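##############################
# DERIVED FIELDS
##############################
[derivedfields]
# These fields will be extracted from all processed events, and added as new fields in case an outlier event is found.
# The format for the new field will be: outlier.<field_name>, for example: outliers.initials
# The format to use is GROK. These fields are extracted BEFORE the analysis happens, which means that these fields can also be used as for example aggregators or targets in use cases.
# NOTE(review): the GROK pattern below contains bare "%" characters. Under Python configparser's default
# BasicInterpolation a bare "%" raises at read time; this only parses as written if the consuming tool
# reads the file with interpolation disabled (or is not configparser) — confirm against the reader.
# Derived fields produced here: timestamp_year, timestamp_month, timestamp_day, timestamp_hour,
# timestamp_minute, timestamp_second (optional), timestamp_timezone (optional).
timestamp=%{YEAR:timestamp_year}-%{MONTHNUM:timestamp_month}-%{MONTHDAY:timestamp_day}[T ]%{HOUR:timestamp_hour}:?%{MINUTE:timestamp_minute}(?::?%{SECOND:timestamp_second})?%{ISO8601_TIMEZONE:timestamp_timezone}?

##############################
# BEACONING - DETECT OUTBOUND SSL BEACONING - TLS
##############################
[beaconing_ssl_outbound]
# Elasticsearch query string restricting this use case to Bro/Zeek ssl.log events.
# The double quotes are part of the value and are passed through as part of the query; do not strip them.
es_query_filter=_exists_:BroFilter.event_type AND BroFilter.event_type:"ssl.log"
# Comma-separated list of fields events are grouped by: TLS server name, originating host,
# and the day derived in [derivedfields].
aggregator=BroFilter.server_name,BroFilter.id_orig_h,timestamp_day
# Field whose value distribution is analysed within each aggregation (derived in [derivedfields]).
target=timestamp_hour
# Detection sensitivity; the scale is defined by the consuming tool — see its documentation.
trigger_sensitivity=1
# Free-text labels attached to each outlier that is raised.
outlier_type=suspicious connection
outlier_reason=beaconing TLS connection
# {BroFilter.server_name} is presumably substituted with the event's field value by the consuming tool — confirm.
outlier_summary=beaconing TLS connection to {BroFilter.server_name}
# 1/0 flags controlling whether the use case runs and whether it is run in test mode.
run_model=1
test_model=0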