Mozilla Security Authentication Events, Last X attribute(s) tracking by user
This module can be used to generate alerts if an authentication event is seen for a user that has new properties or attributes. In this context, a new attribute may be a field such as a source IP address, a new geo-location, or any combination of values returned in the selprinc match.
The module makes use of the Heka selprinc module for event matching and normalization, and requires a valid selprinc configuration to be present to indicate which events to consider as authentication events, and which fields to translate.
To use geocity and geocountry information in alerting, this plugin expects a valid aux configuration in selprinc that stores the geocity and geocountry values under the keys "geocity" and "geocountry" in the returned selprinc match. These keys do not have to be present for every event category; for any category that does provide them, the plugin incorporates the information into alerting.
Multiple elements in selprinc are supported such that a single tracking database can be applied to more than one event type. This assumes that the username/subject field will be consistent across the event types you want to compare.
If the username is not consistent across event types, subject_map can be used for a given event type to map values to the desired string.
selprinc_track specifies which element or combination of elements in the returned selprinc match you want to compare to identify new attributes. If more than one element is specified, the values are concatenated together prior to comparison with previous authentication events.
The module always generates an alert for an applicable message, but if an event is seen that has new data that isn't included in the tracked data the alert is modified to indicate this.
The lastx configuration value controls the number of previous attributes that are tracked for a given user ID. By default lastx is 5.
This module requires use of a lookup module in the alert configuration. See the documentation for the alert modules for more information. The lookup data sent to the alerting module is adjusted based on the configuration of this sandbox and on the contents of the alert itself.
sendglobal is always set to true in the lookup data, for every applicable message. Likewise, the subject field in the lookup data is always set to the resolved selprinc subject.
If the alert indicates new tracking data, and the user_notify configuration option is set to true, the senduser flag is set to true.
If the message has unacceptable time drift and the drift_notify configuration option is set to true, all lookup data flags are toggled off and the only flag toggled on will be senderror. If drift_notify is set to false the message is ignored.
If enable_metrics is true, the module will submit metrics events for collection by the metrics output sandbox. Ensure process_message_inject_limit is set appropriately, since with metrics enabled process_event can inject up to 2 messages per input message (the alert and the metric event).
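The tracking and lookup-flag behaviour described above, as an added Python model that is not the sandbox's own Lua code. It assumes the documented defaults (lastx 5, expireolderthan 864000, acceptable_message_drift 600, alert_on_first false) and a selprinc match passed in as a plain dict; the `new_attribute` key stands in for the "modified alert" the text describes, and refreshing the timestamp of a re-seen attribute is an assumption.

```python
class LastXTracker:
    """Per-subject last-X attribute tracking with the documented lookup flags."""

    def __init__(self, selprinc_track, lastx=5, expireolderthan=864000,
                 acceptable_message_drift=600, alert_on_first=False,
                 user_notify=True, drift_notify=True):
        self.track = selprinc_track          # elements concatenated for comparison
        self.lastx = lastx                   # entries kept per subject
        self.expire = expireolderthan        # seconds before an entry is dropped
        self.drift = acceptable_message_drift
        self.alert_on_first = alert_on_first
        self.user_notify = user_notify
        self.drift_notify = drift_notify
        self.db = {}  # subject -> [(attribute, last_seen)], newest last

    def process(self, match, msg_ts, now):
        """Return lookup data for one selprinc match, or None if ignored."""
        subject = match["subject"]
        if abs(now - msg_ts) > self.drift:
            if not self.drift_notify:
                return None  # message dropped entirely
            # unacceptable drift: every flag off except senderror
            return {"subject": subject, "sendglobal": False,
                    "senduser": False, "senderror": True, "new_attribute": False}
        # concatenate the tracked elements before comparing with history
        attr = "|".join(str(match[k]) for k in self.track)
        entries = [e for e in self.db.get(subject, []) if now - e[1] <= self.expire]
        first = not entries
        new = attr not in [a for a, _ in entries]
        # assumption: a re-seen attribute moves to the newest slot
        entries = [e for e in entries if e[0] != attr] + [(attr, now)]
        self.db[subject] = entries[-self.lastx:]  # keep only the last X
        is_new = new and (self.alert_on_first or not first)
        return {"subject": subject, "sendglobal": True, "senderror": False,
                "senduser": bool(is_new and self.user_notify),
                "new_attribute": is_new}
```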
1. Sample Configuration
filename = "moz_security_auth_lastx.lua"
message_matcher = "Type ~= 'bastion.file.sshd'% && Fields[sshd_authmsg] == 'Accepted'"
ticker_interval = 0
process_message_inject_limit = 1

-- preserve the tracking data across process restarts
preserve_data = true
-- preservation_version = 0 -- optional, increment if config is changed

user_notify = true -- send direct user notifications
drift_notify = true -- send notifications on unacceptable drift
-- acceptable_message_drift = 600 -- optional, defaults to 600 seconds if not specified
-- alert_on_first = false -- optional, alert on first attribute seen for a user
-- expireolderthan = 864000 -- optional, tracked entries older than value are removed, defaults to 864000
-- lastx = 5 -- optional, track last X entries, defaults to 5

selprinc_track = { "sourceip" }

heka_selprinc = {
    events = {
        ssh = {
            select_field     = "Fields[programname]",
            select_match     = "^sshd$",
            subject_field    = "Fields[user]",
            object_field     = "Hostname",
            sourceip_field   = "Fields[ssh_remote_ipaddr]",
            aux = {
                { "geocity", "Fields[ssh_remote_ipaddr_city]" },
                { "geocountry", "Fields[ssh_remote_ipaddr_country]" }
            }
        },
        awsconsole = {
            select_field     = "Fields[eventType]",
            select_match     = "^AwsConsoleSignIn$",
            subject_field    = "Fields[userIdentity.userName]",
            object_field     = "Fields[recipientAccountId]",
            sourceip_field   = "Fields[sourceIPAddress]"
        },
        duopull = {
            select_field     = "Fields[msg]",
            select_match     = "^duopull event$",
            subject_field    = "Fields[event_username]",
            object_field     = "Fields[event_action]",
            sourceip_field   = "Fields[event_description_ip_address]",
            subject_map = {
                ["An admin user"] = "admin",
                ["Commander Riker"] = "riker"
            }
        }
    }
}

alert = {
    lookup = "idrouter",
    modules = {
        idrouter = {
            subjects = {
                riker = {
                    mapfrom = { "riker" },
                },
                picard = {
                    mapfrom = { "picard" },
                    email = {
                        direct = "jean-luc@uss-enterprise"
                    }
                },
            },
            email = {
                direct = "%s@uss-enterprise",
                global = "main-engineering@uss-enterprise"
            }
        }
    }
}

-- enable_metrics = false -- optional, if true enable secmetrics submission
source code: moz_security_auth_lastx.lua