开源SOC实现（九）-多源数据处理

开源SOC实现（九）-多源数据处理
2023-1-24 10:0:29 Author: Kali渗透测试教程(查看原文) 阅读量:11 收藏

整个合集探索到这里发现一个关键问题，已经接入的多个数据源之间代表相同含义的字段名称不同，导致难以统一进行数据统计展示，自动化调查以及人工狩猎。需要在数据源接入Graylog后进行字段的统一调整，调整完之后存储对应的索引中。之前的文章简述了如何接入，如何分数据源存储不同索引，没有如何进行字段映射成同一字段的过程。结合日志可以看到同为Sysmon上报日志，对于Windows以及Linux的字段也存在差异。

先看Windows上Sysmon的日志字段名称(data_win_eventdata_destinationIp、data_win_eventdata_destinationPort、data_win_eventdata_sourceIp、data_win_eventdata_sourcePort)

再看Linux上Sysmon日志字段名称(data_eventdata_DestinationIp、data_eventdata_destinationPort、data_eventdata_sourceIp、message.data_eventdata_sourcePort)

本合辑系列没有讲如何在Linux上安装Sysmon，具体安装过程参考以下链接

https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.mdhttps://github.com/dotnet/core/issues/3752

安装完后通过root用户启动

sysmon -i -accepteula

对应的日志文件存放在/var/log/syslog路径

cat /var/log/syslog

默认的配置文件中并没有记录 Event ID 3 NetworkConnect Detected，需要更新配置文件

把以下内容放入Sysmonconfigforlinux.xml文件中，来源SysmonForLinux-CollectAll-Config.xml · GitHub

<Sysmon schemaversion="4.70">  <EventFiltering>    <!-- Event ID 1 == ProcessCreate. Log all newly created processes -->    <RuleGroup name="" groupRelation="or">      <ProcessCreate onmatch="exclude"/>    </RuleGroup>    <!-- Event ID 3 == NetworkConnect Detected. Log all network connections -->    <RuleGroup name="" groupRelation="or">      <NetworkConnect onmatch="exclude"/>    </RuleGroup>    <!-- Event ID 5 == ProcessTerminate. Log all processes terminated -->    <RuleGroup name="" groupRelation="or">      <ProcessTerminate onmatch="exclude"/>    </RuleGroup>    <!-- Event ID 9 == RawAccessRead. Log all raw access read -->    <RuleGroup name="" groupRelation="or">      <RawAccessRead onmatch="exclude"/>    </RuleGroup>    <!-- Event ID 10 == ProcessAccess. Log all open process operations -->    <RuleGroup name="" groupRelation="or">      <ProcessAccess onmatch="exclude"/>    </RuleGroup>    <!-- Event ID 11 == FileCreate. Log every file creation -->    <RuleGroup name="" groupRelation="or">      <FileCreate onmatch="exclude"/>    </RuleGroup>    <!--Event ID 23 == FileDelete. Log all files being deleted -->    <RuleGroup name="" groupRelation="or">      <FileDelete onmatch="exclude"/>    </RuleGroup>  </EventFiltering></Sysmon>

更新Sysmon配置文件

sysmon -c Sysmonconfigforlinux.xml

1.日志数据字段处理

登录Graylog控制台，点击System-Pipelines，点击Manage rules

点击Create Rule

创建一条关于Linux Sysmon字段映射的Rule，把Description字段设置为LINUX SYSMON EVENT 3，对应的Rule source规则如下所示，配置完点击Apply，再点击Save&Close

rule "LINUX SYSMON EVENT 3"when    $message.rule_group1 == "linux" AND $message.rule_group3 == "sysmon_event3"then    set_field("process_image", $message.data_eventdata_image);    set_field("process_id", $message.data_eventdata_processId);    set_field("protocol", $message.data_eventdata_protocol);    set_field("user_name", $message.data_eventdata_user);    set_field("dst_ip", $message.data_eventdata_DestinationIp);    set_field("dst_port", $message.data_eventdata_destinationPort);    set_field("src_ip", $message.data_eventdata_sourceIp);    set_field("src_port", $message.data_eventdata_sourcePort);end

同样创建关于Windows Sysmon字段映射的Rule，把Description字段设置为WINDOWS SYSMON EVENT 3，对应的Rule source唯一下所示，配置完点击Apply，再点击Save&Close

rule "WINDOWS SYSMON EVENT 3"when    $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event3"then    set_field("process_image", $message.data_win_eventdata_image);    set_field("process_id", $message.data_win_eventdata_processId);    set_field("protocol", $message.data_win_eventdata_protocol);    set_field("user_name", $message.data_win_eventdata_user);    set_field("dst_ip", $message.data_win_eventdata_destinationIp);    set_field("dst_port", $message.data_win_eventdata_destinationPort);    set_field("src_ip", $message.data_win_eventdata_sourceIp);    set_field("src_port", $message.data_win_eventdata_sourcePort);end

配置完成如下图所示

再对Sysmon的Linux日志创建一条自动调查的rule，点击Create Rule，把Description字段设置为GreyNoise Lookup on data_eventdata_destinationIp，对应的Rule source规则如下所示，配置完点击Apply，再点击Save&Close

rule "GreyNoise Lookup on data_eventdata_destinationIp"when    has_field("data_eventdata_destinationIp")then    let ldata = lookup(        lookup_table: "GreyNoise",        key: to_string($message.data_eventdata_destinationIp)    );    set_fields(        fields: ldata,        prefix: "GreyNoise_"        );end

点击Manage pipelines

点击GreyNoise后的Edit按钮

在页面中点击Add new stage

在弹出窗口勾选刚才创建的两条rule，点击Save

点击Stage 0后面的Edit按钮，勾选刚才创建的rule，如下图所示

配置完成如下图所示

查看新收到的Sysmon的Windows日志中已经带有刚才映射的相关字段，如下图所示

Sysmon的Linux日志中同样有对应字段，如下图所示

完成多源数据的字段映射之后，可以对开源SOC实现（六）-Grafana Dashboard中实现的面板进行修改，如面板一：Network Connection中对应的字段可更改成如下图所示

欢迎订阅收看开源SOC实现（十）-SIEM Rule&SIGMA

参考链接：

https://gist.github.com/Cyb3rWard0g/bcf1514cc340197f0076bf1da8954077https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/automating-the-deployment-of-sysmon-for-linux-and-azure-sentinel/ba-p/2847054

文章来源: http://mp.weixin.qq.com/s?__biz=MzI3NDYwMzI4Mg==&mid=2247486173&idx=1&sn=5f004bbd33ad5b47c843067a8c840f3e&chksm=eb10c6a0dc674fb64c6b209f72e49f872145e23cf9161315f5668df30d66f237ef8225e3ff60#rd
如有侵权请联系:admin#unsafe.sh