-
Notifications
You must be signed in to change notification settings - Fork 10
/
cef.toml.example
109 lines (101 loc) · 7 KB
/
cef.toml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
[general]
backup_dir = "/Users/avanbrunt/Desktop/backdir"
output_format = "template"
output_type = "tcp+tls"
tcp_out = "0.0.0.0:8888"
[tls]
ca_cert = "/etc/integrations/ca.pem"
cert = "/etc/integrations/cert.pem"
key = "/etc/integrations/cert.key"
tls_verify = true
[alerts_template]
template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|{{reason_code}}|{{reason}}|{{severity}}|{{extension}}"
type_field = "type"
time_format = "%b %d %Y %H:%m:%S"
time_fields = ["backend_timestamp", "first_event_timestamp"]
[alerts_template.extension]
default = """\
cat={{type}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}\
\tact={{sensor_action}}\texternalId={{id}}\trt={{backend_timestamp}}\tstart={{first_event_timestamp}}\
\toutcome={{run_state}}\tdeviceProcessId={{process_pid}}\tdeviceProcessName={{process_name}}\
\tfileHash={{process_sha256}}\tdeviceExternalId={{device_id}}\tdvc={{device_internal_ip}}\
\tduser={{device_username}}\tcs2={{alert_url}}\tcs2Label=Link\tcs3={{device_name}}\
\tcs3Label=Device_Name\tcs4={{process_effective_reputation}}\tcs4Label=Process_Effective_Reputation\
\tcs5={{parent_name}}\tcs5Label=Parent_Name\tcs6={{parent_sha256}}\tcs6Label=Parent_Hash\
\tc6a1={{device_external_ip}}\tc6a1Label=External_Device_Address"""
CB_ANALYTICS = """\
cat={{type}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}\
\tact={{sensor_action}}\texternalId={{id}}\trt={{backend_timestamp}}\tstart={{first_event_timestamp}}\
\toutcome={{run_state}}\tdeviceProcessId={{process_pid}}\tdeviceProcessName={{process_name}}\
\tfileHash={{process_sha256}}\tdeviceExternalId={{device_id}}\tdvc={{device_internal_ip}}\
\tduser={{device_username}}\tcs1={{threat_id}}\tcs1Label=Threat_ID\tcs2={{alert_url}}\tcs2Label=Link\
\tcs3={{device_name}}\tcs3Label=Device_Name\tcs4={{process_effective_reputation}}\
\tcs4Label=Process_Effective_Reputation\tcs5={{parent_name}}\tcs5Label=Parent_Name\
\tcs6={{parent_sha256}}\tcs6Label=Parent_Hash\tc6a1={{device_external_ip}}\
\tc6a1Label=External_Device_Address"""
CONTAINER_RUNTIME = """\
cat={{type}}\tact={{sensor_action}}\texternalId={{id}}\trt={{backend_timestamp}}\
\tstart={{first_event_timestamp}}\toutcome={{run_state}}\tdeviceExternalId={{replica_id}}\
\tdestinationTranslatedPort={{netconn_remote_port}}\tsourceTranslatedPort={{netconn_local_port}}\
\tapplicationProtocol={{netconn_protocol}}\tdestinationDnsDomain={{netconn_remote_domain}}\
\tdestinationTranslatedAddress={{netconn_remote_ip}}\tsourceTranslatedAddress={{netconn_local_ip}}\
\tcs1={{threat_id}}\tcs1Label=Threat_ID\tcs2={{alert_url}}\tcs2Label=Link\tcs3={{cluster}}\
\tcs3Label=Cluster\tcs4={{namespace}}\tcs4Label=Namespace\tcs5={{workload_kind}}\
\tcs5Label=Workload_Kind\tcs6={{remote_replica_id}}\tcs6Label=Remote_Replica_id"""
DEVICE_CONTROL = """\
cat={{type}}\tact={{sensor_action}}\texternalId={{id}}\trt={{backend_timestamp}}\
\tstart={{first_event_timestamp}}\toutcome={{run_state}}\tdeviceExternalId={{device_id}}\
\tdvc={{device_internal_ip}}\tduser={{device_username}}\tcs1={{threat_id}}\tcs1Label=Threat_ID\
\tcs2={{alert_url}}\tcs2Label=Link\tcs3={{device_name}}\tcs3Label=Device_Name\tcs4={{vendor_id}}\
\tcs4Label=Vendor_ID\tcs5={{product_id}}\tcs5Label=Product_ID\tcs6={{serial_number}}\
\tcs6Label=Serial_Number\tc6a1={{device_external_ip}}\tc6a1Label=External_Device_Address"""
HOST_BASED_FIREWALL = """\
cat={{type}}\tact={{sensor_action}}\texternalId={{id}}\trt={{backend_timestamp}}\
\tstart={{first_event_timestamp}}\toutcome={{run_state}}\tdeviceProcessId={{process_pid}}\
\tdeviceProcessName={{process_name}}\tfileHash={{process_sha256}}\tdeviceExternalId={{device_id}}\
\tdvc={{device_internal_ip}}\tduser={{device_username}}\tdestinationTranslatedPort={{netconn_remote_port}}\
\tsourceTranslatedPort={{netconn_local_port}}\tapplicationProtocol={{netconn_protocol}}\
\tdestinationDnsDomain={{netconn_remote_domain}}\tdestinationTranslatedAddress={{netconn_remote_ip}}\
\tsourceTranslatedAddress={{netconn_local_ip}}\tcs1={{threat_id}}\tcs1Label=Threat_ID\tcs2={{alert_url}}\
\tcs2Label=Link\tcs3={{device_name}}\tcs3Label=Device_Name\tcs4={{process_effective_reputation}}\
\tcs4Label=Process_Effective_Reputation\tcs5={{parent_name}}\tcs5Label=Parent_Name\tcs6={{parent_sha256}}\
\tcs6Label=Parent_Hash\tc6a1={{device_external_ip}}\tc6a1Label=External_Device_Address"""
INTRUSION_DETECTION_SYSTEM = """\
cat={{type}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}\
\tact={{sensor_action}}\texternalId={{id}}\trt={{backend_timestamp}}\tstart={{first_event_timestamp}}\
\toutcome={{run_state}}\tdeviceProcessId={{process_pid}}\tdeviceProcessName={{process_name}}\
\tfileHash={{process_sha256}}\tdeviceExternalId={{device_id}}\tdvc={{device_internal_ip}}\
\tduser={{device_username}}\tdestinationTranslatedPort={{netconn_remote_port}}\
\tsourceTranslatedPort={{netconn_local_port}}\tapplicationProtocol={{netconn_protocol}}\
\tdestinationDnsDomain={{netconn_remote_domain}}\tdestinationTranslatedAddress={{netconn_remote_ip}}\
\tsourceTranslatedAddress={{netconn_local_ip}}\tcs1={{threat_id}}\tcs1Label=Threat_ID\
\tcs2={{alert_url}}\tcs2Label=Link\tcs3={{device_name}}\tcs3Label=Device_Name\
\tcs4={{process_effective_reputation}}\tcs4Label=Process_Effective_Reputation\
\tcs5={{parent_name}}\tcs5Label=Parent_Name\tcs6={{parent_sha256}}\tcs6Label=Parent_Hash\
\tc6a1={{device_external_ip}}\tc6a1Label=External_Device_Address"""
WATCHLIST = """\
cat={{type}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}\
\tact={{sensor_action}}\texternalId={{id}}\trt={{backend_timestamp}}\tstart={{first_event_timestamp}}\
\toutcome={{run_state}}\tdeviceProcessId={{process_pid}}\tdeviceProcessName={{process_name}}\
\tfileHash={{process_sha256}}\tdeviceExternalId={{device_id}}\tdvc={{device_internal_ip}}\
\tduser={{device_username}}\tcs1={{threat_id}}\tcs1Label=Threat_ID\tcs2={{alert_url}}\
\tcs2Label=Link\tcs3={{device_name}}\tcs3Label=Device_Name\tcs4={{process_effective_reputation}}\
\tcs4Label=Process_Effective_Reputation\tcs5={{parent_name}}\tcs5Label=Parent_Name\
\tcs6={{parent_sha256}}\tcs6Label=Parent_Hash\tc6a1={{device_external_ip}}\
\tc6a1Label=External_Device_Address"""
[audit_logs_template]
template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|Audit Logs|{{description}}|1|{{extension}}"
type_field = ""
time_format = "%b %d %Y %H:%m:%S"
time_fields = ["eventTime"]
[audit_logs_template.extension]
default = "rt={{eventTime}}\tdvchost={{orgName}}\tduser={{loginName}}\tdvc={{clientIp}}\tcs4Label=Event_ID\tcs4={{eventId}}"
[Prod02ORG]
custom_api_id = "RANDOM_ID"
custom_api_key = "RANDOM_SECRET"
org_key = "SOME_ORG"
server_url = "defense.conferdeploy.net"
alerts_enabled = true
audit_logs_enabled = true
[[Prod02ORG.alert_rules]]
minimum_severity = 1