No idea whether it's a bug yet, I just need a 2nd set of eyes :)

This is my event as indexed in ES (Obviously some parts have been obfuscated):

{
  "_index": "cloudtrail_index_2017.10.04.19",
  "_type": "cloudtrail_doc",
  "_id": "95617686-bd39-46ff-b5c0-db3aeb5b6bab",
  "_score": null,
  "_timestamp": 1507143907108,
  "_source": {
    "eventID": "9e3d5468-2d97-4b9a-9821-5c61fec8c158",
    "additionalEventData:MFAUsed": "No",
    "adapter:stellaradapter:end:ts": "1507143907145",
    "threatinteljoinbolt:joiner:ts": "1507143907153",
    "eventVersion": "1.05",
"threat:triage:rules:0:comment": "Checks whether the field is_work is true or false.",
    "sourceIPAddress": "208.110.73.106",
    "eventSource": "signin.amazonaws.com",
    "enrichmentsplitterbolt:splitter:begin:ts": "1507143907143",
    "enrichmentjoinbolt:joiner:ts": "1507143907147",
    "additionalEventData:MobileVersion": "No",
    "threat:triage:rules:0:name": "Not WORK",
    "source:type": "cloudtrail",
"original_string": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDAI5ITCMVR3BQV5DUFW\",\"arn\":\"arn:aws:iam::<ACCOUNTID>:user/<EMAIL>\",\"accountId\":\"<ACCOUNTID>\",\"userName\":\"<EMAIL>\"},\"eventTime\":\"2017-10-04T18:57:31Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"208.110.73.106\",\"userAgent\":\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"LoginTo\":\"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\",\"MobileVersion\":\"No\",\"MFAUsed\":\"No\"},\"eventID\":\"9e3d5468-2d97-4b9a-9821-5c61fec8c158\",\"eventType\":\"AwsConsoleSignIn\",\"recipientAccountId\":\";<ACCOUNTID>\"}",
    "eventTime": "2017-10-04T18:57:31Z",
    "eventName": "ConsoleLogin",
    "recipientAccountId": "<ACCOUNTID>",
    "userIdentity:principalId": "AIDAI5ITCMVR3BQV5DUFW",
    "threatintelsplitterbolt:splitter:end:ts": "1507143907148",
    "threat:triage:rules:0:score": 20,
    "timestamp": 1507143907108,
"threat:triage:rules:0:reason": "208.110.73.106 is not an WORK network!",
    "awsRegion": "us-east-1",
    "is_work": false,
    "userIdentity:userName": "<EMAIL>",
    "enrichmentsplitterbolt:splitter:end:ts": "1507143907143",
    "threat:triage:score": 20,
    "is_alert": "true",
"userAgent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0",
    "adapter:stellaradapter:begin:ts": "1507143907145",
    "eventType": "AwsConsoleSignIn",
    "userIdentity:arn": "arn:aws:iam::<ACCOUNTID>:user/<EMAIL>",
    "userIdentity:accountId": "<ACCOUNTID>",
    "userIdentity:type": "IAMUser",
    "threatintelsplitterbolt:splitter:begin:ts": "1507143907148",
    "guid": "95617686-bd39-46ff-b5c0-db3aeb5b6bab",
    "additionalEventData:LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
    "responseElements:ConsoleLogin": "Success"
  },
  "fields": {
    "adapter:stellaradapter:end:ts": [
      1507143907145
    ],
    "threatinteljoinbolt:joiner:ts": [
      1507143907153
    ],
    "enrichmentsplitterbolt:splitter:end:ts": [
      1507143907143
    ],
    "enrichmentsplitterbolt:splitter:begin:ts": [
      1507143907143
    ],
    "enrichmentjoinbolt:joiner:ts": [
      1507143907147
    ],
    "adapter:stellaradapter:begin:ts": [
      1507143907145
    ],
    "eventTime": [
      1507143451000
    ],
    "threatintelsplitterbolt:splitter:begin:ts": [
      1507143907148
    ],
    "threatintelsplitterbolt:splitter:end:ts": [
      1507143907148
    ],
    "timestamp": [
      1507143907108
    ]
  },
  "sort": [
    1507143451000
  ]
}

This is my sensor configuration:


{
        "enrichment": {
                "fieldMap": {
                        "stellar": {
                                "config": {
"is_work": "IN_SUBNET(if IS_IP(sourceIPAddress) then sourceIPAddress else NULL, '1.2.3.4/16', '5.6.7.8/23')"
                                }
                        }
                },
                "fieldToTypeMap": {},
                "config": {}
        },
        "threatIntel": {
                "fieldMap": {
                        "stellar": {
                                "config": [
"is_alert := exists(is_work) && is_work != true && eventName == \"ConsoleLogin\"", "is_alert := is_alert || (eventName == \"ConsoleLogin\" && userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\")", "is_alert := is_alert || (eventName == \"ConsoleLogin\" && additionalEventData:MFAUsed == \"No\")"
                                ]
                        }
                },
                "fieldToTypeMap": {},
                "config": {},
                "triageConfig": {
                        "riskLevelRules": [
                                {
                                        "name": "Not WORK",
                                        "comment": "Checks whether the field is_work is true or false.",
                                        "rule": "is_work == false",
                                        "score": 20,
                                        "reason": "FORMAT('%s is not an WORK network!', sourceIPAddress)"
                                },
                                {
                                        "name": "MFA",
                                        "comment": "Checks whether MFA used or not.",
"rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == 'False'",
                                        "score": 20,
                                        "reason": null
                                },
                                {
                                        "name": "MFA2",
                                        "comment": "Checks whether MFA used or not.",
                                        "rule": "additionalEventData:MFAUsed == 'No'",
                                        "score": 20,
                                        "reason": null
                                }
                        ],
                        "aggregator": "SUM",
                        "aggregationConfig": {}
                }
        },
        "configuration": {}
}

Any idea why the triage score isn't 40? I would expect riskLevelRules 1 & 2 to both match this event and be SUMmed.
