diff --git a/dashboards/community/stamus_networks-latest/metadata.yaml b/dashboards/community/stamus_networks-latest/metadata.yaml
new file mode 100644
index 0000000..c3b8029
--- /dev/null
+++ b/dashboards/community/stamus_networks-latest/metadata.yaml
@@ -0,0 +1,9 @@
+metadata_details:
+ data_dependencies: "Stamus Networks Clear NDR data"
+ required_fields: "dataSource.vendor"
+ description: "Overview Dashboard for Stamus Networks Clear NDR logs"
+ usecase_type: "Operational"
+ usecase_action: "Dashboard"
+ tags: dashboard, stamus, stamus networks, clear ndr, ndr, network
+ version: latest
+ author: Tom Martin
\ No newline at end of file
diff --git a/dashboards/community/stamus_networks-latest/stamus_networks_overview.conf b/dashboards/community/stamus_networks-latest/stamus_networks_overview.conf
new file mode 100644
index 0000000..a7375da
--- /dev/null
+++ b/dashboards/community/stamus_networks-latest/stamus_networks_overview.conf
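Review bot: The `tags` value in the dashboard metadata is a plain scalar, so a YAML loader hands the consumer the single string `dashboard, stamus, stamus networks, clear ndr, ndr, network` rather than a list; if the catalog tooling expects a sequence, write `tags: [dashboard, stamus, stamus networks, clear ndr, ndr, network]` or a block sequence. The same applies to `tags` in parsers/community/stamus_networks-latest/metadata.yaml later in this commit. Both files also end without a trailing newline and without a `---` document start, which most YAML linters flag. `version: latest` and `author: Tom Martin` are unambiguous as plain scalars and can stay unquoted.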
@@ -0,0 +1,212 @@
+{
+ graphs: [
+ {
+ description: "test",
+ graphStyle: "line",
+ title: "Clear NDR Threats Over Time",
+ layout: {
+ h: 14,
+ i: "0",
+ minH: 3,
+ minW: 6,
+ w: 40,
+ x: 0,
+ y: 0
+},
+ lineSmoothing: "straightLines",
+ breakdownFacet: "stamusThreat_name",
+ filter: "stamusThreat_name != \"null\"",
+ filter: "message contains 'threat_name' AND stamusThreat_name != \"null\"",
+ plotNulls: "gaps"
+ },
+ {
+ description: "pie chart top alerts",
+ graphStyle: "",
+ query: "dataSource.vendor='Stamus Networks' event_type='stamus' | group networks = array_agg_distinct(net_infoDest_agg) by stamusThreat_name",
+ title: "Threats By Network Name",
+ layout: {
+ h: 14,
+ i: "1",
+ minH: 3,
+ minW: 6,
+ w: 40,
+ x: 0,
+ y: 98
+}
+ },
+ {
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Stamus Networks' event_type='stamus' | group count() by stamusKill_chain",
+ title: "Kill Chain",
+ layout: {
+ h: 14,
+ i: "2",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 0,
+ y: 42
+},
+ dataLabelType: "PERCENTAGE"
+ },
+ {
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Stamus Networks' event_type='stamus' | group count() by stamusThreat_name",
+ title: "Clear NDR Threat Names",
+ layout: {
+ h: 14,
+ i: "3",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 20,
+ y: 14
+},
+ dataLabelType: "PERCENTAGE",
+ },
+ {
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Stamus Networks' event_type='stamus' | group count() by stamusFamily_name",
+ title: "Clear NDR Threat Families",
+ layout: {
+ h: 14,
+ i: "4",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 0,
+ y: 14
+},
+ dataLabelType: "PERCENTAGE",
+ },
+ {
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Stamus Networks' event_type='flow' | group count() by app_proto\n",
+ title: "Top 10 Network Protocols",
+ layout: {
+ h: 14,
+ i: "5",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 20,
+ y: 70
+},
+ dataLabelType: "PERCENTAGE",
+ },
+ {
+ graphStyle: "",
+ title: "Impacted Assets",
+ layout: {
+ h: 14,
+ i: "6",
+ minH: 3,
+ minW: 6,
+ w: 40,
+ x: 0,
+ y: 28
+},
+ query: "dataSource.vendor='Stamus Networks' event_type='stamus' and alertTargetIp != null| group Threats = array_agg_distinct(stamusThreat_name) by alertTargetIp"
+ ,
+ },
+ {
+ graphStyle: "pie",
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Stamus Networks' httpStatus >= 0 httpStatus <= 599 | group count() by httpStatus",
+ title: "HTTP Status",
+ layout: {
+ h: 14,
+ i: "7",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 0,
+ y: 112
+},
+ dataLabelType: "PERCENTAGE"
+ },
+ {
+ graphStyle: "pie",
+ query: "dataSource.vendor='Stamus Networks' event_type='http' | group count() by geoipRegistered_countryName",
+ title: "Country Name",
+ maxPieSlices: 10,
+ layout: {
+ h: 14,
+ i: "8",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 20,
+ y: 42
+},
+ dataLabelType: "PERCENTAGE"
+ ,
+ },
+ {
+ graphStyle: "pie",
+ query: "dataSource.vendor='Stamus Networks' event.type='stamus' | group count() by app_proto",
+ title: "Protocols used By Threats",
+ layout: {
+ h: 14,
+ i: "9",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 20,
+ y: 112
+},
+ maxPieSlices: 10,
+ dataLabelType: "PERCENTAGE",
+ },
+ {
+ graphStyle: "pie",
+ layout: {
+ h: 14,
+ i: "10",
+ minH: 3,
+ minW: 6,
+ w: 20,
+ x: 0,
+ y: 70
+},
+ maxPieSlices: 10,
+ query: "dataSource.vendor='Stamus Networks' event_type='http' | group count() by httpServer",
+ title: "HTTP Servers",
+ dataLabelType: "PERCENTAGE"
+ },
+ {
+ graphStyle: "",
+ layout: {
+ h: 14,
+ i: "11",
+ minH: 3,
+ minW: 6,
+ w: 40,
+ x: 0,
+ y: 56
+},
+ query: "dataSource.vendor='Stamus Networks' event_type='stamus'and alertMetadataStamus_type != '[dopv]'| group Threats = array_agg_distinct(stamusThreat_name) by timestamp, dst.ip.address, src.ip.address | columns timestamp, src.ip.address, dst.ip.address, Threats| sort +timestamp",
+ title: "Impacted Assets Timeline "
+ },
+ {
+ graphStyle: "",
+ layout: {
+ h: 14,
+ i: "12",
+ minH: 3,
+ minW: 6,
+ w: 40,
+ x: 0,
+ y: 84
+},
+ query: "dataSource.vendor='Stamus Networks' event_type='stamus'and alertMetadataStamus_type = '[dopv]'| group Threats = array_agg_distinct(stamusThreat_name) by timestamp, dst.ip.address, src.ip.address | columns timestamp, src.ip.address, dst.ip.address, Threats| sort +timestamp",
+ title: "Impacted Assets Timeline DoPV"
+ }
+ ],
+ description: "Clear NDR Network Data Overview",
+ options: {"layout":{"locked":0}}
+}
\ No newline at end of file
diff --git a/parsers/community/stamus_networks-latest/metadata.yaml b/parsers/community/stamus_networks-latest/metadata.yaml
new file mode 100644
index 0000000..1d8049d
--- /dev/null
+++ b/parsers/community/stamus_networks-latest/metadata.yaml
@@ -0,0 +1,11 @@
+metadata_details:
+ purpose: Parser for Stamus Networks Clear NDR logs
+ datasource_vendor: Stamus Networks
+ dataSource: Stamus Networks
+ format: JSON
+ ingestion_method: HEC
+ dependency_summary: Requires ingestion of the original Stamus Networks Clear NDR logs.
+ performance_impact: "Minimal"
+ tags: stamus, stamus networks, clear ndr, ndr, logs, parser
+ version: latest
+ author: Tom Martin
\ No newline at end of file
diff --git a/parsers/community/stamus_networks-latest/stamus-networks.conf b/parsers/community/stamus_networks-latest/stamus-networks.conf
new file mode 100644
index 0000000..5f14a14
--- /dev/null
+++ b/parsers/community/stamus_networks-latest/stamus-networks.conf
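Review bot: The first graph (`title: "Clear NDR Threats Over Time"`) declares `filter` twice; a JSON-style loader either rejects the duplicate key or silently keeps only the last value, so the line `filter: "stamusThreat_name != \"null\"",` is dead and should be removed (or the two conditions merged deliberately into one filter). The two "Impacted Assets Timeline" queries contain `event_type='stamus'and alertMetadataStamus_type` with no space before `and`, which is likely to be parsed as the literal value `'stamus'and` rather than a conjunction. "Protocols used By Threats" filters on `event.type='stamus'` while every other graph uses `event_type='stamus'`; the parser in this same commit rewrites `event_type` to `event.type`, so confirm which field name survives parsing and use it consistently, or the two spellings will show different data. `description: "test"` on the first graph also reads like a leftover placeholder.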
@@ -0,0 +1,395 @@
+{
+ attributes: {
+ "dataSource.category": "security",
+ "dataSource.name": "Clear NDR",
+ "dataSource.vendor": "Stamus Networks",
+ "class_name": "Network Activity",
+ "category_name": "Network Activity"
+ },
+ formats: [
+ {
+ id: "EverythingElse",
+ format: "${parse=json}$",
+ rewrites: [
+ {
+ input: "flowSrc_port",
+ output: "src.port.number",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "flowSrc_ip",
+ output: "src.ip.address",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "flowDest_port",
+ output: "dst.port.number",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "flowDest_ip",
+ output: "dst.ip.address",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "event_type",
+ output: "event.type",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "alertSignature",
+ output: "activity_name",
+ match: ".*",
+ replace: "$0"
+ }
+ ],
+ repeat: true
+ },
+ {
+ id:"flow",
+ format: ".*type\":\"flow",
+ rewrites: [
+ {
+ input: "src_port",
+ output: "src.port.number",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "src_ip",
+ output: "src.ip.address",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "dest_port",
+ output: "dst.port.number",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "dest_ip",
+ output: "dst.ip.address",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "event_type",
+ output: "event.type",
+ match: ".*",
+ replace: "$0"
+ }
+ ],
+ halt: true
+ },
+ {
+ id: "Alert",
+ format: ".*type\":\"alert",
+ halt: true,
+ rewrites: [
+ {
+ input: "flowSrc_port",
+ output: "src.port.number",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "flowSrc_ip",
+ output: "src.ip.address",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "flowDest_port",
+ output: "dst.port.number",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "flowDest_ip",
+ output: "dst.ip.address",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "event_type",
+ output: "event.type",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "alertSignature",
+ output: "activity_name",
+ match: ".*",
+ replace: "$0"
+ },
+ {
+ input: "alert.action",
+ output: "alert.action",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.category",
+ output: "alert.category",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.gid",
+ output: "alert.gid",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata",
+ output: "event.additional_info",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.affected_product",
+ output: "alert.product_name",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.attack_target",
+ output: "attack.target",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.created_at",
+ output: "alert.creation_time",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.cve",
+ output: "vulnerability.cve_id",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.deployment",
+ output: "event.deployment_environment",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.former_category",
+ output: "alert.category_previous",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.lateral_function",
+ output: "network.lateral_movement_function",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.lateral_key",
+ output: "network.lateral_movement_key",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.lateral_asset",
+ output: "asset.lateral_asset",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.malware_family",
+ output: "malware.family_name",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.mitre_tactic_id",
+ output: "attack.tactic_id",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.mitre_tactic_name",
+ output: "attack.tactic_name",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.mitre_technique_id",
+ output: "attack.technique_id",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.mitre_technique_name",
+ output: "attack.technique_name",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.nrd_asset",
+ output: "asset.nrd_asset",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.nrd_key",
+ output: "attack.nrd_key",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.nrd_period",
+ output: "attack.nrd_period",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.performance_impact",
+ output: "system.performance_impact",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.provider",
+ output: "event.provider",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.signature_severity",
+ output: "alert.severity",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.source",
+ output: "alert.source",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.stamus_classification",
+ output: "classification.label",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.tag",
+ output: "event.tag",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.metadata.updated_at",
+ output: "alert.last_update_time",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.rev",
+ output: "alert.revision_number",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.severity",
+ output: "alert.severity",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.signature",
+ output: "alert.signature",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "alert.signature_id",
+ output: "alert.signature_id",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "app_proto",
+ output: "network.application_protocol",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "app_proto_expected",
+ output: "network.expected_application_protocol",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "app_proto_orig",
+ output: "network.original_application_protocol",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "app_proto_tc",
+ output: "network.transported_protocol",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "dest_ip",
+ output: "network.destination.ip",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "dest_port",
+ output: "network.destination.port",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "metadata",
+ output: "event.metadata",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "metadata.flowbits",
+ output: "event.flowbits",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "packet",
+ output: "network.packet",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "packet_info",
+ output: "network.packet_info",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "packet_info.linktype",
+ output: "network.packet_info.linktype",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "payload",
+ output: "network.packet.payload",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "payload_printable",
+ output: "network.packet.payload_printable",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "pcap_cnt",
+ output: "network.pcap_count",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "pkt_src",
+ output: "network.packet.source",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "proto",
+ output: "network.protocol",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "src_ip",
+ output: "network.source.ip",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "src_port",
+ output: "network.source.port",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "stream",
+ output: "network.stream_id",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "vlan",
+ output: "network.vlan_id",
+ match: ".*",
+ replace: "$0"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
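Review bot: The `flow` and `Alert` formats are selected on the bare substring `type":"flow` / `type":"alert` (`format: ".*type\":\"flow"`), so any JSON key ending in `type` whose value starts with `flow` or `alert` would route an event into the wrong format and, because both carry `halt: true`, stop further processing; since the rewrites show the real key is `event_type`, tightening to `format: ".*\"event_type\":\"flow\""` (and the same for `alert`) removes that ambiguity, assuming the format-pattern semantics accept it. The same raw fields are normalised to different names depending on the format: `src_ip`/`dest_ip` become `src.ip.address`/`dst.ip.address` in `flow` but `network.source.ip`/`network.destination.ip` in `Alert`, so the dashboard queries in this commit that group by `src.ip.address`/`dst.ip.address` will not line up across event types. Within `Alert`, both `alert.metadata.signature_severity` and `alert.severity` write to `alert.severity`, so one silently overwrites the other, and the entries whose `input` equals their `output` (`alert.action`, `alert.category`, `alert.gid`, `alert.severity`, `alert.signature`, `alert.signature_id`) are no-ops that can be dropped. Finally, `payload`, `payload_printable` and `packet` carry raw packet bytes into indexed, searchable fields (`network.packet.payload` etc.); raw payloads commonly contain credentials or other sensitive content, so confirm that retaining them is intended and document the retention decision in a comment next to those rewrites.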