock 91 | 92 | # poetry 93 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 94 | # This is especially recommended for binary packages to ensure reproducibility, and is more 95 | # commonly ignored for libraries. 96 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 97 | #poetry.lock 98 | 99 | # pdm 100 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 101 | #pdm.lock 102 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 103 | # in version control. 104 | # https://pdm.fming.dev/#use-with-ide 105 | .pdm.toml 106 | 107 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 108 | __pypackages__/ 109 | 110 | # Celery stuff 111 | celerybeat-schedule 112 | celerybeat.pid 113 | 114 | # SageMath parsed files 115 | *.sage.py 116 | 117 | # Environments 118 | .env 119 | .venv 120 | env/ 121 | venv/ 122 | ENV/ 123 | env.bak/ 124 | venv.bak/ 125 | 126 | # Spyder project settings 127 | .spyderproject 128 | .spyproject 129 | 130 | # Rope project settings 131 | .ropeproject 132 | 133 | # mkdocs documentation 134 | /site 135 | 136 | # mypy 137 | .mypy_cache/ 138 | .dmypy.json 139 | dmypy.json 140 | 141 | # Pyre type checker 142 | .pyre/ 143 | 144 | # pytype static type analyzer 145 | .pytype/ 146 | 147 | # Cython debug symbols 148 | cython_debug/ 149 | 150 | *.swp 151 | # PyCharm 152 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 153 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 154 | # and can be added to the global gitignore or merged into this file. For a more nuclear 155 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 156 | #.idea/ 157 | *.bkp 158 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to ONUG CSNF 2 | 3 | ## Intro 4 | 5 | The CSNF repo is managed in Github, and the repository is maintained by Peter Campbell (pcampbe@gmail.com) and Michael Clark (mclark@renaissancetech.media). All contributions must be made via a git pull request. 6 | 7 | We use a fairly typical feature branching approach to collaborative development. 8 | 9 | ![Git Flow Diagram](img/git-flow.svg) 10 | 11 | ## Git Setup 12 | ### GitHub Access 13 | n order to contribute, you’ll need a github.com ID - go to [https://github.com/](https://github.com/), click on “sign up”, and create an account. Once you’ve created your account, associate an SSH key with it. See the [github docs](https://docs.github.com/en/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account) for details on doing that. 14 | 15 | Once you’ve got an account set up, and an ssh key added to it, send [@Peter Campbell](mailto:pcampbe@gmail.com) or [@Michael Clark](mailto:mclark@renaissancetech.media) a note to add you to the repository. You’ll be added with write access to the repo. 16 | 17 | ### Cloning to Local 18 | Once you’ve got an account and an ssh key, you can clone the repo via ssh (you just won’t be able to do anything other than read until your account is enabled for the repo). If you already have the repo cloned via https, it's recommended to delete it and reclone using ssh. To do this, just run: 19 | 20 | git clone git@github.com:onug/CSNF.git 21 | This will create a “CSNF” directory in your current working directory, and copy all of the contents of the repo to it. 22 | 23 | ### Creating a Feature Branch 24 | Direct writing to the master branch should not be done (and in fact is disallowed by rule). Instead, you should create a branch, based off of the main branch. There are a few ways to create a branch, but the easiest way is to go to the github repo’s page at: 25 | 26 | https://github.com/onug/CSNF 27 | 28 | Once there, ensure that the master branch is selected (see the below image). 29 | ![Branch Selection](img/branch-select.png) 30 | 31 | Click on the branch selector again, and start typing the name of the branch you want to create. If you’ve been enabled for write access, you should see something like this: 32 | 33 | ![Branch Creation](img/branch-create.png) 34 | 35 | Go ahead and select “Create branch”. At this point, you’ve created the branch on the github server. Now, you need to pull it locally. In your local shell, in the CSNF directory, type: 36 | 37 | ```bash 38 | git fetch && git checkout 39 | ``` 40 | 41 | replacing `` with the name of the branch you just created. The `git fetch` reaches out to the repo for updates (which will include the new branch you just created), and then the `git checkout` pulls down the metadata locally, and switches your local to the newly created branch. Once you’ve done this, any git commands you issue will be operating on that branch. 42 | 43 | ## Exploring the Repository’s Structure 44 | 45 | The directory structure looks something like this: 46 | * [CSNF](README.md) 47 | * [csnf](README.md) 48 | * [demo-service](README.md) -------------------------------------------------------------------------------- /Canonical_Data_Model.md: -------------------------------------------------------------------------------- 1 | # Canonical Data Model 2 | ## Table of Contents 3 | 4 | 1. [Overview](#overview) 5 | 1. [Scope](#csnf-scope) 6 | 1. [Out of Scope](#csnf-out-of-scope) 7 | 1. [Canonical Data Model Entities](#canonical-data-model) 8 | 1. [Namespaces](#csnf-namespaces) 9 | 1. [Providers](#csnf-provider) 10 | 1. [Event](#csnf-event) 11 | 1. [Resource](#csnf-resource) 12 | 1. [Service](#csnf-service) 13 | 1. [Threat Actor](#csnf-threat-actor) 14 | 1. [Decorator](#csnf-decorator) 15 | 16 | ## Overview 17 | 18 | What is the Cloud Security Notification Framework (CSNF)? CSNF is an Open Source initiative tackling the difficulty of providing security assurance for Cloud at scale caused by the large volume of events and security state messaging. The problem is compounded when using multiple Cloud Service Providers (CSP’s) due to the the lack of standardized events and alerts amongst CSP’s. 19 | 20 | CSNF defines a Canonical Data Model as well as interpretation and decoration patterns that can be used to reduce toil, drive consistency and allow enterprises to apply a context-aware approach to security by correlating and acting upon security events across multiple providers at scale. 21 | 22 | ### Scope 23 | - The focus of initial iterations is on data in the Security space. Other domains (e.g., operational monitoring) may be addressed in the future. 24 | - CSNF does not only include Cloud Providers like Azure, Amazon, Google, Oracle, but also security solutions / services from Symantec, Fortinet, Splunk, etc. 25 | - Format of the taxonomy is scoped to CSV, JSON, and YAML. 26 | 27 | ### Out of Scope 28 | - The specific technology as to how do these CSPs protect security perimeter. 29 | - Security Solutions not protecting cloud workloads. 30 | 31 | 32 | ## Canonical Data Model Entities 33 | 34 | ### CSNF Namespaces 35 | 36 | The CSNF namespaces are used to help categorize and standardize events across multiple providers. The namespace provides a high level categorization for event data, so that customers can better analyze, visualize, and correlate the data represented in their events. 37 | 38 | CSNF improvements are released following [Semantic Versioning](https://semver.org/). 39 | 40 | ### Provider 41 | 42 | Fields related to the cloud (Iaas, SaaS or PasS) infrastructure the events are coming from. 43 | 44 | | Element details** | CSNF Element Type | CSNF Namespace | Required? | CSNF Description | 45 | | ------------------ | ----------------- | -------------- | --------- | ------------------------------------------------------------------------------------------------------------------ | 46 | | provider.guid | guid | .provider | Yes | Identifier | 47 | | provider.type | type | .provider | No | IaaS, SaaS or PaaS | 48 | | provider.product | product | .provider | Yes | Source product service name from the vendor to indicate the origin (e.g. Azure Defender, Oracle Cloud Guard, etc.) | 49 | | provider.name | name | .provider | Yes | The cloud account name or alias used to identify different entities in a multi-tenant environment. | 50 | | provider.accountId | accountId | .provider | Yes | The cloud account or organization id used to identify different entities in a multi-tenant environment. | 51 | 52 | ### Event 53 | 54 | Any observable occurrence in the operations of an information technology service is an event. 55 | 56 | Note: A security event is an observable occurrence that could affect your security posture. Each organization has its own threshold for designating an event as a security event 57 | 58 | | Element details | CSNF Element Type | CSNF Namespace | Required? | CSNF Description | 59 | | ---------------------------- | ----------------------- | -------------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 60 | | event.guid | guid | .event | Yes | Identifier | 61 | | event.relatedEvent | array | .event | No | | 62 | | event.accountId | ResourceId | .event | No | The cloud account or organization id used to identify different entities in a multi-tenant environment. | 63 | | event.time | time | .event | Yes | Time - The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | 64 | | event.timezone | timezone | .event | No | | 65 | | event.geolocation.country | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 66 | | event.geolocation.postalcode | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 67 | | event.geolocation.state | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 68 | | event.geolocation.city | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 69 | | event.geolocation.ipv4 | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 70 | | event.geolocation.ipv6 | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 71 | | event.geolocation.latitude | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 72 | | event.geolocation.longitude | geolocation | .event | No | Geolocation includes country, state, city, zip and latitude, longitude information | 73 | | event.severity | Severity | .event | Yes | Event severity set by the provider | 74 | | event.state | State | .event | No | Event state whether active or resolved | 75 | | event.url | URL | .event | Yes | Direct URL link to the event for details | 76 | | event.name | Name | .event | Yes | Name of event | 77 | | event.shortDescription | shortDescription | .event | No | Brief description of event | 78 | | event.longDescription | longDescription | .event | No | Detailed description of event | 79 | | event.additionalProperties | additionalProperties | .event | No | Key-Value pairs or property bag for additional missing but critical event properties. Includes labels. | 80 | | event.timeStart | Event start time | .event | Yes | Time at which the event ocurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | 81 | | event.timeEnd | Event end time | .event | No | Time at which the event ended. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | 82 | | event.timeUpdated | Event update time (NEW) | .event | Yes | Time - The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | 83 | | event.type | String | .event | No | Enumeration of Event type - for e.g., Threat, WAF, etc. for security namespace (NEED A STAND LIST) | 84 | | event.recommendation | Recommendations | .event | No | 85 | 86 | ### Resource 87 | 88 | A resource types describes the resources that the finding refers to. 89 | 90 | | Element details | CSNF Element Type | CSNF Namespace | Required? | CSNF Description | 91 | | ----------------------------- | --------------------- | -------------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | 92 | | resource.accountId | ResourceId | .resource | No | The cloud account or organization id used to identify different entities in a multi-tenant environment. | 93 | | resource.group | ResourceGroup | .resource | No | Group this resource belongs to | 94 | | resource.guid | Guid | .resource | No | Resource identifier | 95 | | resource.type | Type | .resource | No | Resource type | 96 | | resource.name | Name | .resource | No | Resource name | 97 | | resource.region | Region | .resource | No | Resource geolocation includes country, state, city, zip and latitude, longitude information --> update this to make this region for the resource only | 98 | | resource.zone | Zone | .resource | No | Resource zone | 99 | | resource.url | URL | .resource | No | Resource URL / URI | 100 | | resource.criticality | Criticality | .resource | No | If the resource is critcial or not | 101 | | resource.additionalProperties | Additional Properties | .resource | No | Key-Value pairs or property bag for additional missing but critical event properties | 102 | 103 | 104 | ### Service 105 | ### Service 106 | 107 | 108 | The service type describes the service for or from which the data was collected. The cloud service name is intended to distinguish services running on different platforms within a provider 109 | 110 | | Element details | CSNF Element Type | CSNF Namespace | Required? | CSNF Description | 111 | | --------------------------- | --------------------- | -------------- | --------- | ------------------------------------------------------------------------------------------ | 112 | | service.guid | Guid | .service | No | Service being monitored - identifier | 113 | | service.type | Type | .service | No | Service type | 114 | | service.name | Name | .service | No | Service name | 115 | | service.region | Region | .service | No | Service geolocation includes country, state, city, zip and latitude, longitude information | 116 | | service.zone | Zone | .service | No | Service zone | 117 | | service.url | URL | .service | No | | 118 | | service.addtionalProperties | Additional Properties | .service | No | Key-Value pairs or property bag for additional missing but critical event properties | 119 | 120 | ### Threat Actor 121 | 122 | 123 | The threat actor is the entity that initiated the event 124 | 125 | | Element details | CSNF Element Type | CSNF Namespace | Required? | CSNF Description | 126 | | -------------------------------- | --------------------- | -------------- | --------- | ------------------------------------------------------------------------------------ | 127 | | threatactor.guid | guid | .threatactor | No | Threat actor identifier | 128 | | threatactor.type | Type | .threatactor | No | Threat actor type | 129 | | threatactor.name | Name | .threatactor | No | Threat actor name | 130 | | threatactor.additionalProperties | Additional Properties | .threatactor | No | Key-Value pairs or property bag for additional missing but critical event properties | 131 | 132 | ### Decorator 133 | 134 | The CSNF decorator provides context awareness for security events in terms of risk, threat, compliance, asset value. The Cloud consumer can also apply a custom decorator to the event based on their own unique business context, for example a custom decoration based on asset value based on criticality, cost or sensitivity could be applied to the event in order to better contextualize and prioritize response based on business context. 135 | 136 | The decorator type allows additional context to be added to an individual event from a trusted source without mutating the base event. There can be multiple decorators applied to the base event. The combination of standardized security events along with correlated knowledge and analytics processing provide new capabilities for the organizations security team to develop and apply fine-grained secuirty policy based on contextual awareness that was previously unknown. 137 | 138 | 139 | | Element details | CSNF Element Type | CSNF Namespace | Required? | CSNF Description | 140 | | ---------------------------- | ------------------- | -------------- | --------- | ----------------------------------------------------- | 141 | | decorator.references | References | .decorator | No | The source of enrichment information | 142 | | decorator.compliance | Compliance | .decorator | No | Compliance status of enrichment source | 143 | | decorator.risk | Risk | .decorator | No | Risk of the event | 144 | | decorator.dataClassification | Data Classification | .decorator | No | Event classification | 145 | | decorator.behavior | Behavior | .decorator | No | Behavior of entity associated with the event | 146 | | decorator.vulnerability | Vulnerability | .decorator | No | Vulnerability information pertaining to the event | 147 | | decorator.threat | Threat | .decorator | No | Threat information pertaining to the event | 148 | | decorator.custom1 | Custom1 | .decorator | No | Additional custom information pertaining to the event | 149 | | decorator.custom2 | Custom2 | .decorator | No | Additional custom information pertaining to the event | -------------------------------------------------------------------------------- /Covenant_Code_of_Conduct.md: -------------------------------------------------------------------------------- 1 | 2 | # Contributor Covenant Code of Conduct 3 | 4 | ## Our Pledge 5 | 6 | We as members, contributors, and leaders pledge to make participation in our 7 | community a harassment-free experience for everyone, regardless of age, body 8 | size, visible or invisible disability, ethnicity, sex characteristics, gender 9 | identity and expression, level of experience, education, socio-economic status, 10 | nationality, personal appearance, race, religion, or sexual identity 11 | and orientation. 12 | 13 | We pledge to act and interact in ways that contribute to an open, welcoming, 14 | diverse, inclusive, and healthy community. 15 | 16 | ## Our Standards 17 | 18 | Examples of behavior that contributes to a positive environment for our 19 | community include: 20 | 21 | * Demonstrating empathy and kindness toward other people 22 | * Being respectful of differing opinions, viewpoints, and experiences 23 | * Giving and gracefully accepting constructive feedback 24 | * Accepting responsibility and apologizing to those affected by our mistakes, 25 | and learning from the experience 26 | * Focusing on what is best not just for us as individuals, but for the 27 | overall community 28 | 29 | Examples of unacceptable behavior include: 30 | 31 | * The use of sexualized language or imagery, and sexual attention or 32 | advances of any kind 33 | * Trolling, insulting or derogatory comments, and personal or political attacks 34 | * Public or private harassment 35 | * Publishing others' private information, such as a physical or email 36 | address, without their explicit permission 37 | * Other conduct which could reasonably be considered inappropriate in a 38 | professional setting 39 | 40 | ## Enforcement Responsibilities 41 | 42 | Community leaders are responsible for clarifying and enforcing our standards of 43 | acceptable behavior and will take appropriate and fair corrective action in 44 | response to any behavior that they deem inappropriate, threatening, offensive, 45 | or harmful. 46 | 47 | Community leaders have the right and responsibility to remove, edit, or reject 48 | comments, commits, code, wiki edits, issues, and other contributions that are 49 | not aligned to this Code of Conduct, and will communicate reasons for moderation 50 | decisions when appropriate. 51 | 52 | ## Scope 53 | 54 | This Code of Conduct applies within all community spaces, and also applies when 55 | an individual is officially representing the community in public spaces. 56 | Examples of representing our community include using an official e-mail address, 57 | posting via an official social media account, or acting as an appointed 58 | representative at an online or offline event. 59 | 60 | ## Enforcement 61 | 62 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 63 | reported to the community leaders responsible for enforcement at 64 | [INSERT CONTACT METHOD]. 65 | All complaints will be reviewed and investigated promptly and fairly. 66 | 67 | All community leaders are obligated to respect the privacy and security of the 68 | reporter of any incident. 69 | 70 | ## Enforcement Guidelines 71 | 72 | Community leaders will follow these Community Impact Guidelines in determining 73 | the consequences for any action they deem in violation of this Code of Conduct: 74 | 75 | ### 1. Correction 76 | 77 | **Community Impact**: Use of inappropriate language or other behavior deemed 78 | unprofessional or unwelcome in the community. 79 | 80 | **Consequence**: A private, written warning from community leaders, providing 81 | clarity around the nature of the violation and an explanation of why the 82 | behavior was inappropriate. A public apology may be requested. 83 | 84 | ### 2. Warning 85 | 86 | **Community Impact**: A violation through a single incident or series 87 | of actions. 88 | 89 | **Consequence**: A warning with consequences for continued behavior. No 90 | interaction with the people involved, including unsolicited interaction with 91 | those enforcing the Code of Conduct, for a specified period of time. This 92 | includes avoiding interactions in community spaces as well as external channels 93 | like social media. Violating these terms may lead to a temporary or 94 | permanent ban. 95 | 96 | ### 3. Temporary Ban 97 | 98 | **Community Impact**: A serious violation of community standards, including 99 | sustained inappropriate behavior. 100 | 101 | **Consequence**: A temporary ban from any sort of interaction or public 102 | communication with the community for a specified period of time. No public or 103 | private interaction with the people involved, including unsolicited interaction 104 | with those enforcing the Code of Conduct, is allowed during this period. 105 | Violating these terms may lead to a permanent ban. 106 | 107 | ### 4. Permanent Ban 108 | 109 | **Community Impact**: Demonstrating a pattern of violation of community 110 | standards, including sustained inappropriate behavior, harassment of an 111 | individual, or aggression toward or disparagement of classes of individuals. 112 | 113 | **Consequence**: A permanent ban from any sort of public interaction within 114 | the community. 115 | 116 | ## Attribution 117 | 118 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 119 | version 2.0, available at 120 | [https://www.contributor-covenant.org/version/2/0/code_of_conduct.html][v2.0]. 121 | 122 | Community Impact Guidelines were inspired by 123 | [Mozilla's code of conduct enforcement ladder][Mozilla CoC]. 124 | 125 | For answers to common questions about this code of conduct, see the FAQ at 126 | [https://www.contributor-covenant.org/faq][FAQ]. Translations are available 127 | at [https://www.contributor-covenant.org/translations][translations]. 128 | 129 | [homepage]: https://www.contributor-covenant.org 130 | [v2.0]: https://www.contributor-covenant.org/version/2/0/code_of_conduct.html 131 | [Mozilla CoC]: https://github.com/mozilla/diversity 132 | [FAQ]: https://www.contributor-covenant.org/faq 133 | [translations]: https://www.contributor-covenant.org/translations 134 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright 2021 Open Networking User Group 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. -------------------------------------------------------------------------------- /PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ### Description 2 | 3 | Please describe your pull request if unclear. 4 | 5 | ### Your checklist for this pull request 6 | 🚨Please review the [guidelines for contributing](CONTRIBUTING.md) to this repository. 7 | 8 | - Take a minute to review the [code of conduct](Covenant_Code_of_Conduct.md). 9 | 10 | 💔Thank you from the Automated Cloud Governance Working Group at ONUG! 11 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # CSNF Cloud Security Notifications Framework 3 | 4 | ![Unit Testing](https://github.com/onug/csnf/actions/workflows/main.yml/badge.svg) 5 | 6 | ## Table of Contents 7 | 8 | 1. [Overview](#overview) 9 | 1. [Getting Started](#getting-started) 10 | 1. [Splunk Plugin](#splunk) 11 | 1. [Canonical Data Model](./Canonical_Data_Model.md) 12 | 1. [Contributing Mappings to CSNF](#contributing-mappings-csnf) 13 | 1. [Event Producers](#producers) 14 | 1. [Producers Getting Started](#provider-getting-started) 15 | 1. [Contributing](#contributing) 16 | 1. [License](#license) 17 | 18 | ## Overview 19 | 20 | Tired of the mental gymnastics of understanding bespoke security log message formats? **CSNF** provides a common data model for security notifications from all cloud providers and related vendor tools. 21 | 22 | Ideal for incident response teams, where every second counts in an investigation, but flexible enough to help all security engineering teams working across multiple clouds and platforms to better understand and build automation around observability data. 23 | 24 | Our goal is to produce a standardized mapping of security log fields that simplifies the numerous systems present in a modern organization. 25 | 26 | ## Getting Started 27 | 28 | ### Splunk 29 | If you or your organization uses Splunk, getting started with CSNF should be as easy as [installing the CSNF Splunk Technology Add-on (TA)](https://splunkbase.splunk.com/app/6880). 30 | 31 | With the installation of the Splunk TA, your organization will be able to access and visualize the existing mappings as metadata fields across your cloud indices. 32 | 33 | ## Contributing Mappings to CSNF 34 | 35 | ### Event Providers 36 | If you manage a tool or product expected to output logs ingested by security teams, check out [the CSNF Schema](./mappings/schema.yml) and leverage our fields for your log outputs. 37 | 38 | To learn what fields are available and their meaning please see the [Canonical Data Model](./Canonical_Data_Model.md). 39 | 40 | ### Producer – Getting started 41 | Producers can get started to connect their information with CSNF with the following steps: 42 | 1. **Map security findings and alerts to CSNF CDM**: 43 | [Provider CSV Readme](./mappings/README.md) is a for mapping Cloud Service Providers (CSPs) or security provider alerts to the ONUG CSF format. Map your security findings to [Provider CSV](./mappings/provider.csv). 44 | Map your common properties across your findings using the `__default__` in `Alert Id` column. For additional information see the [Provider CSV Readme](.//README.md). 45 | 46 | 1. **Add Sample Finding(s)**: 47 | Place one or more unmapped sample findings in the [sample_findings/](./sample_findings) directory. Name convention - `__.json` ex. `microsoft_defender_1.json` 48 | 49 | 1. **Validate outcomes.** 50 | Run the [provider_csv_to_provider_json_script](./tools/provider_csv_to_provider_json_script/README.md) to ensure it generates an output JSON file. 51 | 1. **Contribute to the CSNF GitHub repository.** Create a pull request (PR) using following the process defined in [CONTRIBUTING.md](./CONTRIBUTING.md). 52 | 53 | ## Contributing 54 | 55 | Please read the [CONTRIBUTING.md](./CONTRIBUTING.md) page to learn more about how you can contribute to the CSNF `demo-service`. 56 | 57 | **Please also read the CSNF [Contributor Code Of Conduct](./Covenant_Code_of_Conduct.md)**. 58 | 59 | ## License 60 | 61 | Distributed under the Apache-2.0 License, see [LICENSE.txt](./LICENSE.txt) 62 | -------------------------------------------------------------------------------- /img/CSNFpix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/img/CSNFpix.png -------------------------------------------------------------------------------- /img/branch-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/img/branch-create.png -------------------------------------------------------------------------------- /img/branch-select.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/img/branch-select.png -------------------------------------------------------------------------------- /img/demo-flow.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 |
CSP Generated HTTP Event 
CSP Generated HTTP E...
Receiver
Receiver
Dispatcher
Dispatcher
Decorator
Decorator
CSNF Canonical Model
(Dictionary)
CSNF Canonica...
docker-compose
docker-compose
csnf-app service
csnf-app service
HTTP Event Collector
HTTP Event Collector
Content-Type: application/json
Content-Type: appl...
Normalized, decorated event
Normalized, decorated...
Listening for events on http://localhost:3000
Listening for events on...Viewer does not support full SVG 1.1 -------------------------------------------------------------------------------- /mappings/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Provider Mapping Spreadsheet 3 | ## Overview 4 | A spreadsheet(CSV) is a useful tool for mapping Cloud Service Providers (CSPs) or security provider alerts to the ONUG CSF format. To accelerate mapping activities we created the below spreadsheet template and include example mapping of OCI, Azure, and AWS alerts into the ONUG CSNF. 5 | 6 | - Provider CSV File: [provider.csv](./provider.csv). 7 | 8 | ## Columns Meaning 9 | - **Provider** - the name of the provider the record ex. Oracle Cloud Infrastructure, Azure, IBM, Amazon Web Services, etc. 10 | - **Provider Type** - the type company providing the record ex. CSP, CSPM, etc 11 | - **Provider ID** - Provider Unique Identifier 12 | - **Source** - the product name providing the record ex. Cloud Guard, Defender 13 | - **Source ID** - Source Unique Identifier 14 | - **Alert Id** - the unique identifier for a field in an alert. 15 | - `__default__` is for fields that are same across alerts for a specific source. 16 | - For alert specific fields you must use the unique identifier for the alert ex. BUCKET_IS_PUBLIC 17 | - *Demo code only supports OCI Cloud Guard specific alert fields* 18 | - **Source Regex Identifier** - regex expression to that can be used for programmatic parsing of events. Sample code in python use 19 | - **CSNF Dictionary** - the CSNF conical mapping in dot notated field ex. event.guid 20 | - **Path** - the source dot notated location of the field in an alert ex: 21 | - OCI Cloud Guard: `data.resourceId` 22 | - Azure Defender: `properties.subscriptionId` 23 | - AWS GuardDuty: `AccountId` 24 | - **Static Value** - override for record. Can be used for demos or obfuscating sensitive data. 25 | - **Entity Type** - data type of the field being mapped ex. datetime, string, integer 26 | - *This feature is currently not used by the demo code* 27 | 28 | 29 | ## Provider Mapping Example 30 | | **Provider** | **Provider Type** | **Provider ID** | **Source** | **Source ID** | **Source Regex Identifier** | **alertId** | **CSNF Dictionary** | **path** | **staticValue** | **entityType** | 31 | |-----------------------------|-------------------|-----------------|-------------|---------------|-------------------------------------|------------------------|------------------------|-------------------------------------------------------|-----------------|----------------| 32 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | provider.accountId | data.additionalDetails.tenantId | string | | 33 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | event.guid | data.resourceId | string | | 34 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | event.name | data.additionalDetails.problemName | string | | 35 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | event.shortDescription | data.additionalDetails.problemDescription | string | | 36 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | event.startTime | data.additionalDetails.firstDetected | datetime | | 37 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | event.severity | data.additionalDetails.riskLevel | string | | 38 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | event.status | data.additionalDetails.status | string | | 39 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | resource.identifier | data.additionalDetails.resourceId | orclResourceId | | 40 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | resource.type | data.additionalDetails.resourceType | string | | 41 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | resource.name | data.additionalDetails.resourceName | string | | 42 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | resource.region | data.additionalDetails.region | string | | 43 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | __default__ | resource.zone | data.compartmentName | string | | 44 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | BUCKET_IS_PUBLIC | event.recommendation | data.additionalDetails.problemRecommendation | string | | 45 | | Oracle Cloud Infrastructure | CSP | 1 | Cloud Guard | 1 | ocid[0-9].cloudguardproblem.oc[0-9] | SUSPICIOUS_IP_ACTIVITY | event.geolocation.ipv4 | data.additionalDetails.impactedResourceId | | | 46 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | provider.accountId | properties.subscriptionId | string | | 47 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.guid | id | string | | 48 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.name | properties.alertName | string | | 49 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.shortDescription | properties.alertDisplayName | string | | 50 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.longDescription | properties.description | string | | 51 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.startTime | properties.detectedTimeUtc | string | | 52 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.status | properties.state | string | | 53 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | resource.identifier | properties.associatedResource | string | | 54 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | resource.type | properties.extendedProperties.resourceType | string | | 55 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.geolocation.ipv4 | properties.extendedProperties.client IP address | | | 56 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.actor | properties.extendedProperties.client principal name | | | 57 | | Azure | CSP | 2 | Defender | 1 | Microsoft.Security/ | __default__ | event.severity | properties.reportedSeverity | | | 58 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | provider.accountId | accountId | string | | 59 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | event.guid | Arn | string | | 60 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | provider.accountId | AccountId | string | | 61 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | event.actor | Resource.AccessKeyDetails.GeneratedFindingUserName | string | | 62 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | event.startTime | CreatedAt | | | 63 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | resource.identifier | Resource.AccessKeyDetails.GeneratedFindingPrincipalId | | | 64 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | event.shortDescription | Description | | | 65 | | Amazon Web Services | CSP | 4 | GuardDuty | 1 | arn:aws:guardduty | __default__ | event.name | Title | | | 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /mappings/provider.csv: -------------------------------------------------------------------------------- 1 | Provider,Provider Type,Provider ID,Source,alertId,CSNF Dictionary,path,staticValue,entityType 2 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,provider.accountId,data.additionalDetails.tenantId,,string 3 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.guid,data.resourceId,,string 4 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.name,data.additionalDetails.problemName,,string 5 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.shortDescription,data.additionalDetails.problemDescription,,string 6 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.timeStart,data.additionalDetails.firstDetected,,datetime 7 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.severity,data.additionalDetails.riskLevel,,string 8 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.state,data.additionalDetails.status,,string 9 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.guid,data.additionalDetails.resourceId,,orclResourceId 10 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.type,data.additionalDetails.resourceType,,string 11 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.name,data.additionalDetails.resourceName,,string 12 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.region,data.additionalDetails.region,,string 13 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.zone,data.compartmentName,,string 14 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,BUCKET_IS_PUBLIC,event.recommendation,data.additionalDetails.problemRecommendation,,string 15 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,SUSPICIOUS_IP_ACTIVITY,event.geolocation.ipv4,data.additionalDetails.impactedResourceId,, 16 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,SUSPICIOUS_IP_ACTIVITY,event.actor,data.additionalDetails.resourceName,, 17 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,VCN_DHCP_OPTION_CHANGED,event.actor,data.additionalDetails.resourceName,, 18 | Azure,CSP,2,Defender,__default__,provider.accountId,properties.subscriptionId,,string 19 | Azure,CSP,2,Defender,__default__,event.guid,id,,string 20 | Azure,CSP,2,Defender,__default__,event.name,properties.alertName,,string 21 | Azure,CSP,2,Defender,__default__,event.shortDescription,properties.alertDisplayName,,string 22 | Azure,CSP,2,Defender,__default__,event.longDescription,properties.description,,string 23 | Azure,CSP,2,Defender,__default__,event.timeStart,properties.detectedTimeUtc,,string 24 | Azure,CSP,2,Defender,__default__,event.state,properties.state,,string 25 | Azure,CSP,2,Defender,__default__,resource.guid,properties.associatedResource,,string 26 | Azure,CSP,2,Defender,__default__,resource.type,properties.extendedProperties.resourceType,,string 27 | Azure,CSP,2,Defender,__default__,event.geolocation.ipv4,properties.extendedProperties.client IP address,, 28 | Azure,CSP,2,Defender,__default__,event.actor,properties.extendedProperties.client principal name,, 29 | Azure,CSP,2,Defender,__default__,event.severity,properties.reportedSeverity,, 30 | Aquasec,CSPM,3,Aqua,__default__,event.name,data.control,,string 31 | Aquasec,CSPM,3,Aqua,__default__,event.guid,id,,string 32 | Aquasec,CSPM,3,Aqua,__default__,event.shortDescription,data.reason,,string 33 | Aquasec,CSPM,3,Aqua,__default__,event.timeStart,data.time,,string 34 | Aquasec,CSPM,3,Aqua,__default__,event.severity,,High,string 35 | Aquasec,CSPM,3,Aqua,__default__,resource.guid,containerid,,string 36 | Aquasec,CSPM,3,Aqua,__default__,resource.type,type,,string 37 | Aquasec,CSPM,3,Aqua,__default__,resource.name,data.container,,string 38 | Aquasec,CSPM,3,Aqua,__default__,resource.region,data.vm_location,,string 39 | Amazon Web Services,CSP,4,GuardDuty,__default__,provider.accountId,accountId,,string 40 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.guid,Arn,,string 41 | Amazon Web Services,CSP,4,GuardDuty,__default__,provider.accountId,AccountId,,string 42 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.actor,Resource.AccessKeyDetails.GeneratedFindingUserName,,string 43 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.timeStart,CreatedAt,, 44 | Amazon Web Services,CSP,4,GuardDuty,__default__,resource.guid,Resource.AccessKeyDetails.GeneratedFindingPrincipalId,, 45 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.shortDescription,Description,, 46 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.name,Title,, 47 | Falco,CSPM,4,Falco,__default__,event.guid,"output_fields.""evt.time""",,string 48 | Falco,CSPM,4,Falco,__default__,event.timeStart,time,,string 49 | Falco,CSPM,4,Falco,__default__,resource.name,"output_fields.""k8s.pod.name""",,string 50 | Falco,CSPM,4,Falco,__default__,event.severity,priority,,string 51 | Falco,CSPM,4,Falco,__default__,event.name,rule,,string 52 | Amazon Web Services,CSP,4,CloudTrail,__default__,provider.accountId,recipientAccountId,,string 53 | Amazon Web Services,CSP,4,CloudTrail,__default__,event.guid,eventID,,string 54 | Amazon Web Services,CSP,4,CloudTrail,__default__,event.actor,userIdentity.arn,,string 55 | Amazon Web Services,CSP,4,CloudTrail,__default__,event.timeStart,eventTime,, 56 | Amazon Web Services,CSP,4,CloudTrail,__default__,event.geolocation.ipv4,sourceIPAddress,, 57 | Amazon Web Services,CSP,4,CloudTrail,__default__,event.name,eventName,,string 58 | Oracle Cloud Infrastructure,CSP,1,Audit,__default__,event.timeStart,eventTime,,string 59 | Oracle Cloud Infrastructure,CSP,1,Audit,__default__,event.guid,eventID,,string 60 | Oracle Cloud Infrastructure,CSP,1,Audit,__default__,provider.accountId,data.identity.tenantId,,string 61 | Oracle Cloud Infrastructure,CSP,1,Audit,__default__,event.geolocation.ipv4,data.identity.ipAddress,,string 62 | Oracle Cloud Infrastructure,CSP,1,Audit,__default__,event.actor,data.identity.principalId,,string 63 | Oracle Cloud Infrastructure,CSP,1,Audit,__default__,event.accountId,data.compartmentId,, 64 | Oracle Cloud Infrastructure,CSP,1,Audit,__default__,event.name,data.eventName,, 65 | Fortinet,FW,6,Fortigate,__default__,event.name,subtype,,string 66 | Fortinet,FW,6,Fortigate,__default__,event.timeStart,eventtime,, 67 | Fortinet,FW,6,Fortigate,__default__,resource.guid,appid,, 68 | Fortinet,FW,6,Fortigate,__default__,resource.type,appcat,,string 69 | Fortinet,FW,6,Fortigate,__default__,resource.name,app,,string 70 | Fortinet,FW,6,Fortigate,__default__,event.severity,level,,string 71 | Fortinet,FW,6,Fortigate,__default__,event.geolocation.ipv4,srcip,, 72 | Fortinet,FW,6,Fortigate,__default__,event.geolocation.country,srccountry,,string 73 | Fortinet,FW,6,Fortigate,__default__,event.state,action,,string 74 | Google Cloud Platform,CSP,7,Security Command Center,__default__,provider.accountId,finding.resourceName,,string 75 | Google Cloud Platform,CSP,7,Security Command Center,__default__,event.state,finding.state,,string 76 | Google Cloud Platform,CSP,7,Security Command Center,__default__,event.name,finding.category,,string 77 | Google Cloud Platform,CSP,7,Security Command Center,__default__,event.timeStart,finding.eventTime,,string 78 | Google Cloud Platform,CSP,7,Security Command Center,__default__,event.severity,finding.severity,,string 79 | Google Cloud Platform,CSP,7,Security Command Center,__default__,event.longDescription,finding.sourceProperties.Explanation,,string 80 | Google Cloud Platform,CSP,7,Security Command Center,__default__,event.recommendation,finding.sourceProperties.Recommendation,,string 81 | Google Cloud Platform,CSP,7,Security Command Center,__default__,resource.type,resource.type,,string -------------------------------------------------------------------------------- /mappings/schema.yml: -------------------------------------------------------------------------------- 1 | provider: 2 | accountId: 3 | format: string 4 | description: The cloud account or organization id used to identify different entities in a multi-tenant environment. 5 | guid: 6 | format: string 7 | description: Identifier for the provider. 8 | name: 9 | format: string 10 | description: The cloud account name or alias used to identify different entities in a multi-tenant environment. 11 | product: 12 | format: string 13 | description: Source product service name from the vendor to indicate the origin (e.g. Azure Defender, Oracle Cloud Guard, etc.) 14 | type: 15 | format: string 16 | description: IaaS, SaaS or PaaS 17 | 18 | event: 19 | accountId: 20 | format: string 21 | description: The cloud account or organization id used to identify different entities in a multi-tenant environment. 22 | actor: 23 | format: string 24 | description: 25 | additionalProperties: 26 | format: string 27 | description: Key-Value pairs or property bag for additional missing but critical event properties. Includes labels. 28 | geolocation: 29 | city: 30 | format: string 31 | description: Geolocation includes country, state, city, zip and latitude, longitude information 32 | country: 33 | format: string 34 | description: Geolocation includes country, state, city, zip and latitude, longitude information 35 | ipv4: 36 | format: string 37 | description: Geolocation includes country, state, city, zip and latitude, longitude information 38 | ipv6: 39 | format: string 40 | description: Geolocation includes country, state, city, zip and latitude, longitude information 41 | latitude: 42 | format: string 43 | description: Geolocation includes country, state, city, zip and latitude, longitude information 44 | longitude: 45 | format: string 46 | description: Geolocation includes country, state, city, zip and latitude, longitude information 47 | postalcode: 48 | format: string 49 | description: Geolocation includes country, state, city, zip and latitude, longitude information 50 | state: 51 | format: string 52 | description: Geolocation includes country, state, city, zip and latitude, longitude information 53 | guid: 54 | format: string 55 | description: Identifier 56 | longDescription: 57 | format: string 58 | description: Detailed description of event 59 | name: 60 | format: string 61 | description: Name of event 62 | recommendation: 63 | format: string 64 | description: 65 | relatedEvent: 66 | format: string 67 | description: 68 | severity: 69 | format: string 70 | description: Event severity set by the provider 71 | shortDescription: 72 | format: string 73 | description: Brief description of event 74 | state: 75 | format: string 76 | description: Event state whether active or resolved 77 | time: 78 | format: string 79 | description: Time - The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. 80 | timeEnd: 81 | format: string 82 | description: Time at which the event ended. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. 83 | timeStart: 84 | format: string 85 | description: Time at which the event ocurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. 86 | timeUpdated: 87 | format: string 88 | description: Time - The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. 89 | timezone: 90 | format: string 91 | description: Timezone. 92 | type: 93 | format: string 94 | description: Enumeration of Event type - for e.g., Threat, WAF, etc. for security namespace (NEED A STAND LIST) 95 | url: 96 | format: string 97 | description: Direct URL link to the event for details 98 | 99 | resource: 100 | accountId: 101 | format: string 102 | description: The cloud account or organization id used to identify different entities in a multi-tenant environment. 103 | additionalProperties: 104 | format: string 105 | description: 106 | criticality: 107 | format: string 108 | description: If the resource is critcial or not 109 | group: 110 | format: string 111 | description: Group this resource belongs to 112 | guid: 113 | format: string 114 | description: Resource identifier 115 | name: 116 | format: string 117 | description: Resource name 118 | region: 119 | format: string 120 | description: Resource geolocation includes country, state, city, zip and latitude, longitude information –> update this to make this region for the resource only 121 | type: 122 | format: string 123 | description: Resource type 124 | url: 125 | format: string 126 | description: Resource URL / URI 127 | zone: 128 | format: string 129 | description: Resource zone 130 | 131 | service: 132 | additionalProperties: 133 | format: string 134 | description: Key-Value pairs or property bag for additional missing but critical event properties 135 | guid: 136 | format: string 137 | description: Service being monitored - identifier 138 | name: 139 | format: string 140 | description: Service name 141 | region: 142 | format: string 143 | description: Service geolocation includes country, state, city, zip and latitude, longitude information 144 | type: 145 | format: string 146 | description: Service type 147 | url: 148 | format: string 149 | description: 150 | zone: 151 | format: string 152 | description: Service zone 153 | 154 | threatactor: 155 | additionalProperties: 156 | format: string 157 | description: Key-Value pairs or property bag for additional missing but critical event properties 158 | guid: 159 | format: string 160 | description: Threat actor identifier 161 | name: 162 | format: string 163 | description: Threat actor name 164 | type: 165 | format: string 166 | description: Threat actor type 167 | 168 | decorator: 169 | behavior: 170 | format: string 171 | description: Behavior of entity associated with the event 172 | compliance: 173 | format: string 174 | description: Compliance status of enrichment source 175 | custom1: 176 | format: string 177 | description: Additional custom information pertaining to the event 178 | custom2: 179 | format: string 180 | description: Additional custom information pertaining to the event 181 | dataClassification: 182 | format: string 183 | description: Event classification 184 | references: 185 | format: string 186 | description: The source of enrichment information 187 | risk: 188 | format: string 189 | description: Risk of the event 190 | threat: 191 | format: string 192 | description: Threat information pertaining to the event 193 | vulnerability: 194 | format: string 195 | description: Vulnerability information pertaining to the event 196 | -------------------------------------------------------------------------------- /mappings/test/requirements.txt: -------------------------------------------------------------------------------- 1 | PyYAML 2 | -------------------------------------------------------------------------------- /mappings/test/test_csv_valid.py: -------------------------------------------------------------------------------- 1 | """Opens CSV for provider and tests that it's valid. """ 2 | 3 | import csv 4 | import os 5 | import yaml 6 | 7 | PROVIDER_CSV = os.path.join(os.path.dirname(__file__), "../provider.csv") 8 | SCHEMA_YAML = os.path.join(os.path.dirname(__file__), "../schema.yml") 9 | 10 | 11 | def parse_schema_yml(): 12 | """Opens specified yaml file and parses""" 13 | with open(SCHEMA_YAML, "r", encoding="utf-8") as yml_file: 14 | schemas = yaml.safe_load(yml_file) 15 | 16 | return schemas 17 | 18 | 19 | def test_csv_opens(): 20 | """Opens CSV and rights out file""" 21 | csv_data = [] 22 | with open(PROVIDER_CSV, encoding="utf-8") as csv_file: 23 | csvreader = csv.reader(csv_file) 24 | for row in csvreader: 25 | print(row) 26 | csv_data.append(row) 27 | 28 | return csv_data 29 | 30 | 31 | def validate_csnf_fields(csv_data): 32 | """Iterates over CSV and checks that each field is valid""" 33 | schemas = parse_schema_yml() 34 | print("--------------") 35 | for row in csv_data[1:]: 36 | csnf_dictionary = row[5].split(".") 37 | print(csnf_dictionary) 38 | if len(csnf_dictionary) > 3: 39 | raise ValueError("Too many elements in field") 40 | if len(csnf_dictionary) == 3: 41 | assert ( 42 | csnf_dictionary[2] 43 | in schemas[csnf_dictionary[0]][csnf_dictionary[1]].keys() 44 | ) 45 | if len(csnf_dictionary) == 2: 46 | assert csnf_dictionary[1] in schemas[csnf_dictionary[0]] 47 | 48 | 49 | csv_iterable = test_csv_opens() 50 | validate_csnf_fields(csv_iterable) 51 | -------------------------------------------------------------------------------- /ta-csnf/README.md: -------------------------------------------------------------------------------- 1 | # Splunk Technology Add-on for the Cloud Security Notification Framework 2 | 3 | ## Overview 4 | - The Add-on typically imports and enriches data from the SDK of the CSP, creating a rich data set ready for direct analysis or use in an App. The CSNF Add-on for Splunk will provide the below functionalities: 5 | - Collect sources data and map to the CSNF's canonical data model. 6 | - Categorize the data in different sourcetypes. 7 | - Parse the data and extract important fields. 8 | 9 | ## Version Support # 10 | 9.0, 8.x, 7.x 11 | 12 | ## Purpose 13 | - The purpose of the CSNF Splunk Technology Add-on is to provide a set of common attribute mappings in support of multi-cloud enterprise security SIEM and SOAR operations. 14 | 15 | ## Who is this app for? # 16 | - The primary audiance for this application are security detection engineering teams who wish to integrate CSNF within their multi cloud security landing zone. 17 | 18 | ## How does the app work? # 19 | - It works by mapping keys and values provided by your configured cloud provider to a set of CSNF common properties. The CSNF's canonical data model standardizes alerts received from multiple cloud and SaaS providers that can be used as inputs by the SOC for common security workflows. 20 | 21 | ## Installation 22 | 23 | Follow the below-listed steps to install an Add-on from the bundle: 24 | 25 | - Download the App package. 26 | - From the UI navigate to `Apps->Manage Apps`. 27 | - In the top right corner select `Install app from file`. 28 | - Select `Choose File` and select the App package. 29 | - Select `Upload` and follow the prompts. 30 | 31 | OR 32 | 33 | - Directly from the `Find More Apps` section provided in Splunk Home Dashboard. 34 | 35 | ## Configuration 36 | 37 | ## Uninstall Add-on 38 | 39 | - To uninstall add-on, user can follow below steps: 40 | - SSH to the Splunk instance -> Go to folder apps($SPLUNK_HOME/etc/apps) -> Remove the ta-csnf folder from apps directory -> Restart Splunk 41 | 42 | ## Support 43 | - Support Offered: Yes 44 | - Send email to peter.campbell@marlinspike.io 45 | - Support is not guaranteed and will be provided on a best effort basis. 46 | 47 | # Release Notes 48 | ## v 1.0.0 ## 49 | - Initial release. 50 | 51 | 52 | # Possible Issues # 53 | - None found yet, but if you find anything let us know! 54 | 55 | # Third-party software attributions/credits: # 56 | 57 | The following license applies to all parts of this software except as 58 | documented below: 59 | 60 | ==== 61 | 62 | Permission is hereby granted, free of charge, to any person obtaining 63 | a copy of this software and associated documentation files (the 64 | "Software"), to deal in the Software without restriction, including 65 | without limitation the rights to use, copy, modify, merge, publish, 66 | distribute, sublicense, and/or sell copies of the Software, and to 67 | permit persons to whom the Software is furnished to do so, subject to 68 | the following conditions: 69 | 70 | The above copyright notice and this permission notice shall be 71 | included in all copies or substantial portions of the Software. 72 | 73 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 74 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 75 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 76 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 77 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 78 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 79 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 80 | -------------------------------------------------------------------------------- /ta-csnf/SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported Versions 4 | 5 | 6 | | Version | Supported | 7 | | ------- | ------------------ | 8 | | > 1.0 | :white_check_mark: | 9 | 10 | ## Reporting a Vulnerability 11 | 12 | You may use the GitHub [Issues](https://github.com/onug/CSNF/issues) page to report any vulnerability. We do not, currently, have any SLA on fixes to our open source projects but do try to support them on a best effort basis. -------------------------------------------------------------------------------- /ta-csnf/app.manifest: -------------------------------------------------------------------------------- 1 | { 2 | "schemaVersion": "2.0.0", 3 | "info": { 4 | "title": "Cloud Security Notification Framework", 5 | "id": { 6 | "group": null, 7 | "name": "ta-csnf", 8 | "version": "1.1.0" 9 | }, 10 | "author": [ 11 | { 12 | "name": "Peter Campbell", 13 | "email": null, 14 | "company": null 15 | }, 16 | { 17 | "name": "Richard Julian", 18 | "email": null, 19 | "company": null 20 | }, 21 | { 22 | "name": "Josh Hammer", 23 | "email": null, 24 | "company": null 25 | } 26 | ], 27 | "releaseDate": null, 28 | "description": "The Add-on typically imports and enriches data from the SDK of the CSP, creating a rich data set ready for direct analysis or use in an App.", 29 | "classification": { 30 | "intendedAudience": null, 31 | "categories": [], 32 | "developmentStatus": null 33 | }, 34 | "commonInformationModels": null, 35 | "license": { 36 | "name": null, 37 | "text": null, 38 | "uri": null 39 | }, 40 | "privacyPolicy": { 41 | "name": null, 42 | "text": null, 43 | "uri": null 44 | }, 45 | "releaseNotes": { 46 | "name": null, 47 | "text": "./README.md", 48 | "uri": null 49 | } 50 | }, 51 | "dependencies": null, 52 | "tasks": null, 53 | "inputGroups": null, 54 | "incompatibleApps": null, 55 | "platformRequirements": null, 56 | "supportedDeployments": [ 57 | "_standalone", 58 | "_distributed" 59 | ], 60 | "targetWorkloads": null 61 | } 62 | # The following sections can be customized and added to the manifest. For detailed information, 63 | # see the documentation at http://dev.splunk.com/view/packaging-toolkit/SP-CAAAE9V 64 | # 65 | # Lists the app dependencies and version requirements 66 | # "dependencies": { 67 | # ":": { 68 | # "version": "*", 69 | # "package": "", 70 | # "optional": [true|false] 71 | # } 72 | # } 73 | # 74 | # Lists the inputs that belong on the search head rather than forwarders 75 | # "tasks": [] 76 | # 77 | # Lists the possible input groups with app dependencies, and inputs that should be included 78 | # "inputGroups": { 79 | # "": { 80 | # "requires": { 81 | # ":": [""] 82 | # }, 83 | # "inputs": [""] 84 | # } 85 | # } 86 | # 87 | # Lists the app IDs that cannot be installed on the system alongside this app 88 | # "incompatibleApps": { 89 | # ":": "" 90 | # } 91 | # 92 | # Specify the platform version requirements for this app 93 | # "platformRequirements": { 94 | # "splunk": { 95 | # "Enterprise": "" 96 | # } 97 | # } 98 | # 99 | # Lists the supported deployment types this app can be installed on 100 | # "supportedDeployments": ["*" | "_standalone" | "_distributed" | "_search_head_clustering"] 101 | # 102 | # Lists the targets where app can be installed to 103 | # "targetWorkloads": ["*" | "_search_heads" | "_indexers" | "_forwarders"] 104 | # 105 | -------------------------------------------------------------------------------- /ta-csnf/default/app.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Splunk app configuration file 3 | # 4 | 5 | [install] 6 | is_configured = 0 7 | 8 | [ui] 9 | is_visible = 1 10 | label = Cloud Security Notification Framework 11 | 12 | [launcher] 13 | author = Peter Campbell, Josh Hammer, Richard Julian 14 | description = The Add-on typically imports and enriches data from the SDK of the CSP, creating a rich data set ready for direct analysis or use in an App. 15 | version = 1.1.0 16 | 17 | [package] 18 | id = ta-csnf 19 | 20 | [id] 21 | name = ta-csnf 22 | -------------------------------------------------------------------------------- /ta-csnf/default/props.conf: -------------------------------------------------------------------------------- 1 | [oci_logging] 2 | FIELDALIAS-csnf-provider-accountId = "data.additionalDetails.tenantId" ASNEW "csnf.provider.accountId" 3 | FIELDALIAS-csnf-event-guid = "data.resourceId" ASNEW "csnf.event.guid" 4 | FIELDALIAS-csnf-event-name = "data.additionalDetails.problemName" ASNEW "csnf.event.name" 5 | FIELDALIAS-csnf-event-shortDescription = "data.additionalDetails.problemDescription" ASNEW "csnf.event.shortDescription" 6 | FIELDALIAS-csnf-event-timeStart = "data.additionalDetails.firstDetected" ASNEW "csnf.event.timeStart" 7 | FIELDALIAS-csnf-event-severity = "data.additionalDetails.riskLevel" ASNEW "csnf.event.severity" 8 | FIELDALIAS-csnf-event-state = "data.additionalDetails.status" ASNEW "csnf.event.state" 9 | FIELDALIAS-csnf-resource-guid = "data.additionalDetails.resourceId" ASNEW "csnf.resource.guid" 10 | FIELDALIAS-csnf-resource-type = "data.additionalDetails.resourceType" ASNEW "csnf.resource.type" 11 | FIELDALIAS-csnf-resource-name = "data.additionalDetails.resourceName" ASNEW "csnf.resource.name" 12 | FIELDALIAS-csnf-resource-region = "data.additionalDetails.region" ASNEW "csnf.resource.region" 13 | FIELDALIAS-csnf-resource-zone = "data.compartmentName" ASNEW "csnf.resource.zone" 14 | 15 | [oci_logging] 16 | FIELDALIAS-csnf-event-timeStart = "eventTime" ASNEW "csnf.event.timeStart" 17 | FIELDALIAS-csnf-event-guid = "eventID" ASNEW "csnf.event.guid" 18 | FIELDALIAS-csnf-provider-accountId = "data.identity.tenantId" ASNEW "csnf.provider.accountId" 19 | FIELDALIAS-csnf-event-geolocation-ipv4 = "data.identity.ipAddress" ASNEW "csnf.event.geolocation.ipv4" 20 | FIELDALIAS-csnf-event-actor = "data.identity.principalId" ASNEW "csnf.event.actor" 21 | FIELDALIAS-csnf-event-accountId = "data.compartmentId" ASNEW "csnf.event.accountId" 22 | FIELDALIAS-csnf-event-name = "data.eventName" ASNEW "csnf.event.name" 23 | 24 | [Azure:Defender] 25 | FIELDALIAS-csnf-provider-accountId = "properties.subscriptionId" ASNEW "csnf.provider.accountId" 26 | FIELDALIAS-csnf-event-guid = "id" ASNEW "csnf.event.guid" 27 | FIELDALIAS-csnf-event-name = "properties.alertName" ASNEW "csnf.event.name" 28 | FIELDALIAS-csnf-event-shortDescription = "properties.alertDisplayName" ASNEW "csnf.event.shortDescription" 29 | FIELDALIAS-csnf-event-longDescription = "properties.description" ASNEW "csnf.event.longDescription" 30 | FIELDALIAS-csnf-event-timeStart = "properties.detectedTimeUtc" ASNEW "csnf.event.timeStart" 31 | FIELDALIAS-csnf-event-state = "properties.state" ASNEW "csnf.event.state" 32 | FIELDALIAS-csnf-resource-guid = "properties.associatedResource" ASNEW "csnf.resource.guid" 33 | FIELDALIAS-csnf-resource-type = "properties.extendedProperties.resourceType" ASNEW "csnf.resource.type" 34 | FIELDALIAS-csnf-event-geolocation-ipv4 = "properties.extendedProperties.client IP address" ASNEW "csnf.event.geolocation.ipv4" 35 | FIELDALIAS-csnf-event-actor = "properties.extendedProperties.client principal name" ASNEW "csnf.event.actor" 36 | FIELDALIAS-csnf-event-severity = "properties.reportedSeverity" ASNEW "csnf.event.severity" 37 | 38 | [Aquasec:Aqua] 39 | FIELDALIAS-csnf-event-name = "data.control" ASNEW "csnf.event.name" 40 | FIELDALIAS-csnf-event-guid = "id" ASNEW "csnf.event.guid" 41 | FIELDALIAS-csnf-event-shortDescription = "data.reason" ASNEW "csnf.event.shortDescription" 42 | FIELDALIAS-csnf-event-timeStart = "data.time" ASNEW "csnf.event.timeStart" 43 | FIELDALIAS-csnf-event-severity = "" ASNEW "csnf.event.severity" 44 | FIELDALIAS-csnf-resource-guid = "containerid" ASNEW "csnf.resource.guid" 45 | FIELDALIAS-csnf-resource-type = "type" ASNEW "csnf.resource.type" 46 | FIELDALIAS-csnf-resource-name = "data.container" ASNEW "csnf.resource.name" 47 | FIELDALIAS-csnf-resource-region = "data.vm_location" ASNEW "csnf.resource.region" 48 | 49 | [aws:s3] 50 | FIELDALIAS-csnf-provider-accountId = accountId ASNEW "csnf.provider.accountId" 51 | FIELDALIAS-csnf-event-shortDescription = description ASNEW "csnf.event.shortDescription" 52 | FIELDALIAS-csnf-event-guid = id ASNEW "csnf.event.guid" 53 | FIELDALIAS-csnf-provider = partition ASNEW "csnf.provider" 54 | FIELDALIAS-csnf-decorator-risk = severity ASNEW "csnf.decorator.risk" 55 | FIELDALIAS-csnf-event-name = title ASNEW "csnf.event.name" 56 | FIELDALIAS-csnf-decorator-threat = type ASNEW "csnf.decorator.threat" 57 | FIELDALIAS-csnf-resource-accountId = resource.accessKeyDetails.principalId ASNEW "csnf.resource.accountId" 58 | FIELDALIAS-csnf-resource-name = resource.accessKeyDetails.userName ASNEW "csnf.resource.name" 59 | FIELDALIAS-csnf-resource-type = resource.accessKeyDetails.userType ASNEW "csnf.resource.type" 60 | FIELDALIAS-csnf-event-startTime = createdAt ASNEW "csnf.event.startTime" 61 | FIELDALIAS-csnf-service-type = service.action.actionType ASNEW "csnf.service.type" 62 | FIELDALIAS-csnf-service-name = service.action.awsApiCallAction.serviceName ASNEW "csnf.service.name" 63 | 64 | [aws:s3] 65 | FIELDALIAS-csnf-provider-accountId = "recipientAccountId" ASNEW "csnf.provider.accountId" 66 | FIELDALIAS-csnf-event-guid = "eventID" ASNEW "csnf.event.guid" 67 | FIELDALIAS-csnf-event-actor = "userIdentity.arn" ASNEW "csnf.event.actor" 68 | FIELDALIAS-csnf-event-timeStart = "eventTime" ASNEW "csnf.event.timeStart" 69 | FIELDALIAS-csnf-event-geolocation-ipv4 = "sourceIPAddress" ASNEW "csnf.event.geolocation.ipv4" 70 | FIELDALIAS-csnf-event-name = "eventName" ASNEW "csnf.event.name" 71 | 72 | [Falco:Falco] 73 | FIELDALIAS-csnf-event-guid = "output_fields."evt.time"" ASNEW "csnf.event.guid" 74 | FIELDALIAS-csnf-event-timeStart = "time" ASNEW "csnf.event.timeStart" 75 | FIELDALIAS-csnf-resource-name = "output_fields."k8s.pod.name"" ASNEW "csnf.resource.name" 76 | FIELDALIAS-csnf-event-severity = "priority" ASNEW "csnf.event.severity" 77 | FIELDALIAS-csnf-event-name = "rule" ASNEW "csnf.event.name" 78 | 79 | [fortigate_traffic] 80 | FIELDALIAS-csnf-event-name = "subtype" ASNEW "csnf.event.name" 81 | FIELDALIAS-csnf-event-timeStart = "eventtime" ASNEW "csnf.event.timeStart" 82 | FIELDALIAS-csnf-resource-guid = "appid" ASNEW "csnf.resource.guid" 83 | FIELDALIAS-csnf-resource-type = "appcat" ASNEW "csnf.resource.type" 84 | FIELDALIAS-csnf-resource-name = "app" ASNEW "csnf.resource.name" 85 | FIELDALIAS-csnf-event-severity = "level" ASNEW "csnf.event.severity" 86 | FIELDALIAS-csnf-event-geolocation-ipv4 = "srcip" ASNEW "csnf.event.geolocation.ipv4" 87 | FIELDALIAS-csnf-event-geolocation-country = "srccountry" ASNEW "csnf.event.geolocation.country" 88 | FIELDALIAS-csnf-event-state = "action" ASNEW "csnf.event.state" 89 | 90 | [Google Cloud Platform:Security Command Center] 91 | FIELDALIAS-csnf-provider-accountId = "finding.resourceName" ASNEW "csnf.provider.accountId" 92 | FIELDALIAS-csnf-event-state = "finding.state" ASNEW "csnf.event.state" 93 | FIELDALIAS-csnf-event-name = "finding.category" ASNEW "csnf.event.name" 94 | FIELDALIAS-csnf-event-timeStart = "finding.eventTime" ASNEW "csnf.event.timeStart" 95 | FIELDALIAS-csnf-event-severity = "finding.severity" ASNEW "csnf.event.severity" 96 | FIELDALIAS-csnf-event-longDescription = "finding.sourceProperties.Explanation" ASNEW "csnf.event.longDescription" 97 | FIELDALIAS-csnf-event-recommendation = "finding.sourceProperties.Recommendation" ASNEW "csnf.event.recommendation" 98 | FIELDALIAS-csnf-resource-type = "resource.type" ASNEW "csnf.resource.type" 99 | 100 | -------------------------------------------------------------------------------- /ta-csnf/metadata/default.meta: -------------------------------------------------------------------------------- 1 | 2 | # Application-level permissions 3 | 4 | [] 5 | access = read : [ * ], write : [ admin, power ] 6 | 7 | ### EVENT TYPES 8 | 9 | [eventtypes] 10 | export = system 11 | 12 | 13 | ### PROPS 14 | 15 | [props] 16 | export = system 17 | 18 | 19 | ### TRANSFORMS 20 | 21 | [transforms] 22 | export = system 23 | 24 | 25 | ### LOOKUPS 26 | 27 | [lookups] 28 | export = system 29 | 30 | 31 | ### VIEWSTATES: even normal users should be able to create shared viewstates 32 | 33 | [viewstates] 34 | access = read : [ * ], write : [ * ] 35 | export = system 36 | -------------------------------------------------------------------------------- /ta-csnf/static/appIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/ta-csnf/static/appIcon.png -------------------------------------------------------------------------------- /ta-csnf/static/appIconAlt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/ta-csnf/static/appIconAlt.png -------------------------------------------------------------------------------- /ta-csnf/static/appIconAlt_2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/ta-csnf/static/appIconAlt_2x.png -------------------------------------------------------------------------------- /ta-csnf/static/appIcon_2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/ta-csnf/static/appIcon_2x.png -------------------------------------------------------------------------------- /ta-csnf/static/appLogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/ta-csnf/static/appLogo.png -------------------------------------------------------------------------------- /ta-csnf/static/appLogo_2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/ta-csnf/static/appLogo_2x.png -------------------------------------------------------------------------------- /tools/README.md: -------------------------------------------------------------------------------- 1 | # ONUG CSNF Tooling 2 | 3 | ## Overview 4 | This folder contains tools to help providers and consumers adopt ONUG's CSNF. 5 | 6 | ## Table of Contents 7 | |Tool |Description |Link | 8 | |-------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------| 9 | |Provider Mapping CSV |For mapping Cloud Service Providers (CSPs) or security provider alerts to the ONUG CSF format. |[Link](./provider_csv/README.md) | 10 | |Provider Mapping CSV to JSON Python Script|Converts a provider.csv into a JSON file |[Link](./provider_csv_to_provider_json_script/README.md)| 11 | |Sample Findings |Sample finding from providers |[Link](./sample_findings/) | 12 | |ONUG CSNF Python3 Library |A python3 library that can use a provider JSON as created by the mapping script to convert a provider finding into CSNF finding.|[Link](./onug_decorator_python/README.md) | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /tools/onug_decorator_python/README.md: -------------------------------------------------------------------------------- 1 | # ONUG CSNF Python3 Library 2 | ## ONUG CSNF Python3 Library 3 | 4 | To help customers adopt CSNF CDM we are providing a small python3 library that can use a provider JSON as created by the mapping script to convert a provider finding into CSNF finding. 5 | 6 | The [onug.py](./onug_decorator_python/onug.py) is a sample library which can use be used to convert a finding into a CSNF finding based on a provider input and a finding. Below is some sample code to test: 7 | 8 | 9 | 1. Import required libraries 10 | 11 | ``` 12 | import re # used for regex parsing of finding 13 | import logging # used for logging default is WARNING 14 | from onug import Onug # onug library 15 | ``` 16 | 17 | 2. URL for the provider JSON file 18 | 19 | ``` 20 | # URL for your provider JSON 21 | # Below is the public one 22 | provider_json = '' 23 | ``` 24 | 25 | 3. Create a finding. Your own or a one in the [sample_findings/](./sample_findings/) directory: 26 | 27 | ``` 28 | sample_finding = { 29 | "eventType" : "com.oraclecloud.cloudguard.problemdetected", 30 | "cloudEventsVersion" : "0.1", 31 | "eventTypeVersion" : "2.0", 32 | "source" : "CloudGuardResponderEngine", 33 | "eventTime" : "2021-08-28T16:37:59Z", 34 | "contentType" : "application/json", 35 | "data" : { 36 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 37 | "compartmentName" : "Comp-Name", 38 | "resourceName" : "Bucket is public", 39 | "resourceId" : "ocid1.cloudguardproblem.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 40 | "additionalDetails" : { 41 | "tenantId" : "ocid1.tenancy.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 42 | "status" : "OPEN", 43 | "reason" : "New Problem detected by CloudGuard", 44 | "problemName" : "BUCKET_IS_PUBLIC", 45 | "riskLevel" : "CRITICAL", 46 | "problemType" : "CONFIG_CHANGE", 47 | "resourceName" : "Bucket", 48 | "resourceId" : "tenancy/Bucket", 49 | "resourceType" : "Bucket", 50 | "targetId" : "ocid1.cloudguardtarget.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 51 | "labels" : "CIS_OCI_V1.1_OBJECTSTORAGE, ObjectStorage", 52 | "firstDetected" : "2021-08-28T16:37:36.945Z", 53 | "lastDetected" : "2021-08-28T16:37:36.945Z", 54 | "region" : "us-phoenix-1", 55 | "problemDescription" : "Object Storage supports anonymous, unauthenticated access to a bucket. A public bucket that has read access enabled for anonymous users allows anyone to obtain object metadata, download bucket objects, and optionally list bucket contents.", 56 | "problemRecommendation" : "Ensure that the bucket is sanctioned for public access, and if not, direct the OCI administrator to restrict the bucket policy to allow only specific users access to the resources required to accomplish their job functions." 57 | } 58 | }, 59 | "eventID" : "1642b454-eeee-aaaa-aaa-783803f83134", 60 | "extensions" : { 61 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e" 62 | } 63 | } 64 | ``` 65 | 66 | 4. Create the Onug class and get the transformed finding: 67 | ``` 68 | my_onug = Onug(provider_json, finding) 69 | my_onug.get_finding() 70 | ``` 71 | 72 | 73 | -------------------------------------------------------------------------------- /tools/onug_decorator_python/onug.py: -------------------------------------------------------------------------------- 1 | import logging 2 | import requests 3 | import re 4 | import json 5 | 6 | 7 | class Onug: 8 | __source_to_provider_mapping = {} 9 | 10 | __finding = {} 11 | __finding["provider"] = {} 12 | __finding["source"] = {} 13 | __finding["event"] = {} 14 | __finding["resource"] = {} 15 | 16 | def __init__(self, url, raw_finding, provider=None, source=None): 17 | self.__raw_finding = raw_finding 18 | self.__url = url 19 | 20 | # Getting the ONUG mapping 21 | self.__set_onug_provider_mapping() 22 | 23 | # Build Source to provider mapping 24 | self.__set_source_regex_provider_mapping() 25 | 26 | # Storing raw_finding 27 | self.__raw_finding = raw_finding 28 | 29 | if provider and source: 30 | self.__provider = provider 31 | self.__source = source 32 | else: 33 | self.__provider, self.__source = self.__set_provider_source_raw_finding() 34 | 35 | logging.debug("__init___: provider is set to: " + str(self.__provider)) 36 | self.__set_provider_source_raw_finding() 37 | self.__set_finding_provider_data() 38 | self.__set_onug_mapping_for_source() 39 | self.__map_raw_finding_to_onug() 40 | return 41 | 42 | def __set_source_regex_provider_mapping(self): 43 | for provider_key, provider_value in self.__onug_mapping.items(): 44 | for source_key, source_value in provider_value["source"].items(): 45 | self.__source_to_provider_mapping[ 46 | source_value["sourceIdentifierRegex"] 47 | ] = {"provider": provider_key, "source": source_key} 48 | logging.debug( 49 | "__set_source_regex_provider_mapping: Added this to mapping" 50 | + str( 51 | self.__source_to_provider_mapping[ 52 | source_value["sourceIdentifierRegex"] 53 | ] 54 | ) 55 | ) 56 | 57 | def __set_provider_source_raw_finding(self): 58 | for source_key, source_value in self.__source_to_provider_mapping.items(): 59 | if re.search(source_key, str(self.__raw_finding)): 60 | return source_value["provider"], source_value["source"] 61 | 62 | logging.error( 63 | "__set_provider_source_raw_finding: FAILED TO GET SOURCE AND PROVIDER" 64 | ) 65 | raise SystemExit( 66 | "__set_provider_source_raw_finding: FAILED TO GET SOURCE AND PROVIDER" 67 | ) 68 | 69 | def __set_finding_provider_data(self): 70 | logging.debug("__set_provider_from_finding: Starting") 71 | self.__finding["provider"]["providerId"] = self.__onug_mapping[self.__provider][ 72 | "providerId" 73 | ] 74 | logging.debug( 75 | "__set_provider_from_finding: ProviderId is set to: " 76 | + self.__finding["provider"]["providerId"] 77 | ) 78 | self.__finding["provider"]["providerType"] = self.__onug_mapping[ 79 | self.__provider 80 | ]["providerType"] 81 | logging.debug( 82 | "__set_provider_from_finding: ProviderId is set to: " 83 | + self.__finding["provider"]["providerType"] 84 | ) 85 | self.__finding["provider"]["name"] = self.__onug_mapping[self.__provider][ 86 | "provider" 87 | ] 88 | logging.debug( 89 | "__set_provider_from_finding: Provider is set to: " 90 | + self.__finding["provider"]["name"] 91 | ) 92 | return 93 | 94 | def __set_onug_provider_mapping(self): 95 | logging.debug("__set_onug_provider_mapping: getting onug mapping.") 96 | try: 97 | self.__onug_mapping = requests.get(self.__url).json() 98 | except requests.exceptions.HTTPError as err: 99 | logging.error( 100 | "__set_onug_provider_mapping: FAILED TO GET REQUEST" + str(err) 101 | ) 102 | raise SystemExit(err) 103 | 104 | # def __set_finding_source_data(self): 105 | # for item_to_map in self.__onug_mapping[self.__provider]['source'][self.__source]['alerts']['default']: 106 | 107 | def __set_onug_mapping_for_source(self): 108 | logging.debug("__set_onug_mapping_for_source: getting provider mapping.") 109 | try: 110 | self.__source_mapping = self.__onug_mapping[self.__provider]["source"][ 111 | self.__source 112 | ] 113 | except Exception as err: 114 | logging.error( 115 | "__set_onug_mapping_for_source: FAILED Provider from Provider JSON" 116 | + str(err) 117 | ) 118 | raise SystemExit(err) 119 | 120 | def __mapped_item_from_path(self, path, finding): 121 | logging.debug("get_mapped_item_from_path: path is: " + str(path)) 122 | try: 123 | tuple_path = tuple(path.split(".")) 124 | for key in tuple_path: 125 | finding = finding[key] 126 | logging.debug("get_mapped_item_from_path: mapped_item is: " + str(finding)) 127 | return finding 128 | except: 129 | return False 130 | 131 | def __set_item_from_path(self, path, item): 132 | # Cheating 133 | logging.debug( 134 | "__set_item_from_path: path is: " + str(path) + " Item is: " + str(item) 135 | ) 136 | keys = path.split(".") 137 | self.__finding[keys[0]][keys[1]] = item 138 | 139 | def __map_raw_finding_to_onug(self): 140 | logging.debug("__map_raw_finding_to_onug: source mapping is: ") 141 | for alert_key, alert_value in self.__source_mapping["alerts"].items(): 142 | for map_key, map_value in alert_value["alertMapping"].items(): 143 | for key, value in map_value.items(): 144 | logging.debug( 145 | "__map_raw_finding_to_onug: Mapped Value: " + str(map_key) 146 | ) 147 | if not (map_value["mappedValue"]): 148 | path = map_value["path"] 149 | mapped_item = self.__mapped_item_from_path( 150 | path, self.__raw_finding 151 | ) 152 | # logging.debug(f'map_to_onug: {element} is mapped to {mapped_item} via path: {self.__source_mapping[element]["path"]}') 153 | self.__set_item_from_path(map_key, mapped_item) 154 | 155 | def get_provider_data(self): 156 | return self.__finding["provider"] 157 | 158 | def get_finding(self): 159 | return self.__finding 160 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 160 | #.idea/ 161 | 162 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Provider CSV to JSON Mapping Conversion Script 3 | ## Overview 4 | Once the providers alerts are mapped to the CDM converting those alert mapping to a more programmatically format is helpful. To accelerate this process we created a Python script [provider-csv-to-provider-json.py](./provider-csv-to-provider-json.py) that takes a [provider CSV](../provider_csv/provider.csv) and converts it into a JSON. Here is the sample mapping in JSON. The JSON file representing the above mapping can be found here: [sample_provider_output.json](./sample_provider_output.json). 5 | 6 | 7 | ## Mapping Script Usage 8 | 9 | 1. Download the script: 10 | ``` 11 | % git clone https://github.com/onug/CSNF.git 12 | ``` 13 | change to directory with the script 14 | ``` 15 | % cd CSNF/tools/provider-csv-to-provider-json-script/ 16 | ``` 17 | or 18 | ``` 19 | % wget https://github.com/onug/CSNF/tree/main/tools/provider-csv-to-provider-json-script/provider-csv-to-provider-json.py 20 | ``` 21 | 22 | 2. Execute the script 23 | ``` 24 | % python3 provider-csv-to-provider-json.py -i sample_provider_input.csv -o sample_provider_output.json 25 | Input file is: sample_provider_input.csv 26 | Output file is: sample_provider_output.json 27 | ``` 28 | 29 | * Options 30 | ``` 31 | % python3 provider-csv-to-provider-json.py -h 32 | usage: provider-csv-to-provider-json.py [-h] [-i INPUT_CSV] [-o OUTPUT_JSON] 33 | 34 | options: 35 | -h, --help show this help message and exit 36 | -i INPUT_CSV Input CSV File 37 | -o OUTPUT_JSON JSON Output prefix 38 | ``` 39 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/onug/csnf/b0866b8721a1ecab479fd8664924404ce0210937/tools/provider_csv_to_provider_json_script/__init__.py -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/output.conf: -------------------------------------------------------------------------------- 1 | [Oracle Cloud Infrastructure:Cloud Guard] 2 | FIELDALIAS-csnf-provider-accountId = "data.additionalDetails.tenantId" ASNEW "csnf.provider.accountId" 3 | FIELDALIAS-csnf-event-guid = "data.resourceId" ASNEW "csnf.event.guid" 4 | FIELDALIAS-csnf-event-name = "data.additionalDetails.problemName" ASNEW "csnf.event.name" 5 | FIELDALIAS-csnf-event-shortDescription = "data.additionalDetails.problemDescription" ASNEW "csnf.event.shortDescription" 6 | FIELDALIAS-csnf-event-timeStart = "data.additionalDetails.firstDetected" ASNEW "csnf.event.timeStart" 7 | FIELDALIAS-csnf-event-severity = "data.additionalDetails.riskLevel" ASNEW "csnf.event.severity" 8 | FIELDALIAS-csnf-event-state = "data.additionalDetails.status" ASNEW "csnf.event.state" 9 | FIELDALIAS-csnf-resource-guid = "data.additionalDetails.resourceId" ASNEW "csnf.resource.guid" 10 | FIELDALIAS-csnf-resource-type = "data.additionalDetails.resourceType" ASNEW "csnf.resource.type" 11 | FIELDALIAS-csnf-resource-name = "data.additionalDetails.resourceName" ASNEW "csnf.resource.name" 12 | FIELDALIAS-csnf-resource-region = "data.additionalDetails.region" ASNEW "csnf.resource.region" 13 | FIELDALIAS-csnf-resource-zone = "data.compartmentName" ASNEW "csnf.resource.zone" 14 | [Oracle Cloud Infrastructure:Audit] 15 | FIELDALIAS-csnf-event-timeStart = "eventTime" ASNEW "csnf.event.timeStart" 16 | FIELDALIAS-csnf-event-guid = "eventID" ASNEW "csnf.event.guid" 17 | FIELDALIAS-csnf-provider-accountId = "data.identity.tenantId" ASNEW "csnf.provider.accountId" 18 | FIELDALIAS-csnf-event-geolocation-ipv4 = "data.identity.ipAddress" ASNEW "csnf.event.geolocation.ipv4" 19 | FIELDALIAS-csnf-event-actor = "data.identity.principalId" ASNEW "csnf.event.actor" 20 | FIELDALIAS-csnf-event-accountId = "data.compartmentId" ASNEW "csnf.event.accountId" 21 | FIELDALIAS-csnf-event-name = "data.eventName" ASNEW "csnf.event.name" 22 | [Azure:Defender] 23 | FIELDALIAS-csnf-provider-accountId = "properties.subscriptionId" ASNEW "csnf.provider.accountId" 24 | FIELDALIAS-csnf-event-guid = "id" ASNEW "csnf.event.guid" 25 | FIELDALIAS-csnf-event-name = "properties.alertName" ASNEW "csnf.event.name" 26 | FIELDALIAS-csnf-event-shortDescription = "properties.alertDisplayName" ASNEW "csnf.event.shortDescription" 27 | FIELDALIAS-csnf-event-longDescription = "properties.description" ASNEW "csnf.event.longDescription" 28 | FIELDALIAS-csnf-event-timeStart = "properties.detectedTimeUtc" ASNEW "csnf.event.timeStart" 29 | FIELDALIAS-csnf-event-state = "properties.state" ASNEW "csnf.event.state" 30 | FIELDALIAS-csnf-resource-guid = "properties.associatedResource" ASNEW "csnf.resource.guid" 31 | FIELDALIAS-csnf-resource-type = "properties.extendedProperties.resourceType" ASNEW "csnf.resource.type" 32 | FIELDALIAS-csnf-event-geolocation-ipv4 = "properties.extendedProperties.client IP address" ASNEW "csnf.event.geolocation.ipv4" 33 | FIELDALIAS-csnf-event-actor = "properties.extendedProperties.client principal name" ASNEW "csnf.event.actor" 34 | FIELDALIAS-csnf-event-severity = "properties.reportedSeverity" ASNEW "csnf.event.severity" 35 | [Aquasec:Aqua] 36 | FIELDALIAS-csnf-event-name = "data.control" ASNEW "csnf.event.name" 37 | FIELDALIAS-csnf-event-guid = "id" ASNEW "csnf.event.guid" 38 | FIELDALIAS-csnf-event-shortDescription = "data.reason" ASNEW "csnf.event.shortDescription" 39 | FIELDALIAS-csnf-event-timeStart = "data.time" ASNEW "csnf.event.timeStart" 40 | FIELDALIAS-csnf-event-severity = "" ASNEW "csnf.event.severity" 41 | FIELDALIAS-csnf-resource-guid = "containerid" ASNEW "csnf.resource.guid" 42 | FIELDALIAS-csnf-resource-type = "type" ASNEW "csnf.resource.type" 43 | FIELDALIAS-csnf-resource-name = "data.container" ASNEW "csnf.resource.name" 44 | FIELDALIAS-csnf-resource-region = "data.vm_location" ASNEW "csnf.resource.region" 45 | [Amazon Web Services:GuardDuty] 46 | FIELDALIAS-csnf-provider-accountId = "AccountId" ASNEW "csnf.provider.accountId" 47 | FIELDALIAS-csnf-event-guid = "Arn" ASNEW "csnf.event.guid" 48 | FIELDALIAS-csnf-event-actor = "Resource.AccessKeyDetails.GeneratedFindingUserName" ASNEW "csnf.event.actor" 49 | FIELDALIAS-csnf-event-timeStart = "CreatedAt" ASNEW "csnf.event.timeStart" 50 | FIELDALIAS-csnf-resource-guid = "Resource.AccessKeyDetails.GeneratedFindingPrincipalId" ASNEW "csnf.resource.guid" 51 | FIELDALIAS-csnf-event-shortDescription = "Description" ASNEW "csnf.event.shortDescription" 52 | FIELDALIAS-csnf-event-name = "Title" ASNEW "csnf.event.name" 53 | [Amazon Web Services:CloudTrail] 54 | FIELDALIAS-csnf-provider-accountId = "recipientAccountId" ASNEW "csnf.provider.accountId" 55 | FIELDALIAS-csnf-event-guid = "eventID" ASNEW "csnf.event.guid" 56 | FIELDALIAS-csnf-event-actor = "userIdentity.arn" ASNEW "csnf.event.actor" 57 | FIELDALIAS-csnf-event-timeStart = "eventTime" ASNEW "csnf.event.timeStart" 58 | FIELDALIAS-csnf-event-geolocation-ipv4 = "sourceIPAddress" ASNEW "csnf.event.geolocation.ipv4" 59 | FIELDALIAS-csnf-event-name = "eventName" ASNEW "csnf.event.name" 60 | [Falco:Falco] 61 | FIELDALIAS-csnf-event-guid = "output_fields."evt.time"" ASNEW "csnf.event.guid" 62 | FIELDALIAS-csnf-event-timeStart = "time" ASNEW "csnf.event.timeStart" 63 | FIELDALIAS-csnf-resource-name = "output_fields."k8s.pod.name"" ASNEW "csnf.resource.name" 64 | FIELDALIAS-csnf-event-severity = "priority" ASNEW "csnf.event.severity" 65 | FIELDALIAS-csnf-event-name = "rule" ASNEW "csnf.event.name" 66 | [Fortinet:Fortigate] 67 | FIELDALIAS-csnf-event-name = "subtype" ASNEW "csnf.event.name" 68 | FIELDALIAS-csnf-event-timeStart = "eventtime" ASNEW "csnf.event.timeStart" 69 | FIELDALIAS-csnf-resource-guid = "appid" ASNEW "csnf.resource.guid" 70 | FIELDALIAS-csnf-resource-type = "appcat" ASNEW "csnf.resource.type" 71 | FIELDALIAS-csnf-resource-name = "app" ASNEW "csnf.resource.name" 72 | FIELDALIAS-csnf-event-severity = "level" ASNEW "csnf.event.severity" 73 | FIELDALIAS-csnf-event-geolocation-ipv4 = "srcip" ASNEW "csnf.event.geolocation.ipv4" 74 | FIELDALIAS-csnf-event-geolocation-country = "srccountry" ASNEW "csnf.event.geolocation.country" 75 | FIELDALIAS-csnf-event-state = "action" ASNEW "csnf.event.state" 76 | [Google Cloud Platform:Security Command Center] 77 | FIELDALIAS-csnf-provider-accountId = "finding.resourceName" ASNEW "csnf.provider.accountId" 78 | FIELDALIAS-csnf-event-state = "finding.state" ASNEW "csnf.event.state" 79 | FIELDALIAS-csnf-event-name = "finding.category" ASNEW "csnf.event.name" 80 | FIELDALIAS-csnf-event-timeStart = "finding.eventTime" ASNEW "csnf.event.timeStart" 81 | FIELDALIAS-csnf-event-severity = "finding.severity" ASNEW "csnf.event.severity" 82 | FIELDALIAS-csnf-event-longDescription = "finding.sourceProperties.Explanation" ASNEW "csnf.event.longDescription" 83 | FIELDALIAS-csnf-event-recommendation = "finding.sourceProperties.Recommendation" ASNEW "csnf.event.recommendation" 84 | FIELDALIAS-csnf-resource-type = "resource.type" ASNEW "csnf.resource.type" 85 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/output.json: -------------------------------------------------------------------------------- 1 | {"Oracle Cloud Infrastructure": {"provider": "Oracle Cloud Infrastructure", "providerType": "CSP", "providerId": "1", "source": {"Cloud Guard": {"sourceName": "Cloud Guard", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "data.additionalDetails.tenantId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "data.resourceId", "entityType": "string", "mappedValue": false, "value": ""}, "event.name": {"path": "data.additionalDetails.problemName", "entityType": "string", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "data.additionalDetails.problemDescription", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "data.additionalDetails.firstDetected", "entityType": "datetime", "mappedValue": false, "value": ""}, "event.severity": {"path": "data.additionalDetails.riskLevel", "entityType": "string", "mappedValue": false, "value": ""}, "event.state": {"path": "data.additionalDetails.status", "entityType": "string", "mappedValue": false, "value": ""}, "resource.guid": {"path": "data.additionalDetails.resourceId", "entityType": "orclResourceId", "mappedValue": false, "value": ""}, "resource.type": {"path": "data.additionalDetails.resourceType", "entityType": "string", "mappedValue": false, "value": ""}, "resource.name": {"path": "data.additionalDetails.resourceName", "entityType": "string", "mappedValue": false, "value": ""}, "resource.region": {"path": "data.additionalDetails.region", "entityType": "string", "mappedValue": false, "value": ""}, "resource.zone": {"path": "data.compartmentName", "entityType": "string", "mappedValue": false, "value": ""}}}, "BUCKET_IS_PUBLIC": {"alertMapping": {"event.recommendation": {"path": "data.additionalDetails.problemRecommendation", "entityType": "string", "mappedValue": false, "value": ""}}}, "SUSPICIOUS_IP_ACTIVITY": {"alertMapping": {"event.geolocation.ipv4": {"path": "data.additionalDetails.impactedResourceId", "entityType": "", "mappedValue": false, "value": ""}, "event.actor": {"path": "data.additionalDetails.resourceName", "entityType": "", "mappedValue": false, "value": ""}}}, "VCN_DHCP_OPTION_CHANGED": {"alertMapping": {"event.actor": {"path": "data.additionalDetails.resourceName", "entityType": "", "mappedValue": false, "value": ""}}}}}, "Audit": {"sourceName": "Audit", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"event.timeStart": {"path": "eventTime", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "eventID", "entityType": "string", "mappedValue": false, "value": ""}, "provider.accountId": {"path": "data.identity.tenantId", "entityType": "string", "mappedValue": false, "value": ""}, "event.geolocation.ipv4": {"path": "data.identity.ipAddress", "entityType": "string", "mappedValue": false, "value": ""}, "event.actor": {"path": "data.identity.principalId", "entityType": "string", "mappedValue": false, "value": ""}, "event.accountId": {"path": "data.compartmentId", "entityType": "", "mappedValue": false, "value": ""}, "event.name": {"path": "data.eventName", "entityType": "", "mappedValue": false, "value": ""}}}}}}}, "Azure": {"provider": "Azure", "providerType": "CSP", "providerId": "2", "source": {"Defender": {"sourceName": "Defender", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "properties.subscriptionId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "id", "entityType": "string", "mappedValue": false, "value": ""}, "event.name": {"path": "properties.alertName", "entityType": "string", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "properties.alertDisplayName", "entityType": "string", "mappedValue": false, "value": ""}, "event.longDescription": {"path": "properties.description", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "properties.detectedTimeUtc", "entityType": "string", "mappedValue": false, "value": ""}, "event.state": {"path": "properties.state", "entityType": "string", "mappedValue": false, "value": ""}, "resource.guid": {"path": "properties.associatedResource", "entityType": "string", "mappedValue": false, "value": ""}, "resource.type": {"path": "properties.extendedProperties.resourceType", "entityType": "string", "mappedValue": false, "value": ""}, "event.geolocation.ipv4": {"path": "properties.extendedProperties.client IP address", "entityType": "", "mappedValue": false, "value": ""}, "event.actor": {"path": "properties.extendedProperties.client principal name", "entityType": "", "mappedValue": false, "value": ""}, "event.severity": {"path": "properties.reportedSeverity", "entityType": "", "mappedValue": false, "value": ""}}}}}}}, "Aquasec": {"provider": "Aquasec", "providerType": "CSPM", "providerId": "3", "source": {"Aqua": {"sourceName": "Aqua", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"event.name": {"path": "data.control", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "id", "entityType": "string", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "data.reason", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "data.time", "entityType": "string", "mappedValue": false, "value": ""}, "event.severity": {"path": "", "entityType": "string", "mappedValue": true, "value": "High"}, "resource.guid": {"path": "containerid", "entityType": "string", "mappedValue": false, "value": ""}, "resource.type": {"path": "type", "entityType": "string", "mappedValue": false, "value": ""}, "resource.name": {"path": "data.container", "entityType": "string", "mappedValue": false, "value": ""}, "resource.region": {"path": "data.vm_location", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}, "Amazon Web Services": {"provider": "Amazon Web Services", "providerType": "CSP", "providerId": "4", "source": {"GuardDuty": {"sourceName": "GuardDuty", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "AccountId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "Arn", "entityType": "string", "mappedValue": false, "value": ""}, "event.actor": {"path": "Resource.AccessKeyDetails.GeneratedFindingUserName", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "CreatedAt", "entityType": "", "mappedValue": false, "value": ""}, "resource.guid": {"path": "Resource.AccessKeyDetails.GeneratedFindingPrincipalId", "entityType": "", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "Description", "entityType": "", "mappedValue": false, "value": ""}, "event.name": {"path": "Title", "entityType": "", "mappedValue": false, "value": ""}}}}}, "CloudTrail": {"sourceName": "CloudTrail", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "recipientAccountId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "eventID", "entityType": "string", "mappedValue": false, "value": ""}, "event.actor": {"path": "userIdentity.arn", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "eventTime", "entityType": "", "mappedValue": false, "value": ""}, "event.geolocation.ipv4": {"path": "sourceIPAddress", "entityType": "", "mappedValue": false, "value": ""}, "event.name": {"path": "eventName", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}, "Falco": {"provider": "Falco", "providerType": "CSPM", "providerId": "4", "source": {"Falco": {"sourceName": "Falco", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"event.guid": {"path": "output_fields.\"evt.time\"", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "time", "entityType": "string", "mappedValue": false, "value": ""}, "resource.name": {"path": "output_fields.\"k8s.pod.name\"", "entityType": "string", "mappedValue": false, "value": ""}, "event.severity": {"path": "priority", "entityType": "string", "mappedValue": false, "value": ""}, "event.name": {"path": "rule", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}, "Fortinet": {"provider": "Fortinet", "providerType": "FW", "providerId": "6", "source": {"Fortigate": {"sourceName": "Fortigate", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"event.name": {"path": "subtype", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "eventtime", "entityType": "", "mappedValue": false, "value": ""}, "resource.guid": {"path": "appid", "entityType": "", "mappedValue": false, "value": ""}, "resource.type": {"path": "appcat", "entityType": "string", "mappedValue": false, "value": ""}, "resource.name": {"path": "app", "entityType": "string", "mappedValue": false, "value": ""}, "event.severity": {"path": "level", "entityType": "string", "mappedValue": false, "value": ""}, "event.geolocation.ipv4": {"path": "srcip", "entityType": "", "mappedValue": false, "value": ""}, "event.geolocation.country": {"path": "srccountry", "entityType": "string", "mappedValue": false, "value": ""}, "event.state": {"path": "action", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}, "Google Cloud Platform": {"provider": "Google Cloud Platform", "providerType": "CSP", "providerId": "7", "source": {"Security Command Center": {"sourceName": "Security Command Center", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "finding.resourceName", "entityType": "string", "mappedValue": false, "value": ""}, "event.state": {"path": "finding.state", "entityType": "string", "mappedValue": false, "value": ""}, "event.name": {"path": "finding.category", "entityType": "string", "mappedValue": false, "value": ""}, "event.timeStart": {"path": "finding.eventTime", "entityType": "string", "mappedValue": false, "value": ""}, "event.severity": {"path": "finding.severity", "entityType": "string", "mappedValue": false, "value": ""}, "event.longDescription": {"path": "finding.sourceProperties.Explanation", "entityType": "string", "mappedValue": false, "value": ""}, "event.recommendation": {"path": "finding.sourceProperties.Recommendation", "entityType": "string", "mappedValue": false, "value": ""}, "resource.type": {"path": "resource.type", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}} -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/provider_csv_to_provider_json.py: -------------------------------------------------------------------------------- 1 | """ CLI script to convert the ONUG provider CSV to JSON """ 2 | # Copyright (c) 2021 Oracle and/or its affiliates. 3 | # Licensed under the Universal Permissive License v 1.0 4 | # as shown at https://oss.oracle.com/licenses/upl. 5 | 6 | import argparse 7 | import csv 8 | import json 9 | 10 | 11 | def validate_csv_data( # pylint: disable=too-many-arguments 12 | all_providers, 13 | provider_name, 14 | provider_type, 15 | provider_id, 16 | source_name, 17 | alert_id_name, 18 | csnf_path, 19 | provider_path, 20 | static_value, 21 | entity_type, 22 | ): 23 | """Guarantees that data from CSV is formatted correctly in dictionary.""" 24 | if provider_name not in all_providers: 25 | all_providers[provider_name] = { 26 | "provider": provider_name, 27 | "providerType": provider_type, 28 | "providerId": provider_id, 29 | "source": {}, 30 | } 31 | 32 | provider_source = all_providers[provider_name]["source"] 33 | 34 | if source_name not in provider_source: 35 | provider_source[source_name] = { 36 | "sourceName": source_name, 37 | "sourceId": "None", 38 | "alerts": {}, 39 | } 40 | 41 | source_alerts = provider_source[source_name]["alerts"] 42 | if alert_id_name not in source_alerts: 43 | source_alerts[alert_id_name] = {"alertMapping": {}} 44 | 45 | source_alerts[alert_id_name]["alertMapping"][csnf_path] = { 46 | "path": provider_path, 47 | "entityType": entity_type, 48 | "mappedValue": (static_value != ""), 49 | "value": static_value, 50 | } 51 | 52 | return all_providers 53 | 54 | 55 | def convert_onug_csv_to_dictionary(input_file): 56 | """Reads data from CSV and outputs it as a python dictionary""" 57 | all_providers = {} 58 | with open(input_file, encoding="utf-8") as csv_file: 59 | csvreader = csv.reader(csv_file) 60 | next(csvreader) 61 | 62 | try: 63 | for ( 64 | provider_name, 65 | provider_type, 66 | provider_id, 67 | source_name, 68 | alert_id_name, 69 | csnf_path, 70 | provider_path, 71 | static_value, 72 | entity_type, 73 | ) in csvreader: 74 | all_providers = validate_csv_data( 75 | all_providers, 76 | provider_name, 77 | provider_type, 78 | provider_id, 79 | source_name, 80 | alert_id_name, 81 | csnf_path, 82 | provider_path, 83 | static_value, 84 | entity_type, 85 | ) 86 | 87 | except ValueError as val_error: 88 | print("\n\nProper headers were not found in CSV.") 89 | print("Ensure CSV has proper CSNF headings.") 90 | raise SystemExit(val_error) from val_error 91 | 92 | return all_providers 93 | 94 | 95 | def write_json_output(all_providers, output_file): 96 | """Output file with a json dump""" 97 | with open(f"./{output_file}.json", "w", encoding="utf-8") as outfile: 98 | json.dump(all_providers, outfile) 99 | 100 | 101 | def dict_to_splunk_conf(all_providers, output_prefix): 102 | """Creates splunk configuration file and outputs file contents to screen.""" 103 | with open(f"./{output_prefix}.conf", "w", encoding="utf-8") as outfile: 104 | for provider, provider_values in all_providers.items(): 105 | for _, source_values in provider_values["source"].items(): 106 | outfile.write(f"[{provider}:{source_values['sourceName']}]\n") 107 | for alert_mapping, alert_mapping_values in source_values["alerts"][ 108 | "__default__" 109 | ]["alertMapping"].items(): 110 | alias_prefix = "FIELDALIAS-csnf-" 111 | prefix = alias_prefix + alert_mapping.replace(".", "-") 112 | outfile.write( 113 | prefix 114 | + " = " 115 | + '"' 116 | + alert_mapping_values["path"] 117 | + '"' 118 | + " ASNEW " 119 | + '"csnf.' 120 | + alert_mapping 121 | + '"\n' 122 | ) 123 | 124 | 125 | if __name__ == "__main__": 126 | parser = argparse.ArgumentParser() 127 | parser.add_argument( 128 | "-i", 129 | "--input", 130 | type=argparse.FileType("r"), 131 | dest="input_csv", 132 | help="Input CSV File", 133 | required=True, 134 | ) 135 | parser.add_argument( 136 | "-o", 137 | "--output", 138 | dest="output", 139 | help="Output prefix for both JSON and Splunk format.", 140 | required=True, 141 | ) 142 | 143 | result = parser.parse_args() 144 | 145 | if result.output.endswith(".json") or result.output.endswith(".conf"): 146 | print(f"Stripping .json or .conf from output prefix: {result.output}\n") 147 | result.output = result.output[:-5] 148 | 149 | print(f"Input file is: {result.input_csv.name}") 150 | 151 | all_providers_dict = convert_onug_csv_to_dictionary(result.input_csv.name) 152 | write_json_output(all_providers_dict, result.output) 153 | print(f"JSON output file is: {result.output}.json") 154 | dict_to_splunk_conf(all_providers_dict, result.output) 155 | print(f"Splunk output file is: {result.output}.conf") 156 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["setuptools>=61.0"] 3 | build-backend = "setuptools.build_meta" 4 | 5 | [project] 6 | name = "csnf_provider_csv_to_json" 7 | version = "0.0.1" 8 | authors = [ 9 | { name="Josh Halimer"}, 10 | ] 11 | description = "A script to convert between CSNF mapping csv and a JSON or Splunk output." 12 | readme = "README.md" 13 | requires-python = ">=3.10" 14 | classifiers = [ 15 | "Programming Language :: Python :: 3", 16 | "Operating System :: OS Independent", 17 | ] 18 | 19 | [project.urls] 20 | Homepage = "https://github.com/onug/csnf" 21 | Issues = "https://github.com/onug/csnf/issues" 22 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/requirements.txt: -------------------------------------------------------------------------------- 1 | astroid==3.0.1 2 | black==23.11.0 3 | click==8.1.7 4 | dill==0.3.7 5 | isort==5.12.0 6 | mccabe==0.7.0 7 | mypy-extensions==1.0.0 8 | packaging==23.2 9 | pathspec==0.11.2 10 | platformdirs==4.0.0 11 | pylint==3.0.2 12 | tomli==2.0.1 13 | tomlkit==0.12.3 14 | typing_extensions==4.8.0 15 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/test/resources/aws_guardduty_csnf_output.json: -------------------------------------------------------------------------------- 1 | {"Amazon Web Services": {"provider": "Amazon Web Services", "providerType": "CSP", "providerId": "4", "source": {"GuardDuty": {"sourceName": "GuardDuty", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "accountId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "Id", "entityType": "string", "mappedValue": false, "value": ""}, "event.actor": {"path": "Resource.AccessKeyDetails.GeneratedFindingUserName", "entityType": "string", "mappedValue": false, "value": ""}, "event.startTime": {"path": "CreatedAt", "entityType": "", "mappedValue": false, "value": ""}, "resource.identifier": {"path": "Resource.AccessKeyDetails.GeneratedFindingPrincipalId", "entityType": "", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "Description", "entityType": "", "mappedValue": false, "value": ""}, "event.name": {"path": "Title", "entityType": "", "mappedValue": false, "value": ""}, "decorator.behavior": {"path": "Service.Action.ActionType", "entityType": "", "mappedValue": false, "value": ""}, "decorator.references": {"path": "Service.ServiceName", "entityType": "", "mappedValue": false, "value": ""}, "decorator.risk": {"path": "Severity", "entityType": "", "mappedValue": false, "value": ""}, "decorator.threat": {"path": "Type", "entityType": "", "mappedValue": false, "value": ""}, "resource.name": {"path": "Resource.S3BucketDetails.Arn", "entityType": "", "mappedValue": false, "value": ""}, "resource.group": {"path": "Resource.S3BucketDetails.Owner.Id", "entityType": "", "mappedValue": false, "value": ""}}}}}}}} -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/test/resources/aws_guardduty_input.csv: -------------------------------------------------------------------------------- 1 | Provider,Provider Type,Provider ID,Source,alertId,CSNF Dictionary,path,staticValue,entityType 2 | Amazon Web Services,CSP,4,GuardDuty,__default__,provider.accountId,accountId,26923064426,string 3 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.guid,Id,77643f787adb40b98bc30b78173466c9,string 4 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.actor,Resource.AccessKeyDetails.GeneratedFindingUserName,GeneratedFindingUserName,string 5 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.startTime,CreatedAt,2022-12-15T12:09:08.488Z, 6 | Amazon Web Services,CSP,4,GuardDuty,__default__,resource.identifier,Resource.AccessKeyDetails.GeneratedFindingPrincipalId,GeneratedFindingPrincipalId, 7 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.shortDescription,Description,S3 API GeneratedFindingAPIName was invoked from known malicious IP address 198.51.100.0. This can indicate an attempt by an adversary to discover resources in your AWS environment., 8 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.name,Title,S3 API GeneratedFindingAPIName was invoked from known malicious IP address 198.51.100.0., 9 | Amazon Web Services,CSP,4,GuardDuty,__default__,decorator.behavior,Service.Action.ActionType,AWS_API_CALL, 10 | Amazon Web Services,CSP,4,GuardDuty,__default__,decorator.references,Service.Action.AWSApiCallAction.ServiceName,GeneratedFindingAPIServiceName, 11 | Amazon Web Services,CSP,4,GuardDuty,__default__,decorator.risk,Severity,8, 12 | Amazon Web Services,CSP,4,GuardDuty,__default__,decorator.threat,Type,Discovery:S3/MaliciousIPCaller, 13 | Amazon Web Services,CSP,4,GuardDuty,__default__,resource.name,Resource.S3BucketDetails.Arn,arn:aws:s3:::bucketName, 14 | Amazon Web Services,CSP,4,GuardDuty,__default__,resource.group,Resource.S3BucketDetails.Owner.Id,CanonicalId of Owner, 15 | -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/test/resources/sample_provider_input.csv: -------------------------------------------------------------------------------- 1 | Provider,Provider Type,Provider ID,Source,alertId,CSNF Dictionary,path,staticValue,entityType 2 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,provider.accountId,data.additionalDetails.tenantId,,string 3 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.guid,data.resourceId,,string 4 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.name,data.additionalDetails.problemName,,string 5 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.shortDescription,data.additionalDetails.problemDescription,,string 6 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.startTime,data.additionalDetails.firstDetected,,datetime 7 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.severity,data.additionalDetails.riskLevel,,string 8 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,event.status,data.additionalDetails.status,,string 9 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.identifier,data.additionalDetails.resourceId,,orclResourceId 10 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.type,data.additionalDetails.resourceType,,string 11 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.name,data.additionalDetails.resourceName,,string 12 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.region,data.additionalDetails.region,,string 13 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,__default__,resource.zone,data.compartmentName,,string 14 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,BUCKET_IS_PUBLIC,event.recommendation,data.additionalDetails.problemRecommendation,,string 15 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,SUSPICIOUS_IP_ACTIVITY,event.geolocation.ipv4,data.additionalDetails.impactedResourceId,, 16 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,SUSPICIOUS_IP_ACTIVITY,event.actor,data.additionalDetails.resourceName,, 17 | Oracle Cloud Infrastructure,CSP,1,Cloud Guard,VCN_DHCP_OPTION_CHANGED,event.actor,data.additionalDetails.resourceName,, 18 | Azure,CSP,2,Defender,__default__,provider.accountId,properties.subscriptionId,,string 19 | Azure,CSP,2,Defender,__default__,event.guid,id,,string 20 | Azure,CSP,2,Defender,__default__,event.name,properties.alertName,,string 21 | Azure,CSP,2,Defender,__default__,event.shortDescription,properties.alertDisplayName,,string 22 | Azure,CSP,2,Defender,__default__,event.longDescription,properties.description,,string 23 | Azure,CSP,2,Defender,__default__,event.startTime,properties.detectedTimeUtc,,string 24 | Azure,CSP,2,Defender,__default__,event.status,properties.state,,string 25 | Azure,CSP,2,Defender,__default__,resource.identifier,properties.associatedResource,,string 26 | Azure,CSP,2,Defender,__default__,resource.type,properties.extendedProperties.resourceType,,string 27 | Azure,CSP,2,Defender,__default__,event.geolocation.ipv4,properties.extendedProperties.client IP address,, 28 | Azure,CSP,2,Defender,__default__,event.actor,properties.extendedProperties.client principal name,, 29 | Azure,CSP,2,Defender,__default__,event.severity,properties.reportedSeverity,, 30 | Aquasec,CSPM,3,Aqua,__default__,event.name,data.control,,string 31 | Aquasec,CSPM,3,Aqua,__default__,event.guid,id,,string 32 | Aquasec,CSPM,3,Aqua,__default__,event.shortDescription,data.reason,,string 33 | Aquasec,CSPM,3,Aqua,__default__,event.startTime,data.time,,string 34 | Aquasec,CSPM,3,Aqua,__default__,event.severity,,High,string 35 | Aquasec,CSPM,3,Aqua,__default__,resource.identifier,containerid,,string 36 | Aquasec,CSPM,3,Aqua,__default__,resource.type,type,,string 37 | Aquasec,CSPM,3,Aqua,__default__,resource.name,data.container,,string 38 | Aquasec,CSPM,3,Aqua,__default__,resource.region,data.vm_location,,string 39 | Amazon Web Services,CSP,4,GuardDuty,__default__,provider.accountId,accountId,,string 40 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.guid,Arn,,string 41 | Amazon Web Services,CSP,4,GuardDuty,__default__,provider.accountId,AccountId,,string 42 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.actor,Resource.AccessKeyDetails.GeneratedFindingUserName,,string 43 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.startTime,CreatedAt,, 44 | Amazon Web Services,CSP,4,GuardDuty,__default__,resource.identifier,Resource.AccessKeyDetails.GeneratedFindingPrincipalId,, 45 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.shortDescription,Description,, 46 | Amazon Web Services,CSP,4,GuardDuty,__default__,event.name,Title,, -------------------------------------------------------------------------------- /tools/provider_csv_to_provider_json_script/test/resources/sample_provider_output.json: -------------------------------------------------------------------------------- 1 | {"Oracle Cloud Infrastructure": {"provider": "Oracle Cloud Infrastructure", "providerType": "CSP", "providerId": "1", "source": {"Cloud Guard": {"sourceName": "Cloud Guard", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "data.additionalDetails.tenantId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "data.resourceId", "entityType": "string", "mappedValue": false, "value": ""}, "event.name": {"path": "data.additionalDetails.problemName", "entityType": "string", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "data.additionalDetails.problemDescription", "entityType": "string", "mappedValue": false, "value": ""}, "event.startTime": {"path": "data.additionalDetails.firstDetected", "entityType": "datetime", "mappedValue": false, "value": ""}, "event.severity": {"path": "data.additionalDetails.riskLevel", "entityType": "string", "mappedValue": false, "value": ""}, "event.status": {"path": "data.additionalDetails.status", "entityType": "string", "mappedValue": false, "value": ""}, "resource.identifier": {"path": "data.additionalDetails.resourceId", "entityType": "orclResourceId", "mappedValue": false, "value": ""}, "resource.type": {"path": "data.additionalDetails.resourceType", "entityType": "string", "mappedValue": false, "value": ""}, "resource.name": {"path": "data.additionalDetails.resourceName", "entityType": "string", "mappedValue": false, "value": ""}, "resource.region": {"path": "data.additionalDetails.region", "entityType": "string", "mappedValue": false, "value": ""}, "resource.zone": {"path": "data.compartmentName", "entityType": "string", "mappedValue": false, "value": ""}}}, "BUCKET_IS_PUBLIC": {"alertMapping": {"event.recommendation": {"path": "data.additionalDetails.problemRecommendation", "entityType": "string", "mappedValue": false, "value": ""}}}, "SUSPICIOUS_IP_ACTIVITY": {"alertMapping": {"event.geolocation.ipv4": {"path": "data.additionalDetails.impactedResourceId", "entityType": "", "mappedValue": false, "value": ""}, "event.actor": {"path": "data.additionalDetails.resourceName", "entityType": "", "mappedValue": false, "value": ""}}}, "VCN_DHCP_OPTION_CHANGED": {"alertMapping": {"event.actor": {"path": "data.additionalDetails.resourceName", "entityType": "", "mappedValue": false, "value": ""}}}}}, "Audit": {"sourceName": "Audit", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"event.startTime": {"path": "eventTime", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "eventID", "entityType": "string", "mappedValue": false, "value": ""}, "provider.accountId": {"path": "data.identity.tenantId", "entityType": "string", "mappedValue": false, "value": ""}, "event.geolocation.ipv4": {"path": "data.identity.ipAddress", "entityType": "string", "mappedValue": false, "value": ""}, "event.actor": {"path": "data.identity.principalId", "entityType": "string", "mappedValue": false, "value": ""}, "event.accountId": {"path": "data.compartmentId", "entityType": "", "mappedValue": false, "value": ""}, "event.name": {"path": "data.eventName", "entityType": "", "mappedValue": false, "value": ""}}}}}}}, "Azure": {"provider": "Azure", "providerType": "CSP", "providerId": "2", "source": {"Defender": {"sourceName": "Defender", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "properties.subscriptionId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "id", "entityType": "string", "mappedValue": false, "value": ""}, "event.name": {"path": "properties.alertName", "entityType": "string", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "properties.alertDisplayName", "entityType": "string", "mappedValue": false, "value": ""}, "event.longDescription": {"path": "properties.description", "entityType": "string", "mappedValue": false, "value": ""}, "event.startTime": {"path": "properties.detectedTimeUtc", "entityType": "string", "mappedValue": false, "value": ""}, "event.status": {"path": "properties.state", "entityType": "string", "mappedValue": false, "value": ""}, "resource.identifier": {"path": "properties.associatedResource", "entityType": "string", "mappedValue": false, "value": ""}, "resource.type": {"path": "properties.extendedProperties.resourceType", "entityType": "string", "mappedValue": false, "value": ""}, "event.geolocation.ipv4": {"path": "properties.extendedProperties.client IP address", "entityType": "", "mappedValue": false, "value": ""}, "event.actor": {"path": "properties.extendedProperties.client principal name", "entityType": "", "mappedValue": false, "value": ""}, "event.severity": {"path": "properties.reportedSeverity", "entityType": "", "mappedValue": false, "value": ""}}}}}}}, "Aquasec": {"provider": "Aquasec", "providerType": "CSPM", "providerId": "3", "source": {"Aqua": {"sourceName": "Aqua", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"event.name": {"path": "data.control", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "id", "entityType": "string", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "data.reason", "entityType": "string", "mappedValue": false, "value": ""}, "event.startTime": {"path": "data.time", "entityType": "string", "mappedValue": false, "value": ""}, "event.severity": {"path": "", "entityType": "string", "mappedValue": true, "value": "High"}, "resource.identifier": {"path": "containerid", "entityType": "string", "mappedValue": false, "value": ""}, "resource.type": {"path": "type", "entityType": "string", "mappedValue": false, "value": ""}, "resource.name": {"path": "data.container", "entityType": "string", "mappedValue": false, "value": ""}, "resource.region": {"path": "data.vm_location", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}, "Amazon Web Services": {"provider": "Amazon Web Services", "providerType": "CSP", "providerId": "4", "source": {"GuardDuty": {"sourceName": "GuardDuty", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "AccountId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "Arn", "entityType": "string", "mappedValue": false, "value": ""}, "event.actor": {"path": "Resource.AccessKeyDetails.GeneratedFindingUserName", "entityType": "string", "mappedValue": false, "value": ""}, "event.startTime": {"path": "CreatedAt", "entityType": "", "mappedValue": false, "value": ""}, "resource.identifier": {"path": "Resource.AccessKeyDetails.GeneratedFindingPrincipalId", "entityType": "", "mappedValue": false, "value": ""}, "event.shortDescription": {"path": "Description", "entityType": "", "mappedValue": false, "value": ""}, "event.name": {"path": "Title", "entityType": "", "mappedValue": false, "value": ""}}}}}, "CloudTrail": {"sourceName": "CloudTrail", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"provider.accountId": {"path": "recipientAccountId", "entityType": "string", "mappedValue": false, "value": ""}, "event.guid": {"path": "eventID", "entityType": "string", "mappedValue": false, "value": ""}, "event.actor": {"path": "userIdentity.arn", "entityType": "string", "mappedValue": false, "value": ""}, "event.startTime": {"path": "eventTime", "entityType": "", "mappedValue": false, "value": ""}, "event.geolocation.ipv4": {"path": "sourceIPAddress", "entityType": "", "mappedValue": false, "value": ""}, "event.name": {"path": "eventName", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}, "Falco": {"provider": "Falco", "providerType": "CSPM", "providerId": "4", "source": {"Falco": {"sourceName": "Falco", "sourceId": "None", "alerts": {"__default__": {"alertMapping": {"event.guid": {"path": "output_fields.\"evt.time\"", "entityType": "string", "mappedValue": false, "value": ""}, "event.startTime": {"path": "time", "entityType": "string", "mappedValue": false, "value": ""}, "resource.name": {"path": "output_fields.\"k8s.pod.name\"", "entityType": "string", "mappedValue": false, "value": ""}, "event.severity": {"path": "priority", "entityType": "string", "mappedValue": false, "value": ""}, "event.name": {"path": "rule", "entityType": "string", "mappedValue": false, "value": ""}}}}}}}} -------------------------------------------------------------------------------- /tools/sample_findings/aws_gd_s3_malicousIP.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "AccountId": "026923064426", 4 | "Arn": "arn:aws:guardduty:us-east-1:026923064426:detector/f6c2881d4202ff653c1f33df4bc1791e/finding/77643f787adb40b98bc30b78173466c9", 5 | "CreatedAt": "2022-12-15T12:09:08.488Z", 6 | "Description": "S3 API GeneratedFindingAPIName was invoked from known malicious IP address 198.51.100.0. This can indicate an attempt by an adversary to discover resources in your AWS environment.", 7 | "Id": "77643f787adb40b98bc30b78173466c9", 8 | "Partition": "aws", 9 | "Region": "us-east-1", 10 | "Resource": { 11 | "AccessKeyDetails": { 12 | "AccessKeyId": "GeneratedFindingAccessKeyId", 13 | "PrincipalId": "GeneratedFindingPrincipalId", 14 | "UserName": "GeneratedFindingUserName", 15 | "UserType": "IAMUser" 16 | }, 17 | "S3BucketDetails": [ 18 | { 19 | "Arn": "arn:aws:s3:::bucketName", 20 | "Name": "bucketName", 21 | "Type": "Destination", 22 | "CreatedAt": "2017-12-18T15:58:11.551Z", 23 | "Owner": { 24 | "Id": "CanonicalId of Owner" 25 | }, 26 | "Tags": [ 27 | { 28 | "Key": "foo", 29 | "Value": "bar" 30 | } 31 | ], 32 | "DefaultServerSideEncryption": { 33 | "EncryptionType": "SSEAlgorithm", 34 | "KmsMasterKeyArn": "arn:aws:kms:region:123456789012:key/key-id" 35 | }, 36 | "PublicAccess": { 37 | "PermissionConfiguration": { 38 | "BucketLevelPermissions": { 39 | "AccessControlList": { 40 | "AllowsPublicReadAccess": false, 41 | "AllowsPublicWriteAccess": false 42 | }, 43 | "BucketPolicy": { 44 | "AllowsPublicReadAccess": false, 45 | "AllowsPublicWriteAccess": false 46 | }, 47 | "BlockPublicAccess": { 48 | "IgnorePublicAcls": false, 49 | "RestrictPublicBuckets": false, 50 | "BlockPublicAcls": false, 51 | "BlockPublicPolicy": false 52 | } 53 | }, 54 | "AccountLevelPermissions": { 55 | "BlockPublicAccess": { 56 | "IgnorePublicAcls": false, 57 | "RestrictPublicBuckets": false, 58 | "BlockPublicAcls": false, 59 | "BlockPublicPolicy": false 60 | } 61 | } 62 | }, 63 | "EffectivePermission": "NOT_PUBLIC" 64 | } 65 | } 66 | ], 67 | "InstanceDetails": { 68 | "AvailabilityZone": "GeneratedFindingInstaceAvailabilityZone", 69 | "IamInstanceProfile": { 70 | "Arn": "arn:aws:iam::026923064426:example/instance/profile", 71 | "Id": "GeneratedFindingInstanceProfileId" 72 | }, 73 | "ImageDescription": "GeneratedFindingInstaceImageDescription", 74 | "ImageId": "ami-99999999", 75 | "InstanceId": "i-99999999", 76 | "InstanceState": "running", 77 | "InstanceType": "m3.xlarge", 78 | "OutpostArn": "arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3", 79 | "LaunchTime": "2016-08-02T02:05:06.000Z", 80 | "NetworkInterfaces": [ 81 | { 82 | "Ipv6Addresses": [], 83 | "NetworkInterfaceId": "eni-bfcffe88", 84 | "PrivateDnsName": "GeneratedFindingPrivateDnsName", 85 | "PrivateIpAddress": "10.0.0.1", 86 | "PrivateIpAddresses": [ 87 | { 88 | "PrivateDnsName": "GeneratedFindingPrivateName", 89 | "PrivateIpAddress": "10.0.0.1" 90 | } 91 | ], 92 | "PublicDnsName": "GeneratedFindingPublicDNSName", 93 | "PublicIp": "198.51.100.0", 94 | "SecurityGroups": [ 95 | { 96 | "GroupId": "GeneratedFindingSecurityId", 97 | "GroupName": "GeneratedFindingSecurityGroupName" 98 | } 99 | ], 100 | "SubnetId": "GeneratedFindingSubnetId", 101 | "VpcId": "GeneratedFindingVPCId" 102 | } 103 | ], 104 | "Platform": null, 105 | "ProductCodes": [ 106 | { 107 | "Code": "GeneratedFindingProductCodeId", 108 | "ProductType": "GeneratedFindingProductCodeType" 109 | } 110 | ], 111 | "Tags": [ 112 | { 113 | "Key": "GeneratedFindingInstaceTag1", 114 | "Value": "GeneratedFindingInstaceValue1" 115 | }, 116 | { 117 | "Key": "GeneratedFindingInstaceTag2", 118 | "Value": "GeneratedFindingInstaceTagValue2" 119 | }, 120 | { 121 | "Key": "GeneratedFindingInstaceTag3", 122 | "Value": "GeneratedFindingInstaceTagValue3" 123 | }, 124 | { 125 | "Key": "GeneratedFindingInstaceTag4", 126 | "Value": "GeneratedFindingInstaceTagValue4" 127 | }, 128 | { 129 | "Key": "GeneratedFindingInstaceTag5", 130 | "Value": "GeneratedFindingInstaceTagValue5" 131 | }, 132 | { 133 | "Key": "GeneratedFindingInstaceTag6", 134 | "Value": "GeneratedFindingInstaceTagValue6" 135 | }, 136 | { 137 | "Key": "GeneratedFindingInstaceTag7", 138 | "Value": "GeneratedFindingInstaceTagValue7" 139 | }, 140 | { 141 | "Key": "GeneratedFindingInstaceTag8", 142 | "Value": "GeneratedFindingInstaceTagValue8" 143 | }, 144 | { 145 | "Key": "GeneratedFindingInstaceTag9", 146 | "Value": "GeneratedFindingInstaceTagValue9" 147 | } 148 | ] 149 | }, 150 | "ResourceType": "S3Bucket" 151 | }, 152 | "SchemaVersion": "2.0", 153 | "Service": { 154 | "Action": { 155 | "ActionType": "AWS_API_CALL", 156 | "AwsApiCallAction": { 157 | "Api": "GeneratedFindingAPIName", 158 | "CallerType": "Remote IP", 159 | "ErrorCode": "AccessDenied", 160 | "RemoteIpDetails": { 161 | "City": { 162 | "CityName": "GeneratedFindingCityName" 163 | }, 164 | "Country": { 165 | "CountryName": "GeneratedFindingCountryName" 166 | }, 167 | "GeoLocation": { 168 | "Lat": 0, 169 | "Lon": 0 170 | }, 171 | "IpAddressV4": "198.51.100.0", 172 | "Organization": { 173 | "Asn": "-1", 174 | "AsnOrg": "GeneratedFindingASNOrg", 175 | "Isp": "GeneratedFindingISP", 176 | "Org": "GeneratedFindingORG" 177 | } 178 | }, 179 | "ServiceName": "GeneratedFindingAPIServiceName", 180 | "AffectedResources": { 181 | "AWS::S3::Bucket": "GeneratedFindingS3Bucket" 182 | } 183 | } 184 | }, 185 | "Archived": false, 186 | "Count": 2, 187 | "DetectorId": "f6c2881d4202ff653c1f33df4bc1791e", 188 | "EventFirstSeen": "2022-12-15T12:09:08.000Z", 189 | "EventLastSeen": "2022-12-15T14:14:49.000Z", 190 | "ResourceRole": "TARGET", 191 | "ServiceName": "guardduty", 192 | "AdditionalInfo": { 193 | "Value": "{\"sample\":true}", 194 | "Type": "default" 195 | } 196 | }, 197 | "Severity": 8, 198 | "Title": "S3 API GeneratedFindingAPIName was invoked from known malicious IP address 198.51.100.0.", 199 | "Type": "Discovery:S3/MaliciousIPCaller", 200 | "UpdatedAt": "2022-12-15T14:14:49.973Z" 201 | } 202 | ] -------------------------------------------------------------------------------- /tools/sample_findings/aws_gd_s3_torexitnode.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "AccountId": "026923064426", 4 | "Arn": "arn:aws:guardduty:us-east-1:026923064426:detector/f6c2881d4202ff653c1f33df4bc1791e/finding/ee0481b4fc4f42648a36f6bc3687aacc", 5 | "CreatedAt": "2022-12-15T12:09:08.469Z", 6 | "Description": "API GeneratedFindingAPIName, commonly used in resource discovery, was used to access bucket GeneratedFindingS3Bucket from Tor exit node IP address 198.51.100.0. Unauthorized actors perform such activity to gather information about your Amazon S3 buckets and objects in order to further tailor the attack.", 7 | "Id": "ee0481b4fc4f42648a36f6bc3687aacc", 8 | "Partition": "aws", 9 | "Region": "us-east-1", 10 | "Resource": { 11 | "AccessKeyDetails": { 12 | "AccessKeyId": "GeneratedFindingAccessKeyId", 13 | "PrincipalId": "GeneratedFindingPrincipalId", 14 | "UserName": "GeneratedFindingUserName", 15 | "UserType": "IAMUser" 16 | }, 17 | "S3BucketDetails": [ 18 | { 19 | "Arn": "arn:aws:s3:::bucketName", 20 | "Name": "bucketName", 21 | "Type": "Destination", 22 | "CreatedAt": "2017-12-18T15:58:11.551Z", 23 | "Owner": { 24 | "Id": "CanonicalId of Owner" 25 | }, 26 | "Tags": [ 27 | { 28 | "Key": "foo", 29 | "Value": "bar" 30 | } 31 | ], 32 | "DefaultServerSideEncryption": { 33 | "EncryptionType": "SSEAlgorithm", 34 | "KmsMasterKeyArn": "arn:aws:kms:region:123456789012:key/key-id" 35 | }, 36 | "PublicAccess": { 37 | "PermissionConfiguration": { 38 | "BucketLevelPermissions": { 39 | "AccessControlList": { 40 | "AllowsPublicReadAccess": false, 41 | "AllowsPublicWriteAccess": false 42 | }, 43 | "BucketPolicy": { 44 | "AllowsPublicReadAccess": false, 45 | "AllowsPublicWriteAccess": false 46 | }, 47 | "BlockPublicAccess": { 48 | "IgnorePublicAcls": false, 49 | "RestrictPublicBuckets": false, 50 | "BlockPublicAcls": false, 51 | "BlockPublicPolicy": false 52 | } 53 | }, 54 | "AccountLevelPermissions": { 55 | "BlockPublicAccess": { 56 | "IgnorePublicAcls": false, 57 | "RestrictPublicBuckets": false, 58 | "BlockPublicAcls": false, 59 | "BlockPublicPolicy": false 60 | } 61 | } 62 | }, 63 | "EffectivePermission": "NOT_PUBLIC" 64 | } 65 | } 66 | ], 67 | "InstanceDetails": { 68 | "AvailabilityZone": "GeneratedFindingInstaceAvailabilityZone", 69 | "IamInstanceProfile": { 70 | "Arn": "arn:aws:iam::026923064426:example/instance/profile", 71 | "Id": "GeneratedFindingInstanceProfileId" 72 | }, 73 | "ImageDescription": "GeneratedFindingInstaceImageDescription", 74 | "ImageId": "ami-99999999", 75 | "InstanceId": "i-99999999", 76 | "InstanceState": "running", 77 | "InstanceType": "m3.xlarge", 78 | "OutpostArn": "arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3", 79 | "LaunchTime": "2016-08-02T02:05:06.000Z", 80 | "NetworkInterfaces": [ 81 | { 82 | "Ipv6Addresses": [], 83 | "NetworkInterfaceId": "eni-bfcffe88", 84 | "PrivateDnsName": "GeneratedFindingPrivateDnsName", 85 | "PrivateIpAddress": "10.0.0.1", 86 | "PrivateIpAddresses": [ 87 | { 88 | "PrivateDnsName": "GeneratedFindingPrivateName", 89 | "PrivateIpAddress": "10.0.0.1" 90 | } 91 | ], 92 | "PublicDnsName": "GeneratedFindingPublicDNSName", 93 | "PublicIp": "198.51.100.0", 94 | "SecurityGroups": [ 95 | { 96 | "GroupId": "GeneratedFindingSecurityId", 97 | "GroupName": "GeneratedFindingSecurityGroupName" 98 | } 99 | ], 100 | "SubnetId": "GeneratedFindingSubnetId", 101 | "VpcId": "GeneratedFindingVPCId" 102 | } 103 | ], 104 | "Platform": null, 105 | "ProductCodes": [ 106 | { 107 | "Code": "GeneratedFindingProductCodeId", 108 | "ProductType": "GeneratedFindingProductCodeType" 109 | } 110 | ], 111 | "Tags": [ 112 | { 113 | "Key": "GeneratedFindingInstaceTag1", 114 | "Value": "GeneratedFindingInstaceValue1" 115 | }, 116 | { 117 | "Key": "GeneratedFindingInstaceTag2", 118 | "Value": "GeneratedFindingInstaceTagValue2" 119 | }, 120 | { 121 | "Key": "GeneratedFindingInstaceTag3", 122 | "Value": "GeneratedFindingInstaceTagValue3" 123 | }, 124 | { 125 | "Key": "GeneratedFindingInstaceTag4", 126 | "Value": "GeneratedFindingInstaceTagValue4" 127 | }, 128 | { 129 | "Key": "GeneratedFindingInstaceTag5", 130 | "Value": "GeneratedFindingInstaceTagValue5" 131 | }, 132 | { 133 | "Key": "GeneratedFindingInstaceTag6", 134 | "Value": "GeneratedFindingInstaceTagValue6" 135 | }, 136 | { 137 | "Key": "GeneratedFindingInstaceTag7", 138 | "Value": "GeneratedFindingInstaceTagValue7" 139 | }, 140 | { 141 | "Key": "GeneratedFindingInstaceTag8", 142 | "Value": "GeneratedFindingInstaceTagValue8" 143 | }, 144 | { 145 | "Key": "GeneratedFindingInstaceTag9", 146 | "Value": "GeneratedFindingInstaceTagValue9" 147 | } 148 | ] 149 | }, 150 | "ResourceType": "S3Bucket" 151 | }, 152 | "SchemaVersion": "2.0", 153 | "Service": { 154 | "Action": { 155 | "ActionType": "AWS_API_CALL", 156 | "AwsApiCallAction": { 157 | "Api": "GeneratedFindingAPIName", 158 | "CallerType": "Remote IP", 159 | "ErrorCode": "AccessDenied", 160 | "RemoteIpDetails": { 161 | "City": { 162 | "CityName": "GeneratedFindingCityName" 163 | }, 164 | "Country": { 165 | "CountryName": "GeneratedFindingCountryName" 166 | }, 167 | "GeoLocation": { 168 | "Lat": 0, 169 | "Lon": 0 170 | }, 171 | "IpAddressV4": "198.51.100.0", 172 | "Organization": { 173 | "Asn": "-1", 174 | "AsnOrg": "GeneratedFindingASNOrg", 175 | "Isp": "GeneratedFindingISP", 176 | "Org": "GeneratedFindingORG" 177 | } 178 | }, 179 | "ServiceName": "GeneratedFindingAPIServiceName", 180 | "AffectedResources": { 181 | "AWS::S3::Bucket": "GeneratedFindingS3Bucket" 182 | } 183 | } 184 | }, 185 | "Archived": false, 186 | "Count": 2, 187 | "DetectorId": "f6c2881d4202ff653c1f33df4bc1791e", 188 | "EventFirstSeen": "2022-12-15T12:09:08.000Z", 189 | "EventLastSeen": "2022-12-15T14:14:49.000Z", 190 | "ResourceRole": "TARGET", 191 | "ServiceName": "guardduty", 192 | "AdditionalInfo": { 193 | "Value": "{\"unusual\":{\"hoursOfDay\":[1513609200000],\"userNames\":[\"GeneratedFindingUserName\"]},\"sample\":true}", 194 | "Type": "default" 195 | } 196 | }, 197 | "Severity": 5, 198 | "Title": "Resource discovery API GeneratedFindingAPIName was invoked from a Tor exit node.", 199 | "Type": "Discovery:S3/TorIPCaller", 200 | "UpdatedAt": "2022-12-15T14:14:49.946Z" 201 | } 202 | ] 203 | Download -------------------------------------------------------------------------------- /tools/sample_findings/azure_security_center_2.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "/subscriptions/97e01fd4-3326-41f4-b9e3-3cfd6809e10f/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517538088322968242_7951468c-3909-4b52-a442-c1f4b92d5162", 3 | "name": "2517538088322968242_7951468c-3909-4b52-a442-c1f4b92d5162", 4 | "type": "Microsoft.Security/Locations/alerts", 5 | "properties": { 6 | "vendorName": "Microsoft", 7 | "alertDisplayName": "[SAMPLE ALERT] Unusual amount of data extracted from a storage account", 8 | "alertName": "SIMULATED_Storage.Blob_DataExfiltration.AmountOfDataAnomaly", 9 | "detectedTimeUtc": "2022-04-04T18:26:07.7031757Z", 10 | "description": "THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'.", 11 | "remediationSteps": "• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\r\n• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\r\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.", 12 | "actionTaken": "Undefined", 13 | "reportedSeverity": "High", 14 | "compromisedEntity": "Sample-Storage", 15 | "associatedResource": "/SUBSCRIPTIONS/97e01fd4-3326-41f4-b9e3-3cfd6809e10f/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Storage/storageAccounts/Sample-Storage", 16 | "subscriptionId": "97e01fd4-3326-41f4-b9e3-3cfd6809e10f", 17 | "instanceId": "7951468c-3909-4b52-a442-c1f4b92d5162", 18 | "extendedProperties": { 19 | "resourceType": "Storage", 20 | "investigation steps": "{\"displayValue\":\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information.\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2075734\"}", 21 | "potential causes": "This alert indicates that an unusually large amount of data has been extracted compared to recent activity on this Storage container.\r\nPotential causes:\r\n• An attacker has extracted a large amount of data from a Storage container (for example: data exfiltration/breach, unauthorized transfer of data).\r\n• A legitimate user or application has extracted an unusual amount of data from a Storage container (for example: maintenance activity).", 22 | "client IP address": "00.00.00.00", 23 | "client location": "Azure Data Center: East Us", 24 | "authentication type": "Anonymous", 25 | "operations types": "GetBlob", 26 | "service type": "Azure Blobs", 27 | "user agent": "dummyAgent", 28 | "container": "eicarTestStorageContainer", 29 | "extracted data": "140 MB", 30 | "test: Slice start time": "03/28/2022 18:26:07", 31 | "test: Pipeline name": "1.0.4656.1_storagetd-brs-a3", 32 | "extracted blobs": "500", 33 | "killChainIntent": "Exfiltration" 34 | }, 35 | "state": "Active", 36 | "reportedTimeUtc": "2022-04-04T18:26:47.1036441Z", 37 | "workspaceArmId": "/subscriptions/97e01fd4-3326-41f4-b9e3-3cfd6809e10f/resourcegroups/csnf/providers/microsoft.operationalinsights/workspaces/csnfsentinel", 38 | "confidenceReasons": [], 39 | "canBeInvestigated": true, 40 | "isIncident": false, 41 | "entities": [ 42 | { 43 | "$id": "centralus_1", 44 | "address": "00.00.00.00", 45 | "location": { 46 | "countryName": "United States", 47 | "city": "Washington" 48 | }, 49 | "type": "ip" 50 | } 51 | ] 52 | } 53 | } -------------------------------------------------------------------------------- /tools/sample_findings/falco_syscall.json: -------------------------------------------------------------------------------- 1 | { 2 | "hostname": "falco-hwgrc", 3 | "output": "18:52:56.237975447: Error File below a known binary directory opened for writing (user=root user_loginuid=-1 command=touch /bin/test-bin pid=12899 file=/bin/test-bin parent= pcmdline= gparent= container_id=2f83fe854c4f image=falcosecurity/falco-no-driver) k8s.ns=default k8s.pod=falco-hwgrc container=2f83fe854c4f", 4 | "priority": "Error", 5 | "rule": "Write below binary dir", 6 | "source": "syscall", 7 | "tags": [ 8 | "T1543", 9 | "container", 10 | "filesystem", 11 | "host", 12 | "mitre_persistence" 13 | ], 14 | "time": "2023-08-12T18:52:56.237975447Z", 15 | "output_fields": { 16 | "container.id": "2f83fe854c4f", 17 | "container.image.repository": "falcosecurity/falco-no-driver", 18 | "evt.time": 1691866376237975600, 19 | "fd.name": "/bin/test-bin", 20 | "k8s.ns.name": "default", 21 | "k8s.pod.name": "falco-hwgrc", 22 | "proc.aname[2]": null, 23 | "proc.cmdline": "touch /bin/test-bin", 24 | "proc.pcmdline": null, 25 | "proc.pid": 12899, 26 | "proc.pname": null, 27 | "user.loginuid": -1, 28 | "user.name": "root" 29 | } 30 | } 31 | { 32 | "hostname": "falco-hwgrc", 33 | "output": "18:55:15.804675853: Informational Privileged container started (user=65535:65535 user_loginuid=0 command=container:46e7bc35c7dd pid=-1 k8s.ns=default k8s.pod=dvldb-privileged-container-deployment-c878e6e7-5d5c966894-c7q5v container=46e7bc35c7dd image=registry.k8s.io/pause:3.9)", 34 | "priority": "Informational", 35 | "rule": "Launch Privileged Container", 36 | "source": "syscall", 37 | "tags": [ 38 | "T1610", 39 | "cis", 40 | "container", 41 | "mitre_lateral_movement", 42 | "mitre_privilege_escalation" 43 | ], 44 | "time": "2023-08-12T18:55:15.804675853Z", 45 | "output_fields": { 46 | "container.id": "46e7bc35c7dd", 47 | "container.image.repository": "registry.k8s.io/pause", 48 | "container.image.tag": "3.9", 49 | "evt.time": 1691866515804675800, 50 | "k8s.ns.name": "default", 51 | "k8s.pod.name": "dvldb-privileged-container-deployment-c878e6e7-5d5c966894-c7q5v", 52 | "proc.cmdline": "container:46e7bc35c7dd", 53 | "proc.pid": -1, 54 | "user.loginuid": 0, 55 | "user.name": "65535:65535" 56 | } 57 | } 58 | { 59 | "hostname": "falco-hwgrc", 60 | "output": "18:55:15.804675853: Informational Privileged container started (user=65535:65535 user_loginuid=0 command=container:c1a5f2097287 pid=-1 k8s.ns=default k8s.pod=dvldb-privileged-container-deployment-c878e6e7-5d5c966894-sb26b container=c1a5f2097287 image=registry.k8s.io/pause:3.9)", 61 | "priority": "Informational", 62 | "rule": "Launch Privileged Container", 63 | "source": "syscall", 64 | "tags": [ 65 | "T1610", 66 | "cis", 67 | "container", 68 | "mitre_lateral_movement", 69 | "mitre_privilege_escalation" 70 | ], 71 | "time": "2023-08-12T18:55:15.804675853Z", 72 | "output_fields": { 73 | "container.id": "c1a5f2097287", 74 | "container.image.repository": "registry.k8s.io/pause", 75 | "container.image.tag": "3.9", 76 | "evt.time": 1691866515804675800, 77 | "k8s.ns.name": "default", 78 | "k8s.pod.name": "dvldb-privileged-container-deployment-c878e6e7-5d5c966894-sb26b", 79 | "proc.cmdline": "container:c1a5f2097287", 80 | "proc.pid": -1, 81 | "user.loginuid": 0, 82 | "user.name": "65535:65535" 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /tools/sample_findings/microsoft_defender_center_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "/subscriptions/97e01fd4-3326-41f4-b9e3-3cfd6809e10f/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517538088722812591_ee939333-c75e-461d-83c2-712ba9abfadb", 3 | "name": "2517538088722812591_ee939333-c75e-461d-83c2-712ba9abfadb", 4 | "type": "Microsoft.Security/Locations/alerts", 5 | "properties": { 6 | "vendorName": "Microsoft", 7 | "alertDisplayName": "[SAMPLE ALERT] Suspected successful brute force attack", 8 | "alertName": "SIMULATED_SQL.VM_BruteForce", 9 | "detectedTimeUtc": "2022-04-04T18:25:27.7187408Z", 10 | "description": "THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource", 11 | "remediationSteps": "Go to the firewall settings in order to lock down the firewall as tightly as possible.", 12 | "actionTaken": "Undefined", 13 | "reportedSeverity": "Medium", 14 | "compromisedEntity": "Sample-VM", 15 | "associatedResource": "/SUBSCRIPTIONS/97e01fd4-3326-41f4-b9e3-3cfd6809e10f/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM", 16 | "subscriptionId": "97e01fd4-3326-41f4-b9e3-3cfd6809e10f", 17 | "instanceId": "ee939333-c75e-461d-83c2-712ba9abfadb", 18 | "extendedProperties": { 19 | "resourceType": "SQL Server 2019", 20 | "potential causes": "Brute force attack; penetration testing.", 21 | "client principal name": "Sample-account", 22 | "alert Id": "00000000-0000-0000-0000-000000000000", 23 | "client IP address": "00.00.00.00", 24 | "client IP location": "san antonio, united states", 25 | "client application": "Sample-app", 26 | "successful logins": "1", 27 | "oms workspace ID": "00000000-0000-0000-0000-000000000000", 28 | "failed logins": "0", 29 | "oms agent ID": "00000000-0000-0000-0000-000000000000", 30 | "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Brute Force\":\"https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2022-04-04T17%3a59%3a38&reportName=MSTI-TS-Brute-Force.pdf&tenantId=52aab34c-2534-4485-bf2f-b4e7e5c42e44&urlCreateDateTime=2022-04-04T17%3a59%3a38&token=ubgWSjyr0wFBBiPZyz2jJ5lmrPmwXy2jLxDNy7RVz7k=\"}}", 31 | "killChainIntent": "PreAttack" 32 | }, 33 | "state": "Active", 34 | "reportedTimeUtc": "2022-04-04T18:26:47.490371Z", 35 | "confidenceReasons": [], 36 | "canBeInvestigated": true, 37 | "isIncident": false, 38 | "entities": [ 39 | { 40 | "$id": "centralus_1", 41 | "hostName": "Sample-VM", 42 | "azureID": "/SUBSCRIPTIONS/97e01fd4-3326-41f4-b9e3-3cfd6809e10f/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM", 43 | "omsAgentID": "00000000-0000-0000-0000-000000000000", 44 | "type": "host" 45 | }, 46 | { 47 | "$id": "centralus_2", 48 | "address": "00.00.00.00", 49 | "location": { 50 | "countryCode": "sample", 51 | "countryName": "united states", 52 | "state": "texas", 53 | "city": "san antonio", 54 | "longitude": 0, 55 | "latitude": 0, 56 | "asn": 0, 57 | "carrier": "sample", 58 | "organization": "sample-organization", 59 | "organizationType": "sample-organization", 60 | "cloudProvider": "Azure", 61 | "systemService": "sample" 62 | }, 63 | "type": "ip" 64 | }, 65 | { 66 | "$id": "centralus_3", 67 | "sourceAddress": { 68 | "$ref": "centralus_2" 69 | }, 70 | "protocol": "Tcp", 71 | "type": "network-connection" 72 | }, 73 | { 74 | "$id": "centralus_4", 75 | "name": "Sample-SA", 76 | "host": { 77 | "$ref": "centralus_1" 78 | }, 79 | "type": "account" 80 | } 81 | ] 82 | } 83 | } -------------------------------------------------------------------------------- /tools/sample_findings/oci_cg_SUSPICIOUS_IP_ACTIVITY.json: -------------------------------------------------------------------------------- 1 | { 2 | "eventType" : "com.oraclecloud.cloudguard.problemdetected", 3 | "cloudEventsVersion" : "0.1", 4 | "eventTypeVersion" : "2.0", 5 | "source" : "CloudGuardResponderEngine", 6 | "eventTime" : "2022-04-06T20:15:02Z", 7 | "contentType" : "application/json", 8 | "data" : { 9 | "compartmentId" : "ocid1.tenancy.oc1..bbbbbbb4yalk3rotsz2d5enoxul4q5mldkbz562dcehkqjpdqe4apvlcxpq", 10 | "compartmentName" : "cgdemo", 11 | "resourceName" : "Suspicious Ip Activity", 12 | "resourceId" : "ocid1.cloudguardproblem.oc1.iad.amaaaaaatr7ig7cqnadrmkqba25ff64qysy7labyjvwxl5tcyjfzfoeetr4a", 13 | "additionalDetails" : { 14 | "tenantId" : "ocid1.tenancy.oc1..bbbbbbb4yalk3rotsz2d5enoxul4q5mldkbz562dcehkqjpdqe4apvlcxpq", 15 | "status" : "OPEN", 16 | "reason" : "Existing Problem updated by CloudGuard", 17 | "problemName" : "SUSPICIOUS_IP_ACTIVITY", 18 | "riskLevel" : "CRITICAL", 19 | "problemType" : "ACTIVITY", 20 | "resourceName" : "martian@mars.planet", 21 | "resourceId" : "ocid1.user.oc1..bbbbbbbaxqn3hcnoplysuobgwfrlu5urafipjglavxgi5sq4aqyx3c5emt4q", 22 | "resourceType" : "User", 23 | "targetId" : "ocid1.cloudguardtarget.oc1.iad.amaaaaaatr7ig7aasehmijwjd4e4m26qqeynndjjlis6tuphvogynqkfrj2a", 24 | "labels" : "CIS 3.0, Network", 25 | "firstDetected" : "2022-04-06T18:01:56.498Z", 26 | "lastDetected" : "2022-04-06T20:14:23.708Z", 27 | "region" : "us-ashburn-1", 28 | "impactedResourceName" : "10.18.4.40", 29 | "impactedResourceId" : "10.18.40.40", 30 | "impactedResourceType" : "Denylist", 31 | "problemAdditionalDetails" : { 32 | "Event Name" : "ListPreferences" 33 | }, 34 | "problemDescription" : "User logged in from a known list of malicious IP blocks which can be a potential threat.", 35 | "problemRecommendation" : "Ensure that the user is a genuinely logged in user and the credentials are not compromised. This can be done by enabling Multi Factor Authentication (MFA)." 36 | } 37 | }, 38 | "eventID" : "c271c602-70a9-43cd-85b7-ad3f4580eba4", 39 | "extensions" : { 40 | "compartmentId" : "ocid1.tenancy.oc1..bbbbbbb4yalk3rotsz2d5enoxul4q5mldkbz562dcehkqjpdqe4apvlcxpq" 41 | } 42 | } -------------------------------------------------------------------------------- /tools/sample_findings/oci_cg_VCN_Security_list.json: -------------------------------------------------------------------------------- 1 | { 2 | "eventType" : "com.oraclecloud.cloudguard.problemdetected", 3 | "cloudEventsVersion" : "0.1", 4 | "eventTypeVersion" : "2.0", 5 | "source" : "CloudGuardResponderEngine", 6 | "eventTime" : "2022-03-26T22:47:21Z", 7 | "contentType" : "application/json", 8 | "data" : { 9 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 10 | "compartmentName" : "NewCIS-network-cmp", 11 | "resourceName" : "VCN has no inbound Security List", 12 | "resourceId" : "ocid1.cloudguardproblem.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 13 | "additionalDetails" : { 14 | "tenantId" : "ocid1.tenancy.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 15 | "status" : "OPEN", 16 | "reason" : "New Problem detected by CloudGuard", 17 | "problemName" : "VCN_NO_INBOUND_SECURITY_LIST", 18 | "riskLevel" : "MEDIUM", 19 | "problemType" : "CONFIG_CHANGE", 20 | "resourceName" : "Default Security List for NewCIS-0-vcn", 21 | "resourceId" : "ocid1.securitylist.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 22 | "resourceType" : "VCN", 23 | "targetId" : "ocid1.cloudguardtarget.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 24 | "labels" : "Network", 25 | "firstDetected" : "2022-03-26T22:46:27.915Z", 26 | "lastDetected" : "2022-03-26T22:46:27.915Z", 27 | "region" : "us-ashburn-1", 28 | "problemAdditionalDetails" : { 29 | "vcnId" : "ocid1.vcn.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 30 | "vcnDisplayName" : "NewCIS-0-vcn" 31 | }, 32 | "problemDescription" : "Security lists provide stateful and stateless firewall capability to control network access to your instances. A security list is configured at the subnet level and enforced at the instance level. You can apply multiple security lists to a subnet where a network packet is allowed if it matches any rule in the security lists.", 33 | "problemRecommendation" : "Ensure that your OCI VCNs use security lists with ingress or inbound rules to only allow access from known resources." 34 | } 35 | }, 36 | "eventID" : "3ae09110-c5f8-4321-b6c8-79ecdfc3ba67", 37 | "extensions" : { 38 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e" 39 | } 40 | } -------------------------------------------------------------------------------- /tools/sample_findings/oci_cg_dhcp_option.json: -------------------------------------------------------------------------------- 1 | { 2 | "eventType" : "com.oraclecloud.cloudguard.problemdetected", 3 | "cloudEventsVersion" : "0.1", 4 | "eventTypeVersion" : "2.0", 5 | "source" : "CloudGuardResponderEngine", 6 | "eventTime" : "2022-04-18T17:56:44Z", 7 | "contentType" : "application/json", 8 | "data" : { 9 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 10 | "compartmentName" : "ONUG", 11 | "resourceName" : "VCN DHCP Option changed", 12 | "resourceId" : "ocid1.cloudguardproblem.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 13 | "additionalDetails" : { 14 | "tenantId" : "ocid1.tenancy.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 15 | "status" : "OPEN", 16 | "reason" : "New Problem detected by CloudGuard", 17 | "problemName" : "VCN_DHCP_OPTION_CHANGED", 18 | "riskLevel" : "MEDIUM", 19 | "problemType" : "ACTIVITY", 20 | "resourceName" : "alien@mars.planet", 21 | "resourceId" : "alien@mars.planet", 22 | "resourceType" : "User", 23 | "targetId" : "ocid1.cloudguardtarget.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 24 | "labels" : "CIS_OCI_V1.1_MONITORING, Network, CIS_OCI_V1.0_MONITORING", 25 | "firstDetected" : "2022-04-18T17:55:54.032Z", 26 | "lastDetected" : "2022-04-18T17:55:54.032Z", 27 | "region" : "us-ashburn-1", 28 | "impactedResourceName" : "Default DHCP Options for VCN4", 29 | "impactedResourceId" : "ocid1.dhcpoptions.oc1.iad.aaaaaaa", 30 | "impactedResourceType" : "DHCP", 31 | "problemDescription" : "DHCP options control certain types of configuration on the instances in a VCN. These include the specification of search domains and DNS resolvers, which can direct communications within VCNs across to Internet resources.", 32 | "problemRecommendation" : "Ensure that the change to DHCP and DNS information is permitted for this VCN and related resources." 33 | } 34 | }, 35 | "eventID" : "6367cd17-38e6-412d-936e", 36 | "extensions" : { 37 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e" 38 | } 39 | } -------------------------------------------------------------------------------- /tools/sample_findings/oci_cg_public_bucket.json: -------------------------------------------------------------------------------- 1 | { 2 | "eventType" : "com.oraclecloud.cloudguard.problemdetected", 3 | "cloudEventsVersion" : "0.1", 4 | "eventTypeVersion" : "2.0", 5 | "source" : "CloudGuardResponderEngine", 6 | "eventTime" : "2021-08-28T16:37:59Z", 7 | "contentType" : "application/json", 8 | "data" : { 9 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 10 | "compartmentName" : "Comp-Name", 11 | "resourceName" : "Bucket is public", 12 | "resourceId" : "ocid1.cloudguardproblem.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 13 | "additionalDetails" : { 14 | "tenantId" : "ocid1.tenancy.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 15 | "status" : "OPEN", 16 | "reason" : "New Problem detected by CloudGuard", 17 | "problemName" : "BUCKET_IS_PUBLIC", 18 | "riskLevel" : "CRITICAL", 19 | "problemType" : "CONFIG_CHANGE", 20 | "resourceName" : "Bucket", 21 | "resourceId" : "tenancy/Bucket", 22 | "resourceType" : "Bucket", 23 | "targetId" : "ocid1.cloudguardtarget.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 24 | "labels" : "CIS_OCI_V1.1_OBJECTSTORAGE, ObjectStorage", 25 | "firstDetected" : "2021-08-28T16:37:36.945Z", 26 | "lastDetected" : "2021-08-28T16:37:36.945Z", 27 | "region" : "us-phoenix-1", 28 | "problemDescription" : "Object Storage supports anonymous, unauthenticated access to a bucket. A public bucket that has read access enabled for anonymous users allows anyone to obtain object metadata, download bucket objects, and optionally list bucket contents.", 29 | "problemRecommendation" : "Ensure that the bucket is sanctioned for public access, and if not, direct the OCI administrator to restrict the bucket policy to allow only specific users access to the resources required to accomplish their job functions." 30 | } 31 | }, 32 | "eventID" : "1642b454-eeee-aaaa-aaa-783803f83134", 33 | "extensions" : { 34 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e" 35 | } 36 | } -------------------------------------------------------------------------------- /tools/sample_findings/oci_cg_vss.json: -------------------------------------------------------------------------------- 1 | { 2 | "eventType" : "com.oraclecloud.cloudguard.problemdetected", 3 | "cloudEventsVersion" : "0.1", 4 | "eventTypeVersion" : "2.0", 5 | "source" : "CloudGuardResponderEngine", 6 | "eventTime" : "2022-03-01T17:24:59Z", 7 | "contentType" : "application/json", 8 | "data" : { 9 | "compartmentId" : "ocid1.compartment.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 10 | "compartmentName" : "Comp-Name", 11 | "resourceName" : "Scanned host has vulnerabilities", 12 | "resourceId" : "ocid1.cloudguardproblem.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 13 | "additionalDetails" : { 14 | "tenantId" : "ocid1.tenancy.oc1..1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 15 | "status" : "OPEN", 16 | "reason" : "Existing Problem updated by CloudGuard", 17 | "problemName" : "SCANNED_HOST_VULNERABILITY", 18 | "riskLevel" : "High", 19 | "problemType" : "CONFIG_CHANGE", 20 | "resourceName" : "aDocker", 21 | "resourceId" : "ocid1.instance.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 22 | "resourceType" : "HostAgentScan", 23 | "targetId" : "ocid1.cloudguardtarget.oc1.iad.1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e1q2w3e", 24 | "labels" : "VSS", 25 | "firstDetected" : "2022-01-30T11:14:29.130Z", 26 | "lastDetected" : "2022-03-01T17:24:07.129Z", 27 | "region" : "us-ashburn-1", 28 | "problemAdditionalDetails" : { 29 | "Number of Low CVEs" : "2", 30 | "High CVEs" : "[CVE-2018-20796, CVE-2018-1000001, CVE-2020-1751, CVE-2017-1000366, CVE-2018-12886, CVE-2018-11237, CVE-2020-1752, CVE-2016-8637, CVE-2019-9192, CVE-2015-8982, CVE-2021-3326, CVE-2016-3706, CVE-2020-7014, CVE-2020-7013, CVE-2015-8983, CVE-2020-7012, CVE-2015-7547, CVE-2020-6096, CVE-2019-19246, CVE-2018-19591, CVE-2016-6323, CVE-2021-37322, CVE-2016-3075, CVE-2019-1010023, CVE-2019-6488, CVE-2019-15847, CVE-2021-38604, CVE-2016-5417, CVE-2018-10897, CVE-2016-1234, CVE-2015-5180, CVE-2020-7009, CVE-2019-16163, CVE-2009-5155]", 31 | "Scan Result Id" : "ocid1.vsshostscanresult.oc1..aaaaaaaa4bhyrwosapbnctty2xpftp6escxuxml3qppegofhjduzgre3nqiq", 32 | "Critical CVEs" : "[CVE-2021-45046, CVE-2019-9169, CVE-2022-23218, CVE-2015-8778, CVE-2015-8779, CVE-2022-23219, CVE-2018-6485, CVE-2017-15670, CVE-2021-35942, CVE-2019-1010022, CVE-2014-9984, CVE-2018-11236, CVE-2014-9761, CVE-2015-8776, CVE-2017-15804, CVE-2021-44228]", 33 | "Number of Critical CVEs" : "16", 34 | "Number of High CVEs" : "34", 35 | "Low CVEs" : "[CVE-2020-7020, CVE-2021-22136]" 36 | }, 37 | "problemDescription" : "Prerequisite: Create a Host Scan Recipe and a Host Scan Target in the Scanning service. The Scanning service scans compute hosts to identify known cybersecurity vulnerabilities related to applications, libraries, operating systems, and services. This detector triggers a problem when the Scanning service has reported that an instance has one or more CRITICAL (or lower severity, based on the Input Settings within the detector config) vulnerabilities.", 38 | "problemRecommendation" : "Patch the reported CVE's detected on host by performing actions recommended for each CVE." 39 | } 40 | } 41 | } --------------------------------------------------------------------------------