Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
235 lines (189 sloc) 8.55 KB
##############################
# GENERAL
##############################
[general]
# Elasticsearch parameters
es_url=http://escoordinator:9200
es_index_pattern=logstash-eagleeye-*
es_scan_size=10000
es_scroll_time=25m
es_timeout=300
# The field name representing the event timestamp in Elasticsearch
timestamp_field=timestamp
# Save outlier detection results to Elasticsearch (if set to 0, Elasticsearch events won't be touched - great for testing)
es_save_results=1
# Print outlier matches to the console. For testing purposes, it's advised to enable this so that the analyst can directly see on the command line which outliers are detected
print_outliers_to_console=0
# How far back should we process events and look for outliers?
# Both values are combined (for example the below will look back 7 days and 12 hours, up until right now).
history_window_days=7
history_window_hours=12
# Wipe all existing outliers that fall in the history window upon first run
es_wipe_all_existing_outliers=0
# How often should existing outliers be checked for a match against the configuration whitelist, and should outlier fields be removed again from matched documents
housekeeping_interval_seconds=60
es_wipe_all_whitelisted_outliers=1
# General flags to run, test or train models
# Training is only used by the Machine Learning models (word2vec)
run_models=1
test_models=0
train_models=0
# 0 for no progress info, 1-4 for progressively more output, 5+ for all the log output
log_verbosity=1
# CRITICAL ERROR WARNING INFO DEBUG
log_level=INFO
log_file=/mappedvolumes/logs/outliers.log
##############################
# ASSET FIELDS
##############################
[assets]
meta.logged_in_users=user
meta.hostname=host
##############################
# NOTIFIER
##############################
[notifier]
email_notifier=0
notification_email=user@user.be
smtp_user=<USERNAME>
smtp_pass=<PASSWORD>
smtp_server=<SMTP SERVER>
smtp_port=465
##############################
# DAEMON
##############################
[daemon]
# Only used when running ee-outliers in daemon mode. Below schedule will run each day at 00:00.
schedule=0 0 * * *
##############################
# BEACONING PARAMETERS
##############################
[beaconing]
# Define how many events should be processed at the same time, before looking for outlies.
# More often means better results, but will result in increased memory usage.
beaconing_batch_eval_size=1000000
##############################
# TERMS PARAMETERS
##############################
[terms]
# Define how many events should be processed at the same time, before looking for outlies.
# More often means better results, but will result in increased memory usage.
terms_batch_eval_size=100000
##############################
# METRICS PARAMETERS
##############################
[metrics]
# Define how many events should be processed at the same time, before looking for outlies.
# More often means better results, but will result in increased memory usage.
metrics_batch_eval_size=100000
##############################
# MACHINE LEARNING PARAMETERS
##############################
[machine_learning]
# Defaults to 0, so all logs are shown. Set TF_CPP_MIN_LOG_LEVEL to 1 to filter out INFO logs, 2 to additionall filter out WARNING, 3 to additionally filter out ERROR.
tensorflow_log_level=2
word2vec_batch_eval_size=1000
word2vec_use_cache=1
word2vec_use_test_data=0
training_data_size_pct=100
training_steps=100000
models_directory=/tmp/ee-outliers/trained_models/
##############################
# DERIVED FIELDS
##############################
[derivedfields]
# These fields will be extracted from all processed events, and added as new fields in case an outlier event is found.
# The format for the new field will be: outlier.<field_name>, for example: outliers.initials
# The format to use is GROK. These fields are extracted BEFORE the analysis happens, which means that these fields can also be used as for example aggregators or targets in use cases.
timestamp=%{YEAR:timestamp_year}-%{MONTHNUM:timestamp_month}-%{MONTHDAY:timestamp_day}[T ]%{HOUR:timestamp_hour}:?%{MINUTE:timestamp_minute}(?::?%{SECOND:timestamp_second})?%{ISO8601_TIMEZONE:timestamp_timezone}?
######################################################################################################################################################
# BEACONING USE CASE MODEL - EXAMPLES
######################################################################################################################################################
##############################
# BEACONING - DETECT OUTBOUND SSL BEACONING - TLS
##############################
[beaconing_ssl_outbound]
es_query_filter=BroFilter.event_type:"ssl.log" AND _exists_:BroFilter.server_name
aggregator=BroFilter.server_name,BroFilter.id_orig_h,timestamp_day
target=timestamp_hour
trigger_sensitivity=1
outlier_type=suspicious connection
outlier_reason=beaconing TLS connection
outlier_summary=beaconing TLS connection to {BroFilter.server_name}
run_model=1
test_model=0
######################################################################################################################################################
# SIMPLEQUERY USE CASE MODEL - EXAMPLES
######################################################################################################################################################
##############################
# SIMPLEQUERY - POWERSHELL EXECUTION IN HIDDEN WINDOW
##############################
[simplequery_powershell_execution_hidden_window]
es_query_filter=tags:endpoint AND "powershell.exe" AND (OsqueryFilter.cmdline:"-W hidden" OR OsqueryFilter.cmdline:"-WindowStyle Hidden")
outlier_type=powershell
outlier_reason=powershell execution in hidden window
outlier_summary=powershell execution in hidden window
run_model=1
test_model=0
######################################################################################################################################################
# TERMS USE CASE MODEL - EXAMPLES
######################################################################################################################################################
##############################
# TERMS - BRUTE FORCE FIELDS TO LOOK FOR GENERIC ANOMALIES - ENDPOINT LOGS
##############################
[terms_brute_force_anomalies_nginx]
es_query_filter=tags:endpoint
aggregator=slave_name
target=*
target_count_method=within_aggregator
trigger_on=low
trigger_method=mad
trigger_sensitivity=3
outlier_type=hunting
outlier_reason=anomaly discovery
outlier_summary=anomaly for field {brute_forced_field}
run_model=0
test_model=0
##############################
# TERMS - RARE PROCESSES WITH OUTBOUND CONNECTIVITY
##############################
[terms_rarely_seen_outbound_connections]
es_query_filter=tags:endpoint AND meta.command.name:"get_outbound_conns" AND -OsqueryFilter.remote_port.raw:0 AND -OsqueryFilter.remote_address.raw:127.0.0.1 AND -OsqueryFilter.remote_address.raw:"::1"
aggregator=OsqueryFilter.name
target=meta.hostname
target_count_method=across_aggregators
trigger_on=low
trigger_method=pct_of_max_value
trigger_sensitivity=5
outlier_type=outbound connection
outlier_reason=rare outbound connection
outlier_summary=rare outbound connection: {OsqueryFilter.name}
run_model=1
test_model=0
######################################################################################################################################################
# METRICS USE CASE MODEL - EXAMPLES
######################################################################################################################################################
##############################
# METRICS - BASE64 ENCODED COMMAND LINE ARGUMENTS
##############################
[metrics_base64_encoded_cmdline]
es_query_filter=tags:endpoint AND _exists_:OsqueryFilter.cmdline
aggregator=OsqueryFilter.name
target=OsqueryFilter.cmdline
metric=base64_encoded_length
trigger_on=high
trigger_method=mad
trigger_sensitivity=3
outlier_type=encoded commands
outlier_reason=base64 encoded command line arguments
outlier_summary=base64 encoded command line arguments for process {OsqueryFilter.name}
run_model=1
test_model=0
######################################################################################################################################################
# WHITELISTS
######################################################################################################################################################
[whitelist_literals]
slack_connection=rare outbound connection: Slack.exe
[whitelist_regexps]
scheduled_task_user_specific_2=^.*rare scheduled task:.*-.*-.*-.*-.*$
autorun_user_specific=^.*rare autorun:.*-.*-.*-.*-.*$