add LogThreat event message for misc log events
syncpark committed Dec 11, 2023

1 parent 5a8eece commit 96f024b
Showing 5 changed files with 85 additions and 9 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -9,8 +9,9 @@ Versioning](https://semver.org/spec/v2.0.0.html).

### Added

- Add new `WindowsThreat` event message for Windows Sysmon events.
- Add new `WindowsThreat` event message for Windows sysmon events.
- Add new `NetworkThreat` event message for network events.
- Add new `LogThreat` event message for misc log events.
- Added `ranked_outlier_stream` Graphql API to fetch `RankedOutlier` periodically.
- Gets the id of the currently stored `Model`.
- Generate a `RankedOutlier` iterator corresponding to the prefix of the
23 changes: 16 additions & 7 deletions src/graphql/event.rs
@@ -6,6 +6,7 @@ mod group;
mod http;
mod kerberos;
mod ldap;
mod log;
mod mqtt;
mod network;
mod nfs;
@@ -24,10 +25,10 @@ use self::{
dns::DnsCovertChannel, ftp::BlockListFtp, ftp::FtpBruteForce, ftp::FtpPlainText,
http::BlockListHttp, http::DomainGenerationAlgorithm, http::HttpThreat, http::NonBrowser,
http::RepeatedHttpSessions, http::TorConnection, kerberos::BlockListKerberos,
ldap::BlockListLdap, ldap::LdapBruteForce, ldap::LdapPlainText, mqtt::BlockListMqtt,
network::NetworkThreat, nfs::BlockListNfs, ntlm::BlockListNtlm, rdp::BlockListRdp,
rdp::RdpBruteForce, smb::BlockListSmb, smtp::BlockListSmtp, ssh::BlockListSsh,
sysmon::WindowsThreat, tls::BlockListTls,
ldap::BlockListLdap, ldap::LdapBruteForce, ldap::LdapPlainText, log::LogThreat,
mqtt::BlockListMqtt, network::NetworkThreat, nfs::BlockListNfs, ntlm::BlockListNtlm,
rdp::BlockListRdp, rdp::RdpBruteForce, smb::BlockListSmb, smtp::BlockListSmtp,
ssh::BlockListSsh, sysmon::WindowsThreat, tls::BlockListTls,
};
use super::{
customer::{Customer, HostNetworkGroupInput},
@@ -154,6 +155,7 @@ async fn fetch_events(
let mut block_list_tls_time = start_time;
let mut windows_threat_time = start_time;
let mut network_threat_time = start_time;
let mut misc_log_threat_time = start_time;

loop {
itv.tick().await;
@@ -190,7 +192,8 @@ async fn fetch_events(
.min(block_list_ssh_time)
.min(block_list_tls_time)
.min(windows_threat_time)
.min(network_threat_time);
.min(network_threat_time)
.min(misc_log_threat_time);

// Fetch event iterator based on time
let start = i128::from(start) << 64;
@@ -399,8 +402,12 @@ async fn fetch_events(
network_threat_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}

EventKind::Log => continue,
EventKind::LogThreat => {
if event_time >= network_threat_time {
tx.unbounded_send(value.into())?;
misc_log_threat_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
}
}
}
@@ -600,6 +607,7 @@ enum Event {
WindowsThreat(WindowsThreat),

NetworkThreat(NetworkThreat),
LogThreat(LogThreat),
}

impl From<database::Event> for Event {
@@ -645,6 +653,7 @@ impl From<database::Event> for Event {
},
database::Event::WindowsThreat(event) => Event::WindowsThreat(event.into()),
database::Event::NetworkThreat(event) => Event::NetworkThreat(event.into()),
database::Event::LogThreat(event) => Event::LogThreat(event.into()),
}
}
}
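Review bot: The new `EventKind::LogThreat` arm gates on the wrong watermark: it tests `if event_time >= network_threat_time {` but then advances `misc_log_threat_time`, so whether a LogThreat event is forwarded depends on the last NetworkThreat seen rather than on the LogThreat stream itself, and LogThreat events older than the network watermark are silently skipped while newer ones may be re-sent on later ticks. The condition should read `if event_time >= misc_log_threat_time {`, matching the pattern of the `NetworkThreat` arm directly above it. fetch_events starts and ends outside the hunk. In the `Event` enum hunk, existing variants are separated by a blank line (`WindowsThreat(WindowsThreat),` then `NetworkThreat(NetworkThreat),`), but `LogThreat(LogThreat),` is appended without one, which reads as unintended.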
65 changes: 65 additions & 0 deletions src/graphql/event/log.rs
@@ -0,0 +1,65 @@
use super::TriageScore;
use async_graphql::Object;
use chrono::{DateTime, Utc};
use review_database as database;

#[allow(clippy::module_name_repetitions)]
pub(super) struct LogThreat {
inner: database::LogThreat,
}

#[Object]
impl LogThreat {
async fn time(&self) -> DateTime<Utc> {
self.inner.time
}

async fn source(&self) -> &str {
&self.inner.source
}

async fn service(&self) -> &str {
&self.inner.service
}

async fn content(&self) -> &str {
&self.inner.content
}

async fn db_name(&self) -> &str {
&self.inner.db_name
}

async fn rule_id(&self) -> u32 {
self.inner.rule_id
}

async fn matched_to(&self) -> &str {
&self.inner.matched_to
}

async fn cluster_id(&self) -> usize {
self.inner.cluster_id
}

async fn attack_kind(&self) -> &str {
&self.inner.attack_kind
}

async fn confidence(&self) -> f32 {
self.inner.confidence
}

async fn triage_scores(&self) -> Option<Vec<TriageScore>> {
self.inner
.triage_scores
.as_ref()
.map(|scores| scores.iter().map(Into::into).collect::<Vec<TriageScore>>())
}
}

impl From<database::LogThreat> for LogThreat {
fn from(inner: database::LogThreat) -> Self {
Self { inner }
}
}
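Review bot: `LogThreat` and its resolvers carry no doc comments, and async-graphql emits `///` comments as the schema descriptions, so the generated GraphQL type and all of its fields will show up undocumented. A struct-level line such as `/// Threat detected in a miscellaneous log event; wraps the stored `database::LogThreat`.` plus a one-line comment per resolver would do; `content` in particular returns `inner.content` verbatim, which API consumers deciding what to display or redact should be told. In `triage_scores` the turbofish on `collect::<Vec<TriageScore>>()` is redundant given the declared return type; `.map(|scores| scores.iter().map(Into::into).collect())` is enough. The `#[allow(clippy::module_name_repetitions)]` on the struct also gives no reason for silencing the lint.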
2 changes: 1 addition & 1 deletion src/graphql/event/network.rs
@@ -12,7 +12,7 @@ pub(super) struct NetworkThreat {
#[Object]
impl NetworkThreat {
async fn time(&self) -> DateTime<Utc> {
self.inner.timestamp
self.inner.time
}

async fn source(&self) -> &str {
1 change: 1 addition & 0 deletions src/graphql/semi_model.rs
@@ -117,6 +117,7 @@ struct SemiModel {
}

#[derive(SimpleObject, Serialize)]
#[allow(clippy::module_name_repetitions)]
pub struct SemiModelInfo {
model_type: i32,
model_name: String,
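Review bot: The added `#[allow(clippy::module_name_repetitions)]` silences the lint without stating why. Because `derive(SimpleObject)` exposes the struct name as the GraphQL type name, a one-line justification such as `// The repeated module name is the public GraphQL type name and is kept on purpose.` keeps the allow from looking like an oversight; the same unexplained allow is added on `LogThreat` in src/graphql/event/log.rs. The `SemiModelInfo` struct body continues past the end of the hunk.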
