carbonblack / cbc-syslog Goto Github PK


Syslog Connector for the Carbon Black Cloud

License: MIT License

Python 98.88% Dockerfile 0.90% Shell 0.22%
carbon-black-cloud cb-defense endpoint-standard cb-threathunter enterprise-edr

cbc-syslog's Introduction

Carbon Black Cloud Syslog Connector 2.x

Introduction

The Carbon Black Cloud Syslog connector lets administrators forward alerts and audit logs from their Carbon Black Cloud instance to local, on-premise systems or other cloud applications.

Still need CBC Syslog 1.x? Check out the legacy branch.

If you are looking to migrate from CBC Syslog 1.x to 2.x take a look at the migration doc.

Features

  • Generates templated messages to support any desired syslog format or send the entire raw JSON message
  • Supports multi-tenancy of one or more Carbon Black Cloud organizations into a single syslog stream
  • Use local File, HTTP, TCP, encrypted (TCP over TLS), or UDP transport protocols to send data

Requirements

The following python packages are required to use CBC Syslog

  • carbon-black-cloud-sdk
  • Jinja2
  • psutil
  • tomli >= 1.1.0; python_version < '3.11'

Note: tomli is only required for Python versions before 3.11, because tomllib is part of the standard library from 3.11 on.

Installation

You can install the Syslog Connector using either PyPI or GitHub.

PyPI Installation

pip install cbc-syslog

GitHub Installation

  1. Clone the repository using SSH or HTTPS

     SSH
     git clone [email protected]:carbonblack/cbc-syslog.git
    
     HTTPS
     git clone https://github.com/carbonblack/cbc-syslog.git
    
  2. Change to the CBC Syslog directory

     cd cbc-syslog
    
  3. Install python package

     pip install .
    

Running cbc_syslog_forwarder

The script cbc_syslog_forwarder is installed into the OS bin directory for easy access from any directory

$ cbc_syslog_forwarder --help
usage: cbc_syslog_forwarder [-h] [--log-file LOG_FILE] [-d] [-v] {poll,history,convert,setup,check} ...

positional arguments:
  {poll,history,convert,setup,check}
                        The action to be taken
    poll                Fetches data from configured sources and forwards to configured output since last poll attempt
    history             Fetches data from specified source for specified time range and forwards to configured output
    convert             Convert CBC Syslog 1.0 conf to new 2.0 toml
    setup               Setup wizard to walkthrough configuration
    check               Check config for valid API keys with correct permissions

options:
  -h, --help            show this help message and exit
  --log-file LOG_FILE, -l LOG_FILE
                        Log file location
  -d, --debug           Set log level to debug
  -v, --verbose         Set log level to info

The cbc_syslog_forwarder poll command is designed to be executed in a cronjob or scheduled task for continual syslog forwarding

Mac/Linux:

Create a file to save the cronjob such as syslog-job.txt. Cronjobs use the UNIX cron format for specifying the schedule for the job to be executed. Install the job under a dedicated, unprivileged account that can read the config file and write to backup_dir and the log file; the connector only makes outbound connections and writes those files, so it does not need root.

5  *  *  *  *  cbc_syslog_forwarder --log-file /some/path/cbc-syslog.log poll /some/path/my-config.toml

To start the job once the file is created run the following command

crontab syslog-job.txt

Windows:

Windows uses Task Scheduler for running scheduled applications.

  1. Search for Task Scheduler
  2. Click on Action then Create Task
  3. Name your Scheduled Task
  4. Click on the Actions Tab and Click New
  5. Under Program/script enter cbc_syslog_forwarder.
  6. Under Add arguments provide the arguments you use to run the poll command with absolute paths to any files
  7. Click OK
  8. Click on the Triggers tab and Click New
  9. Now is the time to schedule your Task. Fill out the information as needed and Click Ok

Your Task has been created! To test your Scheduled Task, follow these instructions below:

  1. Search for Task Scheduler
  2. Click on the folder Task Scheduler Library on the left hand column
  3. Select the Task you want to Test
  4. Select Run on the Actions column on the right hand column.

For more information on Windows Task Scheduler, see Microsoft's guide how-create-automated-task-using-task-scheduler

Create a Config file

If you are creating a CBC Syslog toml file for the first time, check out the setup wizard, which walks you through the basic configuration steps.

cbc_syslog_forwarder setup my-config.toml

For more information on each section follow the guide below:

  1. Create a CUSTOM API key in at least one Carbon Black Cloud instance with the following permissions org.alerts READ and org.audits READ

    For more information on creating a CUSTOM API key see the Carbon Black Cloud User Guide

  2. Create a toml file - e.g. my-config.toml

    For a detailed breakdown of all the supported configurations see examples/cbc-syslog.toml.example

  3. Create the general section

     [general]
     backup_dir = "/some/dir"
     output_type = "file/http/tcp/tcp+tls/udp"
     output_format = "json/template"
    

    a. Specify an absolute path in backup_dir to a directory where unsent messages and previous state can be saved in the case of failure

    b. Decide how you would like to send the messages in output_type from file, http, tcp, tcp+tls or udp. Note that udp and plain tcp carry the alerts unencrypted and udp gives no delivery guarantee; prefer tcp+tls (or https) wherever the destination supports it

    c. Decide your output_format from json or template

  4. Based on the output_type you have chosen you'll need to configure one of the following output destinations

    Example outputs

     file_path = "/some/dir"
    
     http_out = "https://example.com"
     http_headers =  "{ \"content-type\": \"application/json\" }"
     https_ssl_verify = true
    
     tcp_out = "1.2.3.5:514"
    
     udp_out = "1.2.3.5:514"
    

    a. If you selected tcp+tls you'll need to configure the tls section based on your destination's expected certs. Keep tls_verify enabled outside of testing: with verification off, anyone who can intercept the connection can present their own certificate and read or alter the forwarded alerts

     [tls]
     ca_cert =
     cert =
     key =
     key_password =
     tls_verify =
    
  5. If you chose json for output_format skip to step 6; if you chose template, define a template for each enabled data type as described in 5a to 5d below

    Example CEF template

     [alerts_template]
     template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|{{reason_code}}|{{reason}}|{{severity}}|{{extension}}"
     type_field = "type"
     time_format = "%b %d %Y %H:%M:%S"
     time_fields = ["backend_timestamp"]
    
     [alerts_template.extension]
     default = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}"
     CB_ANALYTICS = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}"
    
     [audit_logs_template]
     template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|Audit Logs|{{description}}|1|{{extension}}"
     time_format = "%b %d %Y %H:%M:%S"
     time_fields = ["eventTime"]
    
     [audit_logs_template.extension]
     default = "rt={{eventTime}}\tdvchost={{orgName}}\tduser={{loginName}}\tdvc={{clientIp}}\tcs4Label=Event_ID\tcs4={{eventId}}"
    

    a. You'll need to create a template for each data type you plan to enable

    b. Each data template supports a base template along with the option to specify an extension, which can be used to customize each message based on the value of the specified type_field

    In the example above the type_field for alerts is set to type, which enables a different extension to be selected based on the alert field type

    Note: If a value is not specified in the extension then the default option will be used. The values are case sensitive

    c. If you need to modify the format of a timestamp then you can specify a python strftime format in time_format as well as the time_fields that need to be modified

    For more information on strftime formats see https://strftime.org/

    d. See Search Fields - Alert for the full list of Alert fields

  6. Configure one or more Carbon Black Cloud Organizations

    Example Organization

     [SourceName1]
     server_url = "defense.conferdeploy.net"
     org_key = "ABCD1234"
     custom_api_id = "ABCDE12345"
     custom_api_key = "ABCDEFGHIKLMNO1234567890"
     alerts_enabled = true
     audit_logs_enabled = true
    

    a. The server_url should match the hostname of your Carbon Black Cloud environment

    b. The org_key can be found on the API Access page in the Carbon Black Cloud console from step 1

    c. Use the CUSTOM API key from step 1. The config file holds this secret in plaintext, so restrict its permissions to the account that runs the connector (for example chmod 600 on Linux) and keep it out of source control

    d. Enable the desired data you would like to send for the organization

  7. If you set alerts_enabled to true then you will need to configure one or more alert_rules

    Each alert_rules is a separate request for alerts such that you can configure custom criteria for a desired usecase. See Search Fields - Alert for the fields marked Searchable.

    Example Alert Rules

     [[SourceName1.alert_rules]]
     type = [ "WATCHLIST", "DEVICE_CONTROL" ]
     minimum_severity = 7
    
     [[SourceName1.alert_rules]]
     type = [ "CB_ANALYTICS" ]
     minimum_severity = 3
    

    The key is the alert field you want to filter by and the value is a list of values you want to filter except minimum_severity which is a single integer. Each value is OR'd for a key and values are AND'd across keys e.g. type:( WATCHLIST OR DEVICE_CONTROL) AND minimum_severity: 7

    If you want to fetch ALL alerts then use the following alert_rules

     [[SourceName1.alert_rules]]
     minimum_severity = 1
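
The rule semantics above, as an added example that is not cbc-syslog's own code: the connector turns each [[SourceName1.alert_rules]] table into a separate Alerts API search, whereas the predicate below reproduces the documented matching locally (values OR'd within a key, keys AND'd, minimum_severity compared as an integer, results of all rules unioned) so a rule set can be sanity-checked before it is deployed. The TOML is the README's example with its strings quoted; the alert records are constructed for the illustration and carry only the fields the rules look at. It also accepts a bare string where the README expects a list, which the README itself does not describe.

```python
"""Added example (not part of cbc-syslog): evaluate alert_rules locally.

tomllib is the standard library from Python 3.11; tomli is the fallback the
README names for older interpreters.
"""
try:
    import tomllib
except ModuleNotFoundError:  # Python < 3.11
    import tomli as tomllib

# README example with string values quoted as TOML requires.
CONFIG_TOML = """
[SourceName1]
server_url = "defense.conferdeploy.net"
org_key = "ABCD1234"
alerts_enabled = true

[[SourceName1.alert_rules]]
type = [ "WATCHLIST", "DEVICE_CONTROL" ]
minimum_severity = 7

[[SourceName1.alert_rules]]
type = [ "CB_ANALYTICS" ]
minimum_severity = 3
"""

# Constructed alerts; ids and values are invented for this example.
SAMPLE_ALERTS = [
    {"id": "a1", "type": "WATCHLIST", "severity": 9},
    {"id": "a2", "type": "WATCHLIST", "severity": 5},            # below rule 1's floor
    {"id": "a3", "type": "CB_ANALYTICS", "severity": 3},         # exactly at rule 2's floor
    {"id": "a4", "type": "CB_ANALYTICS", "severity": 2},
    {"id": "a5", "type": "DEVICE_CONTROL", "severity": 7},
    {"id": "a6", "type": "HOST_BASED_FIREWALL", "severity": 10},  # no rule names this type
]


def load_rules(toml_text, source="SourceName1"):
    """Return the list of alert_rules tables for one configured source."""
    return tomllib.loads(toml_text)[source]["alert_rules"]


def rule_matches(rule, alert):
    """One rule: every key must match (AND); a list value matches any of its entries (OR)."""
    for key, wanted in rule.items():
        if key == "minimum_severity":
            if int(alert.get("severity", 0)) < int(wanted):
                return False
            continue
        if isinstance(wanted, str):   # tolerate `type = "WATCHLIST"` (not README syntax)
            wanted = [wanted]
        if alert.get(key) not in wanted:
            return False
    return True


def select_alerts(rules, alerts):
    """Union of what each rule would fetch, de-duplicated by alert id."""
    seen, selected = set(), []
    for rule in rules:
        for alert in alerts:
            if alert["id"] not in seen and rule_matches(rule, alert):
                seen.add(alert["id"])
                selected.append(alert)
    return selected


if __name__ == "__main__":
    for hit in select_alerts(load_rules(CONFIG_TOML), SAMPLE_ALERTS):
        print(hit["id"], hit["type"], hit["severity"])
```

With the README's two rules, only a1, a5 and a3 are selected; a6 is dropped even at severity 10 because no rule lists its type, which is the usual surprise when a new alert type is added to the product.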
    

Creating a custom message with templates

The configuration file provides the ability to define a template for each data type as well as the ability to create a custom extension which can be defined based on a configurable field to make a unique message for a data's sub type

The templates use jinja2 for rendering customizable messages. You can provide the text to be included as well as variable data by wrapping the field name in double curly braces e.g. {{field_name}}.

Template Configuration Properties

  • template defines the base syslog header which will be included for all messages of the data type

    Note: Make sure to include {{extension}} inside the template value in order for the extension template to be rendered as part of the message

  • type_field defines the field in the data that should be used to decide which extension is rendered. The values in the extension are case sensitive

  • time_format and time_fields give you the ability to customize the way timestamps are formatted and which fields are modified. This uses Python strftime formatting; for more information on strftime formats see https://strftime.org/

Example:

[alerts_template]
template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|{{reason_code}}|{{reason}}|{{severity}}|{{extension}}"
type_field = "type"
time_format = "%b %d %Y %H:%M:%S"
time_fields = ["backend_timestamp"]

Extension

  • default defines the extension which will be used if no field is specified for type_field or the field's value does not appear in the extension
  • Any other key in the extension dictionary will be interpreted as a possible value to be matched against the type_field. The values are case sensitive

Example:

[alerts_template.extension]
default = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}"
CB_ANALYTICS = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}"
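
The template, extension and time_fields rules described above (and in step 5 of the configuration guide), as an added example that is not cbc-syslog's code: the connector renders with jinja2, while this stand-in understands only the plain {{field}} placeholders the README uses, so it runs with the standard library alone. The rest follows the documented behaviour: the extension is picked by the case-sensitive value of type_field with `default` as fallback, the strftime pattern in time_format is applied to each name in time_fields, and missing fields render as empty strings as jinja2 does. As an addition the README does not make, header values are escaped per the CEF specification (`|` and `\` in the prefix, `=`, `\` and line breaks in extension values), so an alert reason containing `|` cannot inject extra header fields into the SIEM record. The alert record, the datetime_utc layout and the fixed clock are assumptions made for the example.

```python
"""Added example (not part of cbc-syslog): render one alert from the README's
[alerts_template] tables with a minimal {{field}} substitution.
"""
import re
from datetime import datetime, timezone

FIELD_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# README example; time_format uses %M (minutes), %m would insert the month.
ALERTS_TEMPLATE = {
    "template": "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|{{reason_code}}|{{reason}}|{{severity}}|{{extension}}",
    "type_field": "type",
    "time_format": "%b %d %Y %H:%M:%S",
    "time_fields": ["backend_timestamp"],
    "extension": {
        "default": "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}",
        "CB_ANALYTICS": "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}",
    },
}
HEADER = {"vendor": "CarbonBlack", "product": "CBCSyslog", "product_version": "2.0.3"}
FIXED_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # fixed clock for reproducible output

# Constructed alert: every value below is invented, including the reason code
# and the '|' planted in the reason to show header escaping.
SAMPLE_ALERT = {
    "id": "0000-example",
    "type": "CB_ANALYTICS",
    "backend_timestamp": "2023-12-06T11:16:08.436Z",
    "reason_code": "R_EXAMPLE",
    "reason": "The application notepad.exe invoked cmd.exe | injected",
    "severity": 7,
    "sensor_action": "TERMINATE",
    "run_state": "RAN",
    "attack_tactic": "TA0002",
    "attack_technique": "T1059",
}


def cef_escape_header(value):
    """CEF prefix fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def render(template, values, escape):
    """Replace each {{name}} with escape(name, values[name]); unknown names become ''."""
    return FIELD_RE.sub(lambda m: escape(m.group(1), values.get(m.group(1), "")), template)


def format_times(alert, fmt, fields):
    """Rewrite ISO-8601 'Z' timestamps named in `fields` using strftime pattern `fmt`."""
    out = dict(alert)
    for name in fields:
        raw = out.get(name)
        if isinstance(raw, str) and raw:
            parsed = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            out[name] = parsed.astimezone(timezone.utc).strftime(fmt)
    return out


def render_alert(alert, cfg=ALERTS_TEMPLATE, now=None):
    """Produce the full syslog line for one alert."""
    values = format_times(alert, cfg["time_format"], cfg["time_fields"])
    values.update(HEADER)
    now = now or datetime.now(timezone.utc)
    values["datetime_utc"] = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")  # assumed layout
    # extension chosen by the exact (case-sensitive) value of type_field
    ext_template = cfg["extension"].get(values.get(cfg["type_field"]), cfg["extension"]["default"])
    values["extension"] = render(ext_template, values, lambda _n, v: cef_escape_extension(v))
    # the rendered extension is inserted as-is; every other header value is escaped
    return render(cfg["template"], values,
                  lambda n, v: v if n == "extension" else cef_escape_header(v))


if __name__ == "__main__":
    print(render_alert(SAMPLE_ALERT, now=FIXED_NOW))
```

Changing the sample's type to "cb_analytics" falls through to the default extension, which is the case-sensitivity trap the README warns about.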

Fields

The following fields are available for building the Syslog header

  • {{datetime_utc}} - Uses current time with format e.g. 1985-04-12T23:20:50.52Z
  • {{datetime_legacy}} - Uses current time with format e.g. Jan 18 11:07:53
  • {{vendor}} - CarbonBlack
  • {{product}} - CBCSyslog
  • {{product_version}} - Current CBC Syslog version e.g. 2.0.3

For the available Alert fields see Search Fields - Alerts

For the available Audit Log fields see Audit Log Events

Customer Support

If you want to report an issue or request a new feature please open an issue on GitHub

If you are struggling to set up the tool and you're an existing Carbon Black Cloud customer, reach out to Support from your product console or your sales contact. Support tickets can also be submitted through our User Exchange community.

For other helpful resources check out our contact us page https://developer.carbonblack.com/contact

cbc-syslog's People

Contributors

arunpatyal, askthedragon, avanbrunt-cb, bvasil-cb, dependabot[bot], jgarman, kebringer-cb, kgarcia-cb, lhilmes-cb, mikethecanuck-cb, qriff, smultani, zacharyestep

cbc-syslog's Issues

Error building docker container

#10 103.5 Complete!
#10 104.4 Collecting pip
#10 104.8 Downloading https://files.pythonhosted.org/packages/b7/2d/ad02de84a4c9fd3b1958dc9fb72764de1aa2605a9d7e943837be6ad82337/pip-21.0.1.tar.gz (1.5MB)
#10 106.1 Installing collected packages: pip
#10 106.1 Found existing installation: pip 8.1.2
#10 106.1 Uninstalling pip-8.1.2:
#10 106.1 Successfully uninstalled pip-8.1.2
#10 106.1 Running setup.py install for pip: started
#10 107.5 Running setup.py install for pip: finished with status 'done'
#10 107.6 Successfully installed pip-21.0.1
#10 107.8 Traceback (most recent call last):
#10 107.8 File "/usr/bin/pip", line 9, in <module>
#10 107.8 load_entry_point('pip==21.0.1', 'console_scripts', 'pip')()
#10 107.8 File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
#10 107.8 return get_distribution(dist).load_entry_point(group, name)
#10 107.8 File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
#10 107.8 return ep.load()
#10 107.8 File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
#10 107.8 entry = __import__(self.module_name, globals(), globals(), ['__name__'])
#10 107.8 File "/usr/lib/python2.7/site-packages/pip/_internal/cli/main.py", line 60
#10 107.8 sys.stderr.write(f"ERROR: {exc}")
#10 107.8 ^
#10 107.8 SyntaxError: invalid syntax

executor failed running [/bin/sh -c yum update -y && yum install -y gcc python-devel && yum install -y epel-release && yum install -y python-pip rpm-build && pip install --upgrade pip && pip install pyinstaller==2.7 && mkdir -p /root/build-root /root/cbc-syslog /root/rpmbuild/SOURCES]: exit code: 1

Get error when no alerts are available

I get following error when no alerts are available on the backend server.
If alerts were available, finishes without errors.

cat /etc/redhat-release

CentOS Linux release 7.6.1810 (Core)

rpm -qa | grep cb-defense

python-cb-defense-syslog-1.2-12.x86_64

tail -12 /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

2019-04-08 09:00:02,631 - __main__ - INFO - Number of files in store forward: 0
2019-04-08 09:00:02,631 - __main__ - INFO - Found 1 Cb Defense Servers in config file
2019-04-08 09:00:02,631 - __main__ - INFO - Handling notifications for https://api-prod05.conferdeploy.net
2019-04-08 09:00:02,631 - __main__ - INFO - Attempting to connect to url: https://api-prod05.conferdeploy.net
2019-04-08 09:00:03,330 - __main__ - INFO - <Response [200]>
2019-04-08 09:00:03,330 - __main__ - INFO - successfully connected, no alerts at this time
2019-04-08 09:00:03,330 - __main__ - INFO - There are no messages to forward to host
2019-04-08 09:00:03,330 - __main__ - ERROR - 'NoneType' object is not iterable
Traceback (most recent call last):
  File "cb_defense_syslog.py", line 740, in <module>
  File "cb_defense_syslog.py", line 675, in main
TypeError: 'NoneType' object is not iterable

OSError: [Errno 22] Invalid argument

Describe the bug

In the Windows OS environment, the scripts (core.py, output.py etc) will result in the following error when attempting to use unsupported characters (":") in a file name on Windows.


2023-12-06 11:17:38,983 - cbc_syslog.cli - ERROR - [Errno 22] Invalid argument: 'C:\cbc-syslog2\backup\cbc-2023-12-06T11:16:08.436704Z.bck'
Traceback (most recent call last):
File "C:\Program Files\Python312\Lib\site-packages\cbc_syslog\cli.py", line 115, in main
succeeded = poll(Config(args.config_file))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Program Files\Python312\Lib\site-packages\cbc_syslog\core.py", line 149, in poll
with open(backup_file, "a") as backup:
^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 22] Invalid argument: 'C:\cbc-syslog2\backup\cbc-2023-12-06T11:16:08.436704Z.bck'

Reproduction steps

It always reproduces in the Windows environment.

Expected behavior

Use file names supported by Windows.

Additional context

No response
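
A way to produce the portable file name the report asks for, as an added example rather than the project's fix: the traceback above fails because the ':' characters of an ISO-8601 timestamp are illegal in NTFS file names. The helper writes the timestamp in the separator-free basic ISO form, which still sorts chronologically, and refuses any name that carries a character or reserved device name Windows rejects, so a bad name surfaces as a ValueError instead of an OSError from open(). The prefix and suffix mirror the path in the traceback; the example timestamp is the one from the report.

```python
"""Added example (not cbc-syslog's code): Windows- and POSIX-safe backup file names."""
from datetime import datetime, timezone

# Characters NTFS/FAT refuse, plus ASCII control characters.
WINDOWS_FORBIDDEN = set('<>:"/\\|?*') | {chr(c) for c in range(32)}
# Device names Windows reserves regardless of extension (CON.bck is still CON).
WINDOWS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL",
                        *(f"COM{i}" for i in range(1, 10)),
                        *(f"LPT{i}" for i in range(1, 10))}

EXAMPLE_TIME = datetime(2023, 12, 6, 11, 16, 8, 436704, tzinfo=timezone.utc)  # from the report


def is_portable_filename(name):
    """True when `name` is accepted by NTFS/FAT as well as POSIX file systems."""
    if not name or name in {".", ".."} or name[-1] in " .":   # Windows strips trailing dot/space
        return False
    if any(ch in WINDOWS_FORBIDDEN for ch in name):
        return False
    stem = name.split(".", 1)[0].upper()
    return stem not in WINDOWS_DEVICE_NAMES


def backup_filename(when=None, prefix="cbc", suffix=".bck"):
    """e.g. cbc-20231206T111608.436704Z.bck: colon-free and still sorts by time."""
    when = when or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    name = f"{prefix}-{stamp}{suffix}"
    if not is_portable_filename(name):
        raise ValueError(f"not a portable file name: {name!r}")
    return name


if __name__ == "__main__":
    print(backup_filename(EXAMPLE_TIME))
```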

Add informative message when 401 received

Thanks to @bigblueswope again :)

And at line 31, lets add an informative message when the API key is wrong

if response.status_code == 401:
    logger.warn("Authentication failed check config file for proper Connector ID and API key")
    sys.exit(1)

Some tweeks needed to run cbc-syslog 1.0.2 with Python 3.6 (CentOS)

When I installed cbc-syslog 1.0.2 on CentOS with python3.6, I get following error when testing:

# /usr/bin/python3.6 /usr/local/lib/python3.6/site-packages/cbc_syslog/cb_defense_syslog.py --config-file /usr/local/lib/python3.6/site-packages/cbc_syslog/root/etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf --log-file /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/cbc_syslog/cb_defense_syslog.py", line 5, in <module>
    import ConfigParser
ModuleNotFoundError: No module named 'ConfigParser'
#

I needed following fix to make it run:

# diff -u /usr/local/lib/python3.6/site-packages/cbc_syslog/cb_defense_syslog.py.orig /usr/local/lib/python3.6/site-packages/cbc_syslog/cb_defense_syslog.py
--- /usr/local/lib/python3.6/site-packages/cbc_syslog/cb_defense_syslog.py.orig 2020-07-21 16:20:57.418225523 +0900
+++ /usr/local/lib/python3.6/site-packages/cbc_syslog/cb_defense_syslog.py      2020-07-21 16:21:22.824624882 +0900
@@ -2,7 +2,7 @@
 import ssl
 import sys
 import argparse
-import ConfigParser
+import configparser
 import requests
 from jinja2 import Template
 import os
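Review bot: the `-import ConfigParser` / `+import configparser` change at the top of this hunk makes cb_defense_syslog.py Python-3-only, while the package's Docker build quoted earlier in this issue list still runs under /usr/lib/python2.7; if 1.x has to keep working on both interpreters, guard the import instead: `try: import configparser` / `except ImportError: import ConfigParser as configparser`.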
@@ -35,7 +35,7 @@
     """
     global config
     try:
-        config = ConfigParser.ConfigParser()
+        config = configparser.ConfigParser()
         config.readfp(open(args.config_file))
     except Exception as e:
         logging.error(e, exc_info=True)
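Review bot: the unchanged `config.readfp(open(args.config_file))` just below the renamed constructor is deprecated on Python 3 (removed in 3.12) and never closes the file handle; replace it with `with open(args.config_file) as fh:` / `config.read_file(fh)`, which is the Python 3 configparser API and keeps this patch from breaking again on the next interpreter upgrade.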

Error building docker container

Receive an error when trying to build the docker container:

Step 5/11 : RUN pip install -r requirements.txt   && python setup.py -v bdist_binaryrpm   && cd /root/build-root   && rpm2cpio /root/rpmbuild/RPMS/x86_64/python-cb-defense-syslog-*.rpm | cpio -id
 ---> Running in 264935c8e5ee
Collecting Jinja2==2.8 (from -r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/96/a1/c56bc4d99dc2663514a8481511e80eba8994133ae75eebdadfc91a5597d9/Jinja2-2.8-py2.py3-none-any.whl (263kB)
Collecting MarkupSafe==0.23 (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/c0/41/bae1254e0396c0cc8cf1751cb7d9afc90a602353695af5952530482c963f/MarkupSafe-0.23.tar.gz
Collecting requests>=2.20.0 (from -r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/7d/e3/20f3d364d6c8e5d2353c72a67778eb189176f08e873c9900e10c0287b84b/requests-2.21.0-py2.py3-none-any.whl (57kB)
Collecting flask==0.12.4 (from -r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/2e/48/f1936dadac2326b3d73f2fe0a964a87d16be16eb9d7fc56f09c1bea3d17c/Flask-0.12.4-py2.py3-none-any.whl (81kB)
Collecting six==1.12.0 (from -r requirements.txt (line 5))
  Downloading https://files.pythonhosted.org/packages/73/fb/00a976f728d0d1fecfe898238ce23f502a721c0ac0ecfedb80e0d88c64e9/six-1.12.0-py2.py3-none-any.whl
Collecting urllib3<1.25,>=1.21.1 (from requests>=2.20.0->-r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/62/00/ee1d7de624db8ba7090d1226aebefab96a2c71cd5cfa7629d6ad3f61b79e/urllib3-1.24.1-py2.py3-none-any.whl (118kB)
Collecting chardet<3.1.0,>=3.0.2 (from requests>=2.20.0->-r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl (133kB)
Collecting idna<2.9,>=2.5 (from requests>=2.20.0->-r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl (58kB)
Collecting certifi>=2017.4.17 (from requests>=2.20.0->-r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl (154kB)
Collecting itsdangerous>=0.21 (from flask==0.12.4->-r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/76/ae/44b03b253d6fade317f32c24d100b3b35c2239807046a4c953c7b89fa49e/itsdangerous-1.1.0-py2.py3-none-any.whl
Collecting click>=2.0 (from flask==0.12.4->-r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/fa/37/45185cb5abbc30d7257104c434fe0b07e5a195a6847506c074527aa599ec/Click-7.0-py2.py3-none-any.whl (81kB)
Collecting Werkzeug>=0.7 (from flask==0.12.4->-r requirements.txt (line 4))
  Downloading https://files.pythonhosted.org/packages/20/c4/12e3e56473e52375aa29c4764e70d1b8f3efa6682bef8d0aae04fe335243/Werkzeug-0.14.1-py2.py3-none-any.whl (322kB)
Installing collected packages: MarkupSafe, Jinja2, urllib3, chardet, idna, certifi, requests, itsdangerous, click, Werkzeug, flask, six
  Running setup.py install for MarkupSafe: started
    Running setup.py install for MarkupSafe: finished with status 'done'
  Found existing installation: chardet 2.2.1
    Uninstalling chardet-2.2.1:
      Successfully uninstalled chardet-2.2.1
Successfully installed Jinja2-2.8 MarkupSafe-0.23 Werkzeug-0.14.1 certifi-2018.11.29 chardet-3.0.4 click-7.0 flask-0.12.4 idna-2.8 itsdangerous-1.1.0 requests-2.21.0 six-1.12.0 urllib3-1.24.1
You are using pip version 8.1.2, however version 19.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
running bdist_binaryrpm
running sdist
running check
warning: sdist: manifest template 'MANIFEST.in' does not exist (using default file list)

error: venv/local/lib: No such file or directory
The command '/bin/sh -c pip install -r requirements.txt   && python setup.py -v bdist_binaryrpm   && cd /root/build-root   && rpm2cpio /root/rpmbuild/RPMS/x86_64/python-cb-defense-syslog-*.rpm | cpio -id' returned a non-zero code: 1

Running on Debian 9
Docker version 18.09.0 build 4d60db4

output_format handling for 'leef' seems incorrect

For cbc-syslog version 1.0.2, following line seems to be wrong.
158 if not output_format == 'cef' and not output_format == 'json' and output_format == 'leef':

I think it should be:
158 if not output_format == 'cef' and not output_format == 'json' and not output_format == 'leef':

How to re retrieve notifications?

Is it possible to re retrieve notifications? Meaning, I get 2500 messages and for some reason I delete the resultant syslog file and I want to get them again.. how can I do that?
For now, I'm only to get new notifications/events, but not ask for them again.

[ERROR] LEEF output format

Hello team,

It seems the LEEF output format is a little bit broken..

It's weird because in your config file you don't mention the possibility to put this kind of output : "Output format of the data sent. Currently support json or cef formats".
But when we read the python file, there is this possibility : "logger.error('Must specify JSON, CEF , or LEEF output format')" (line 162)

OS version

Red Hat Enterprise Linux Server release 7.7 (Maipo)

Package version

python-cb-defense-syslog-1.2-12.x86_64

Log error

2020-01-02 17:15:21,634 - __main__ - INFO - Handling notifications for https://api-prod0X.conferdeploy.net
2020-01-02 17:15:21,635 - __main__ - INFO - Attempting to connect to url: https://api-prod0X.conferdeploy.net
2020-01-02 17:15:21,786 - __main__ - INFO - <Response [200]>
2020-01-02 17:15:21,787 - __main__ - ERROR - 'dict' object has no attribute 'json'
Traceback (most recent call last):
  File "cb_defense_syslog.py", line 740, in <module>
  File "cb_defense_syslog.py", line 657, in main
  File "cb_defense_syslog.py", line 78, in parse_cb_defense_response_leef
AttributeError: 'dict' object has no attribute 'json'

We would like to use this connector to forward Carbon Black Defense logs to our Qradar instance. This last requires the logs in LEEF format to works properly..

Thank you in advance for your help on this case !

Regards,

Lucas A.

No such file or directory

Hello,

I'm trying to understand the CMD line. Should there be an executable in the path?

CMD ["/usr/share/cb/integrations/cbc-syslog/cbc-syslog", "--config-file", "/etc/cb/integrations/cbc-syslog/cbc-syslog.conf", "--log-file", "/dev/stdout"]

Running the build container as described sudo docker container run -it <containerId> /bin/bash and checking the directory executed on the CMD I only find the store directory that is created on the Dockerfile.

RUN mkdir -p /usr/share/cb/integrations/cbc-syslog/store

Should the command be this instead: CMD ["cbc-syslog", "--config-file", "/etc/cb/integrations/cbc-syslog/cbc-syslog.conf", "--log-file", "/dev/stdout"] ? I ask because on line

COPY --from=build /root/build-root /
it copies the files from the build image that includes the cbc-syslogs executable into /usr/bin. I'm trying to get this to work on docker, but I get the No such file or directory message.

Regards,

Identify CbDefense org in notifications

If configured to use multiple orgs/connectors, we need to be able to identify which org the notification came from. This could be done in the connector by including the ServerURL used in the API call and the ConnectorID. This would allow you to pull from multiple orgs, send to SIEM and still identify which org that notification came from.

No alerts

Describe the bug

I've set up the cbc-syslog tool using the poll mode on my Debian server and I do receive Audit Log syslog messages in my SIEM system but no Alerts. I have the following parameters setup in my conf file:

[general]
backup_dir = "/tmp"
output_format = "template"
output_type = "udp"
udp_out = "IP:Port"

[nav]
server_url = "defense-eu.conferdeploy.net"
org_key = "xxxxx"
custom_api_id = "xxxxx"
custom_api_key = "xxxxx"
audit_logs_enabled = true
alerts_enabled = true

[[nav.alert_rules]]
type = [ "WATCHLIST", "DEVICE_CONTROL", "CB_ANALYTICS", "CONTAINER_RUNTIME", "HOST_BASED_FIREWALL", "INTRUSION_DETECTION_SYSTEM" ]
minimum_severity = 1

[alerts_template]
template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|{{reason_code}}|{{reason}}|{{severity}}|{{extension}}"
type_field = "type"
time_format = "%b %d %Y %H:%m:%S"
time_fields = ["backend_timestamp"]

[alerts_template.extension]
default = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}"
CB_ANALYTICS = "cat={{type}}\tact={{sensor_action}}\toutcome={{run_state}}\tframeworkName=MITRE_ATT&CK\tthreatAttackID={{attack_tactic}}:{{attack_technique}}"

[audit_logs_template]
template = "{{datetime_utc}} localhost CEF:1|{{vendor}}|{{product}}|{{product_version}}|Audit Logs|{{description}}|1|{{extension}}"
type_field = ""
time_format = "%b %d %Y %H:%m:%S"
time_fields = ["eventTime"]

[audit_logs_template.extension]
default = "rt={{eventTime}}\tdvchost={{orgName}}\tduser={{loginName}}\tdvc={{clientIp}}\tcs4Label=Event_ID\tcs4={{eventId}}"

I have also checked with tcpdump what data is sent to the output port but also there only the audit log messages are sent.

When I use the CB API directly to test (using curl) I do get alerts returned...

Any idea why I don't get alerts out of the cbc-syslog tool using the poll mode?

Reproduction steps

  1. use the config in the description (with correct ip, port and api keys configured).
  2. run the tool using the poll option

Expected behavior

Alerts and audit logs should be polled...

Additional context

No additional context

Connector skips over organizations if an earlier org reports no notifications available

Reported by @bigblueswope

If you've defined multiple SIEM connectors, as soon as one returns no records it calls sys.exit() instead of just returning None

See https://github.com/carbonblack/cb-defense-syslog-tls/blob/master/cb-defense-syslog.py#L353 and line 368:

need to move lines 370-383 into the (not really there) else: portion of the if statement at 366

if not log_messages:
    logger.info("There are no messages to forward to host")
else:
    logger.info("Sending {} messages to {}:{}".format(len(log_messages),
                                                  output_params['output_host'],
                                                  output_params['output_port']))

    #
    # finally send the messages
    #
    for log in log_messages:
        template = Template(config.get('general', 'template'))
        send_syslog_tls(output_params['output_host'],
                    output_params['output_port'],
                    template.render(log),
                    output_params['output_type'])

Feature request: Logging to file instead

Would be nice to be able to specify a Rotating Log file instead of a Syslog Destination in the configuration file.

Something like this perhaps? http://www.blog.pythonlibrary.org/2014/02/11/python-how-to-create-rotating-logs/

This would allow for a local log file output (instead of a syslog destination), which will enable logstash (or something similar) to pick-up the file in JSON format and deliver to various destinations.

In our case that's Rabbit/ElasticSearch
