Stealth Intercept Parsing - Incorrect Sourcetypes

Open mmizener opened this issue 2 years ago • 2 comments

The parser app-syslog-stealthbits_stealthintercept_alerts.conf is not assigning the StealthINTERCEPT:alerts sourcetype. Sample event:

StealthINTERCEPT - SI Analytics_Brute Force Attack - Severity=Warning Component=4 OrigServer=REDACTEDHOST usrName=SVC-Stealthbits UserName= UserSID= Started=May 03 01:26:00 Ended=May 03 04:58:00 NumberOfLogins=1940 UsedLoginProtocols=Kerberos AttackingHost=(UNKNOWN) 192.168.30.3 AttackingHostIp=192.168.30.3 AttackedHost=DA6PCDC01.OCM.ORIXUSA.CORP AttackedHostIp=10.230.200.11 AlertText=Activity still in process.Attacking Host: (UNKNOWN) 192.168.30.3; Attacked Host: REDACTEDHOST.ABC.EFG.CORP; Attack started: 5/3/2022 1:26:00 AM; Last activity: 5/3/2022 4:58:00 AM; Number of attempts: 1940

The REGEX in filter application app-syslog-stealthbits_stealthintercept_alerts[sc4s-syslog] matches the above event.

The parser for standard StealthINTERCEPT events is dropping logs into the main index with the sc4s:fallback sourcetype. Sample event:

PRI=13 MESSAGE=REDACTEDHOST01 StealthINTERCEPT - Active Directory Object Modified - PolicyName="All AD Changes" Domain="ABC" Server="ABC\EFGHOST01" ServerAddress="10.4.200.11" Perpetrator="ABC\ANONYMOUS LOGON" ClientHost="ABCHOST01.CDE.EFG.CORP" ClientAddress="10.4.200.11" TargetHost="n/a" TargetHostIP="n/a" ModifiedObject="n/a" DistinguishedName="CN=XYZ,CN=Sites,CN=Configuration,DC=ABC,DC=CORP" ObjectClass="site" SuccessfulChange="True" BlockedEvent="False" AttributeName="msDS-BridgeHeadServersUsed" Operation="Change Attribute" NewAttributeValue="CN=NTDS Settings,CN=EFGHOST01,CN=Servers,CN=EFGHOST01,CN=Sites,CN=Configuration,DC=CORPUSA,DC=CORP | GUID = {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} | SID = X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX 0x14 0x00 0x00 0x00 0x46 0x66 0x7b 0x4d 0xae 0x24 0x9b 0x4a 0xb7 0x55 0x0c 0x5f 0xa2 0xf4 0xc2 0xab" OldAttributeValue=""

Thank you.

mmizener avatar May 06 '22 15:05 mmizener
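As an added illustration for the two message shapes quoted in this issue (this is not code from the SC4S project or from the reporter), the following Python script parses both StealthINTERCEPT formats and shows how a filter can tell them apart: the analytics alert body is unquoted key=value text whose values contain spaces, while the standard event body is quoted Key="value" text whose values may contain backslashes, pipes and even "=". The sample events are constructed from the redacted ones above; the raw syslog form of the second one (a "<13>" PRI followed by the relay hostname), the use of the "SI Analytics" prefix as the alert discriminator, and the sourcetype names StealthINTERCEPT and sc4s:fallback for the non-alert and unmatched cases are assumptions for this example, not SC4S's actual filter logic.

```python
import re
from typing import Dict, Optional

# Constructed samples, trimmed and re-redacted from the two events quoted in
# this issue. The raw syslog form of the second one ("<13>" PRI plus the relay
# hostname in front) is an assumption: the issue only shows SC4S's
# "PRI=13 MESSAGE=..." rendering of it.
ALERT_EVENT = (
    "StealthINTERCEPT - SI Analytics_Brute Force Attack - Severity=Warning "
    "Component=4 OrigServer=REDACTEDHOST usrName=SVC-Stealthbits UserName= "
    "UserSID= Started=May 03 01:26:00 Ended=May 03 04:58:00 NumberOfLogins=1940 "
    "UsedLoginProtocols=Kerberos AttackingHost=(UNKNOWN) 192.168.30.3 "
    "AttackingHostIp=192.168.30.3 AttackedHost=DC01.EXAMPLE.CORP "
    "AttackedHostIp=10.230.200.11 AlertText=Activity still in process."
    "Attacking Host: (UNKNOWN) 192.168.30.3; Attacked Host: DC01.EXAMPLE.CORP; "
    "Attack started: 5/3/2022 1:26:00 AM; Number of attempts: 1940"
)
STANDARD_EVENT = (
    r'<13>REDACTEDHOST01 StealthINTERCEPT - Active Directory Object Modified - '
    r'PolicyName="All AD Changes" Domain="ABC" Server="ABC\EFGHOST01" '
    r'ServerAddress="10.4.200.11" Perpetrator="ABC\ANONYMOUS LOGON" '
    r'ClientHost="ABCHOST01.CDE.EFG.CORP" ObjectClass="site" '
    r'SuccessfulChange="True" BlockedEvent="False" Operation="Change Attribute" '
    r'NewAttributeValue="CN=NTDS Settings,CN=EFGHOST01 | GUID = {X} | SID = X" '
    r'OldAttributeValue=""'
)

# Header shared by both shapes: optional syslog <PRI>, optional hostname,
# the literal "StealthINTERCEPT - ", an event name, " - ", then the body.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<host>\S+)\s+)?"
    r"StealthINTERCEPT - (?P<event>.+?) - (?P<body>.*)$"
)

# One pattern for both body styles. A quoted value is taken verbatim up to the
# closing quote (so "=" inside NewAttributeValue is not mistaken for a new
# key); an unquoted value runs, non-greedily, until the next " Key=" token or
# the end of the line, which is what keeps "May 03 01:26:00" or
# "(UNKNOWN) 192.168.30.3" together as a single value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|$)')


def parse_stealthintercept(raw: str) -> Optional[Dict[str, object]]:
    """Return header fields, assumed sourcetype and parsed body, or None."""
    m = HEADER_RE.match(raw.strip())
    if m is None:
        return None
    event = m.group("event")
    fields: Dict[str, str] = {
        key: quoted if quoted else bare
        for key, quoted, bare in KV_RE.findall(m.group("body"))
    }
    # Assumed routing rule (not SC4S's own filter): analytics alerts carry the
    # "SI Analytics" prefix in the event name; anything else is a standard
    # StealthINTERCEPT event.
    sourcetype = (
        "StealthINTERCEPT:alerts" if event.startswith("SI Analytics")
        else "StealthINTERCEPT"
    )
    return {
        "pri": int(m.group("pri")) if m.group("pri") else None,
        "host": m.group("host"),
        "event": event,
        "sourcetype": sourcetype,
        "fields": fields,
    }


def sourcetype_for(raw: str) -> str:
    """Sourcetype a message would get; unmatched messages fall back."""
    parsed = parse_stealthintercept(raw)
    return str(parsed["sourcetype"]) if parsed else "sc4s:fallback"


if __name__ == "__main__":
    # Third line is a constructed non-StealthINTERCEPT message to show fallback.
    for raw in (ALERT_EVENT, STANDARD_EVENT, "<13>host sshd[1]: not an SI event"):
        parsed = parse_stealthintercept(raw)
        print(sourcetype_for(raw), "<-", parsed["event"] if parsed else "(no match)")
```

Running the script prints StealthINTERCEPT:alerts for the brute-force alert, StealthINTERCEPT for the AD change event and sc4s:fallback for the unrelated line. The practical point for a filter like app-syslog-stealthbits_stealthintercept_alerts is that the two bodies cannot share one naive key=value extraction: a pattern written for the quoted form finds nothing in the alert body, and one written for the unquoted form splits the quoted NewAttributeValue at its embedded "=".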

We need the message before parsing as well, with PRI and all. Can you please capture it in tcpdump, sanitise it and share it here?

rjha-splunk avatar May 11 '22 13:05 rjha-splunk

The tcpdump data contains host/domain details that cannot be masked without corrupting the entire pcap. Is there another method of getting the details you need?

mmizener avatar May 20 '22 19:05 mmizener

@mmizener, We didn't hear anything from you on this issue. We are closing this issue for now.

Feel free to reach out in case of any further queries.

bparmar-splunk avatar Jan 04 '23 09:01 bparmar-splunk