This repository has been archived by the owner on Mar 17, 2022. It is now read-only.
forked from ace-ecosystem/ACE
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
42f9eea
commit e962c55
Showing
1 changed file
with
218 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,218 @@ | ||
| [custom_alerts] | ||
| splunk - snort = analysis/custom/splunk_snort.html | ||
| splunk - av = analysis/custom/splunk_av.html | ||
| splunk - bit9 = analysis/custom/splunk_bit9.html | ||
| splunk - cb = analysis/custom/cb.html | ||
| splunk - av - mcafee = analysis/custom/splunk_av_mcafee.html | ||
|
|
||
| [analysis_module_carbon_black_netconn_source_analysis] | ||
| module = saq.modules.carbon_black | ||
| class = CarbonBlackNetconnSourceAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
| relative_duration_before = 04:00:00 | ||
| relative_duration_after = 04:00:00 | ||
| observation_grouping_time_range = 45:00 | ||
|
|
||
| ; the maximum number of process guids to extract | ||
| process_guid_limit = 3 | ||
|
|
||
| [analysis_module_dlp_process_hash_analysis_v1] | ||
| module = saq.modules.process | ||
| class = DLPProcessHashAnalyzer_v1 | ||
| enabled = yes | ||
| semaphore = splunk | ||
| max_asset_count = 6 | ||
| relative_duration_before = 24:00:00 | ||
| relative_duration_after = 00:15:00 | ||
|
|
||
| [analysis_module_bit9_file_hash_analysis_v1] | ||
| module = saq.modules.process | ||
| class = Bit9FileHashAnalyzer_v1 | ||
| enabled = no | ||
| semaphore = splunk | ||
| max_asset_count = 6 | ||
| relative_duration_before = 24:00:00 | ||
| relative_duration_after = 00:15:00 | ||
|
|
||
| [analysis_module_snort] | ||
| module = saq.modules.snort | ||
| class = SnortAlertsAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
| exclude_proxy = observable_group:proxy | ||
| exclude_external = observable_group:external_gateway | ||
| exclude_smtp = observable_group:smtp | ||
| exclude_internal_dns = observable_group:internal_dns | ||
| exclude_external_dns = observable_group:external_dns | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 04:00:00 | ||
| relative_duration_after = 04:00:00 | ||
|
|
||
| [analysis_module_pan_threats] | ||
| module = saq.modules.pan | ||
| class = PanThreatsAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
| exclude_proxy = observable_group:proxy | ||
| exclude_external = observable_group:external_gateway | ||
| exclude_smtp = observable_group:smtp | ||
| exclude_internal_dns = observable_group:internal_dns | ||
| exclude_external_dns = observable_group:external_dns | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 04:00:00 | ||
| relative_duration_after = 04:00:00 | ||
|
|
||
| [analysis_module_pan_snort_correlation] | ||
| module = saq.modules.pan | ||
| class = PanSnortCorrelationAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
| relative_duration_before = 00:05:00 | ||
| relative_duration_after = 00:05:00 | ||
| observation_grouping_time_range = 45:00 | ||
|
|
||
| [analysis_module_dns_request_analysis_v1] | ||
| module = saq.modules.dns | ||
| class = DNSRequestAnalyzer_v1 | ||
| enabled = yes | ||
| semaphore = splunk | ||
| ; the maximum number of proxy requests to obtain from splunk | ||
| max_request_count = 50 | ||
| ; if there are less than X users requesting the resource in the timeframe then we add the users as observables | ||
| max_source_count = 6 | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 00:01:00 | ||
| relative_duration_after = 00:01:00 | ||
| ; 24 hour baseline period | ||
| baseline_relative_duration_before = 24:00:00 | ||
| baseline_relative_duration_after = 02:00:00 | ||
|
|
||
| [analysis_module_bluecoat_analysis_by_dst_v1] | ||
| module = saq.modules.bluecoat | ||
| class = BluecoatProxyAnalyzerByDestination_v1 | ||
| enabled = yes | ||
| semaphore = splunk | ||
| exclude_proxy = observable_group:internal | ||
| ; the maximum number of proxy requests to obtain from splunk | ||
| max_request_count = 50 | ||
| ; if there are less than X users requesting the resource in the timeframe then we add the users as observables | ||
| max_user_count = 6 | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 00:15:00 | ||
| relative_duration_after = 00:15:00 | ||
| ; 24 hour baseline period | ||
| baseline_relative_duration_before = 24:00:00 | ||
| baseline_relative_duration_after = 02:00:00 | ||
| ; a CSV file that maps bluecoat categories to tags | ||
| category_tag_csv_path = etc/bluecoat_category_tagging.csv | ||
|
|
||
| [analysis_module_bluecoat_analysis_by_src_v1] | ||
| module = saq.modules.bluecoat | ||
| class = BluecoatProxyAnalyzerBySource_v1 | ||
| enabled = yes | ||
| semaphore = splunk | ||
| ; the maximum number of proxy requests to obtain from splunk | ||
| max_request_count = 1000 | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 00:01:00 | ||
| relative_duration_after = 00:01:00 | ||
|
|
||
| [analysis_module_squid] | ||
| module = saq.modules.squid | ||
| class = SquidProxyAnalyzerByDestination | ||
| enabled = no | ||
| semaphore = splunk | ||
| ; the maximum number of proxy requests to obtain from splunk | ||
| max_request_count = 10 | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 00:15:00 | ||
| relative_duration_after = 00:15:00 | ||
|
|
||
| [analysis_module_exploit_kit_proxy_analyzer] | ||
| module = saq.modules.bluecoat | ||
| class = ExploitKitProxyAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
| exclude_internal = observable_group:internal | ||
| ; the maximum number of proxy requests to obtain from splunk | ||
| max_request_count = 10 | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 00:01:00 | ||
| relative_duration_after = 00:01:00 | ||
|
|
||
| [analysis_module_symantec] | ||
| module = saq.modules.symantec | ||
| class = SymantecAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
| ; tighter time around splunk searches | ||
| relative_duration_before = 24:00:00 | ||
| relative_duration_after = 00:15:00 | ||
|
|
||
| [analysis_module_dlp_process] | ||
| module = saq.modules.dlp | ||
| class = DLPProcessAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
| ; we go a bit wider for DLP Process searches | ||
| relative_duration_before = 24:00:00 | ||
| relative_duration_after = 02:00:00 | ||
| ; go pretty far back for the baseline | ||
| baseline_relative_duration_before = 720:00:00 | ||
| baseline_relative_duration_after = 02:00:00 | ||
| ; this one takes a long time to run so don't go back too far (7 days should be good) | ||
| global_baseline_relative_duration_before = 168:00:00 | ||
| global_baseline_relative_duration_after = 02:00:00 | ||
|
|
||
| [analysis_module_email_history_analyzer_v2] | ||
| module = saq.modules.email | ||
| class = EmailHistoryAnalyzer_v2 | ||
| enabled = yes | ||
| semaphore = splunk | ||
|
|
||
| ; we go back a bit to try to catch phish sitting idle in the inbox | ||
| relative_duration_before = 72:00:00 | ||
| relative_duration_after = 02:00:00 | ||
|
|
||
| ; the following is a list of comma-separated domains that are aliased together | ||
| ; so if a user's email address domain matches on of these then the entire group is searched with "OR" clause | ||
| ; for example, [email protected] would search for [email protected] OR [email protected] | ||
| ; each of these configuration items must start with map_ at the beginning of the name | ||
| ;map_company_1 = teamcompany.onmicrosoft.com,company.com | ||
|
|
||
| [analysis_module_vpn_analyzer] | ||
| module = saq.modules.vpn_analysis | ||
| class = VPNAnalyzer | ||
| enabled = yes | ||
| semaphore = splunk | ||
|
|
||
| ; we need to look way back and after to see when they logged in and off | ||
| relative_duration_before = 24:00:00 | ||
| relative_duration_after = 24:00:00 | ||
|
|
||
| [analysis_module_email_history_analyzer_v1] | ||
| module = saq.modules.email | ||
| class = EmailHistoryAnalyzer_v1 | ||
| enabled = no | ||
| semaphore = splunk | ||
| ; we go back a bit to try to catch phish sitting idle in the inbox | ||
| relative_duration_before = 72:00:00 | ||
| relative_duration_after = 02:00:00 | ||
|
|
||
| [module_group_correlation] | ||
| analysis_module_bluecoat_analysis_by_dst_v1 = yes | ||
| analysis_module_bluecoat_analysis_by_src_v1 = yes | ||
| analysis_module_carbon_black_netconn_source_analysis = yes | ||
| analysis_module_dlp_process = yes | ||
| analysis_module_dlp_process_hash_analysis_v1 = yes | ||
| analysis_module_dns_request_analysis_v1 = yes | ||
| analysis_module_email_history_analyzer_v1 = no | ||
| analysis_module_email_history_analyzer_v2 = yes | ||
| analysis_module_exploit_kit_proxy_analyzer = yes | ||
| analysis_module_pan_snort_correlation = yes | ||
| analysis_module_pan_threats = yes | ||
| analysis_module_snort = yes | ||
| analysis_module_squid = no | ||
| analysis_module_symantec = yes | ||
| analysis_module_vpn_analyzer = yes |