Friday, August 1, 2014

QRadar - Extracting Fields from FireEye events

One thing I've learnt that I know will remain true: no matter which SIEM tool you use, there will be times when the information you need is not readily available, by which I mean not parsed by default. However, I do believe that once the raw data is in the event, it can be extracted, and this is what becomes important. Ensuring that you have access to the raw events received by your SIEM is extremely important.

Considering the amount of time I spend working with QRadar, I am surprised that I haven't done any posts on working with QRadar as yet. Anyhow, for this post I will extract some information from FireEye's malware-object and infection-match events.

There are lots of similarities between these two event types. However, there are also lots of differences. As a result, I will use the infection-match event as the main event for extraction.

Sample Malware-Object event
<164>fenotify-129166.alert: LEEF:1.0|FireEye|MPS|7.2.0.224371|malware-object|osinfo=Microsoft Windows7 64-bit 6.1 sp1 14.0528;Microsoft WindowsXP 32-bit 5.1 sp3 14.0528^src=10.0.0.1^sname=Trojan.Asprox^shost=host.securitynik.lab^fileHash=1e5e39f8691b50377769690625efb172^filePath=/someTypeOfExe.exe^dst=10.0.0.2^proto=tcp^dvchost=FireEye^dvc=10.0.0.3^cncHost=cnc.securitynik.lab^externalId=129166^devTime=Jul 01 2014 18:27:32 UTC^sid=33351728^cncPort=8080^link=https://FireEye.securitynik.lab/event_stream/events_for_bot?ma_id\=129166^cncChannel=POST /D552F7C0BB0949631E52BEED25BA191DA4C6182356 HTTP/1.1::~~Accept: */*::~~Content-Type: application/x-www-form-urlencoded::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0::~~Host: cnc.securitynik.lab:8080::~~Content-Length: 312::~~Cache-Control: no-cache::~~::~~\\200^vlan=0^


Sample Infection-Match event
<164>fenotify-29625.1.alert: LEEF:1.0|FireEye|MPS|7.2.0.224371|infection-match|src=10.0.0.1^sname=Local.Infection^shost=host.securitynik.lab^dstMAC=00:15:17:ef:dd:3a^proto=tcp^dvchost=FireEye^dst=10.0.0.2^vlan=0^srcPort=50297^request=hxxp://www.securitynik.labhttp://www.securitynik.lab/sites/default/files/css/css_bae06db3942ff213d9081182d8d659be.css^dvc=10.0.0.3^cncHost=10.0.0.2^externalId=29625^devTime=Jun 09 2014 12:29:47 UTC^sid=502048^cncPort=9119^link=https://FireEye.securitynik.lab/event_stream/events_for_bot?ev_id\=29625^dstPort=9119^cncChannel=GET http://www.securitynik.lab/sites/default/files/css/css_bae06db3942ff213d9081182d8d659be.css HTTP/1.1::~~Accept: text/css::~~Referer: http://www.securitynik.lab/menu::~~Accept-Language: en-US::~~User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)::~~Accept-Encoding: gzip, deflate::~~Host: www.securitynik.lab::~~Proxy-Connection: Keep-Alive::~~Cookie: SESScee87b0f0ae3e3341e2b18fd993a57c3\=8g9c1rd?

Now that we have the events to extract information from, there are a couple of ways to do this. Let's assume we already have one of these events open in the QRadar console. If we do, we can choose "Extract Property" from that event. We will use the information below to complete this task.


Property Type: Regex based

Property Definition:
field: sname
New Property: sname
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "sname" key value pair from FireEye's malware-object
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: sname=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: shost
New Property: shost
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "shost" key value pair from FireEye
Log source type: FireEye
Log Source: All
Event Name: infection-match
High Level Category: Any
Low Level Category: Any
Regex: shost=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: fileHash
New Property: fileHash
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "fileHash" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: fileHash=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: filePath
New Property: filePath
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "filePath" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: filePath=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: proto
New Property: proto
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "proto" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: proto=(.*?)(\^) - Capture Group 1
Enabled



Property Definition:
field: dvchost
New Property: dvchost
Fieldtype: Alphanumeric
Description: This field extracts the "dvchost" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: dvchost=(.*?)(\^) - Capture Group 1
Enabled



Property Definition:
field: dvc
New Property: dvc
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "dvc" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: dvc=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: cncHost
New Property: cncHost
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "cncHost" key value pair from FireEye's malware-object
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: cncHost=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: externalId
New Property: externalId
Fieldtype: Alphanumeric
Description: This field extracts the "externalId" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: externalId=(.*?)(\^) - Capture Group 1
Enabled



Property Definition:
field: devTime
New Property: devTime
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "devTime" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: devTime=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: sid
New Property: FireEye-sid
Fieldtype: Alphanumeric
Description: This field extracts the "sid" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: sid=(.*?)(\^) - Capture Group 1
Enabled



Property Definition:
field: cncPort
New Property: cncPort
Fieldtype: Alphanumeric
Description: This field extracts the "cncPort" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: cncPort=(.*?)(\^) - Capture Group 1
Enabled


Property Definition:
field: link
New Property: link
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "link" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: link=(.*?)(\^) - Capture Group 1
Enabled



Property Definition:
field: cncChannel
New Property: cncChannel
Optimize for parsing for rules, reports and searches
Fieldtype: Alphanumeric
Description: This field extracts the "cncChannel" key value pair from FireEye
Log source type: FireEye
Log Source: All
High Level Category: Any
Low Level Category: Any
Regex: cncChannel=(.*?)(\^) - Capture Group 1
Enabled

There it is: we have successfully extracted the information deemed pertinent for us at this time, which the FireEye log source did not parse by default.
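As an added example (not code from the post), the Python script below applies the post's key=(.*?)(\^) pattern to constructed, abbreviated copies of the two sample events and compares it with an anchored variant. It shows two caveats worth checking before relying on these properties: the post's pattern cannot extract the last attribute of an event that has no trailing '^' (cncChannel in the infection-match sample), and an unanchored key can match inside a longer key name. The event strings and the helper names are this example's own.

```python
import re

# Constructed, abbreviated versions of the two sample events in the post
# (same LEEF header layout, same '^' attribute delimiter, values shortened).
MALWARE_OBJECT = (
    "<164>fenotify-129166.alert: LEEF:1.0|FireEye|MPS|7.2.0.224371|malware-object|"
    "src=10.0.0.1^sname=Trojan.Asprox^shost=host.securitynik.lab^"
    "fileHash=1e5e39f8691b50377769690625efb172^filePath=/someTypeOfExe.exe^"
    "dst=10.0.0.2^proto=tcp^dvchost=FireEye^dvc=10.0.0.3^cncHost=cnc.securitynik.lab^"
    "externalId=129166^devTime=Jul 01 2014 18:27:32 UTC^sid=33351728^cncPort=8080^"
    "link=https://FireEye.securitynik.lab/event_stream/events_for_bot?ma_id\\=129166^"
    "cncChannel=POST /sample HTTP/1.1::~~Host: cnc.securitynik.lab:8080^vlan=0^"
)
INFECTION_MATCH = (
    "<164>fenotify-29625.1.alert: LEEF:1.0|FireEye|MPS|7.2.0.224371|infection-match|"
    "src=10.0.0.1^sname=Local.Infection^shost=host.securitynik.lab^proto=tcp^"
    "dvchost=FireEye^dst=10.0.0.2^dvc=10.0.0.3^cncHost=10.0.0.2^externalId=29625^"
    "devTime=Jun 09 2014 12:29:47 UTC^sid=502048^cncPort=9119^dstPort=9119^"
    "cncChannel=GET http://www.securitynik.lab/menu HTTP/1.1::~~Host: www.securitynik.lab"
)

def extract_blog_regex(event, key):
    """The post's pattern, key=(.*?)(\\^) with capture group 1.
    It only matches when a '^' follows the value, so it misses a trailing
    attribute such as cncChannel in the infection-match sample."""
    m = re.search(re.escape(key) + r"=(.*?)(\^)", event)
    return m.group(1) if m else None

def extract_robust(event, key):
    """Same idea, hardened: the key must sit right after '|' or '^' (so a short
    key such as 'Port' cannot match inside 'cncPort='), and the value may end
    either at the next '^' or at the end of the event."""
    m = re.search(r"(?:\||\^)" + re.escape(key) + r"=(.*?)(?:\^|$)", event)
    return m.group(1) if m else None

def parse_leef(event):
    """Split a LEEF:1.0 event into its header fields and a dict of all
    '^'-delimited attributes, instead of one regex per property."""
    _, _, rest = event.partition("LEEF:1.0|")
    vendor, product, version, event_id, body = rest.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in body.split("^") if "=" in kv)
    return {"vendor": vendor, "product": product, "version": version,
            "eventID": event_id, "fields": fields}

if __name__ == "__main__":
    for key in ("sname", "fileHash", "cncHost", "cncChannel"):
        print(key, extract_blog_regex(INFECTION_MATCH, key),
              extract_robust(INFECTION_MATCH, key))
```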


Regex References:
http://www.autohotkey.com/docs/misc/RegEx-QuickRef.htm
https://www.tcl.tk/man/tcl8.5/tutorial/Tcl20.html
http://www.adobe.com/devnet/dreamweaver/articles/regular_expressions_pt1.html
http://www.rexegg.com/
