Предопределенный плейбук "Расследование. Сработавшие правила с одной и той же учетной записью" позволяет идентифицировать другие правила корреляции, для которых сработала та же учетная запись в пределах указанного временного интервала для текущего алерта. Плейбук запрашивает у KUMA правила, в которых одно и то же имя пользователя отображается в полях SourceUserName или DestinationUserName, и добавляет комментарий к алерту, помогая оценить, вовлечена ли учетная запись в более широкую вредоносную деятельность.
Перед использованием плейбука вам нужно скачать скрипты и список зависимостей, которые требуются для правильной работы плейбука.
.OriginalEvents | map(select(.Type == 3)) | map(.ExternalID) - ["R050_01", "R050_04", "R050_05", "R050_07", "R058_03", "R061_01", "R061_03", "R061_05", "R062_01", "R062_03", "R063_01", "R063_03", "R076_05", "R082_01", "R082_02", "R082_09", "R082_12", "R083_01", "R083_03", "R083_05", "R083_07", "R083_09", "R083_10", "R083_13", "R084_01", "R084_02", "R084_04", "R087_04", "R089_05", "R089_07", "R093_03", "R093_14", "R093_18", "R093_31", "R098_01", "R098_02", "R099_01", "R099_02", "R099_03", "R099_04", "R099_05", "R099_07", "R100_01", "R100_03", "R101_01", "R101_03", "R102_02", "R103_02", "R104_01", "R105_01", "R105_02", "R105_03", "R106_02", "R107_02", "R107_03", "R107_04", "R108_02", "R109_02", "R110_04", "R110_05", "R110_06", "R110_07", "R111", "R150_01", "R150_02", "R151", "R152_01", "R152_02", "R152_03", "R152_04", "R152_05", "R152_06", "R152_07", "R152_09", "R152_10", "R152_11", "R152_12", "R152_13", "R154_03", "R154_06", "R154_09", "R211_01", "R220_02", "R220_04", "R220_05", "R220_06", "R221_01", "R221_04", "R222_02", "R222_03", "R222_04", "R223_02", "R223_03", "R224_02", "R224_03", "R224_08", "R224_12", "R224_13", "R224_14", "R224_17", "R224_18", "R224_19", "R224_20", "R224_21", "R225_03", "R225_05", "R226_02", "R226_03", "R227_02", "R228_01", "R228_02", "R229_01", "R230_02", "R231_02", "R231_03", "R231_04", "R232", "R233_01", "R233_04", "R240_01", "R240_02", "R240_05", "R250", "R270", "R280_01", "R280_02", "R280_03", "R280_04", "R282_01", "R282_02", "R283_01", "R283_02", "R283_03", "R285_01", "R285_02", "R286_02", "R287_01", "R287_02", "R288_01", "R288_02", "R288_03", "R289_02", "R290_01", "R290_02", "R290_03", "R290_04", "R290_05", "R290_06", "R290_07", "R290_08", "R290_09", "R291_01", "R291_02", "R291_03", "R291_04", "R291_05", "R291_06", "R292_01", "R292_02", "R293_01", "R293_02", "R293_03", "R293_04", "R294_01", "R294_03", "R294_04", "R295_01", "R295_02", "R296_01", "R296_02", "R296_03", "R296_04", "R296_05", "R296_06", "R296_07", "R296_08", "R296_09", "R296_10", "R296_11", "R296_12", "R296_13", "R296_14", "R296_15", "R296_16", "R296_17", "R296_18", "R296_19", "R296_22", "R297", "R298", "R299", "R300_01", "R300_02", "R300_03", "R300_04", "R301_01", "R301_02", "R302_01", "R302_03", "R320", "R321", "R330", "R350_02", "R350_04", "R350_07", "R410_03", "R411_01", "R412_01", "R414_01", "R415_01", "R418_02", "R419_01", "R419_02", "R419_03", "R419_04", "R422_01", "R423_02", "R423_03", "R427_01", "R427_04", "R432_02", "R436_02", "R438_01", "R438_02", "R441", "R442", "R050_06", "R058_04", "R061_10", "R082_03", "R082_04", "R082_13", "R083_06", "R083_12", "R089_08", "R099_08", "R152_08", "R209_05", "R211_02", "R224_06", "R224_07", "R224_10", "R224_15", "R231_05", "R231_06", "R231_07", "R231_08", "R231_10", "R282_03", "R286_01", "R286_03", "R286_04", "R286_05", "R302_04", "R302_05", "R302_06", "R405_01", "R405_02", "R405_04", "R412_02", "R413_01", "R416_01", "R418_01", "R422_02", "R423_01", "R427_02", "R429_01", "R430_01", "R433_01", "R433_02", "R433_03", "R433_04", "R433_06", "R434_01", "R434_02", "R434_03", "R434_04", "R435_05", "R436_01", "R436_03", "R443"] | length == 0
{
"dslSpecVersion": "1.1.0",
"version": "1",
"actionsSpecVersion": "1",
"input": "${ {\"workdir\": \"/opt/xdr_scripts\", \"timewindow\": \"86400\"} }",
"executionFlow": [
{
"decision": {
"conditions": [
{
"name": "SourceUserName is defined",
"condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .SourceUserName != \"\" and .SourceUserName != \"-\" }",
"steps": [
{
"action": {
"function": {
"type": "executeCustomScript",
"params": {
"commandLine": "${ [ \"./kuma_events.py \" , \"rules_same_username \" , ( [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .SourceUserName ) , \" \" , (alert.OriginalEvents[0] | .Timestamp | tostring) , \" \", (.timewindow) ] | add }",
"workingDirectory": "${ .workdir }",
"stdIn": ""
}
},
"output": {
"filter": "${ {rules_same_username: .} }",
"action": "merge"
},
"onError": "stop"
}
},
{
"action": {
"function": {
"type": "addCommentToAlert",
"params": {
"text": "${ \"Account \" + ( .rules_same_username.details.stdOut | fromjson | .[0] | .SourceUserName ) + \" was found in the following triggered correlation rules before and after 24h around the alert:\n\" + ([ .rules_same_username.details.stdOut | fromjson | .[] | \"──> \" + .Name ] | unique | join(\"\n\")) }"
}
},
"onError": "stop"
}
}
]
}
]
}
},
{
"decision": {
"conditions": [
{
"name": "DestinationUserName is defined and is not equal SourceUserName",
"condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationUserName != \"\" and .DestinationUserName != \"-\" and .DestinationUserName != .SourceUserName }",
"steps": [
{
"action": {
"function": {
"type": "executeCustomScript",
"params": {
"commandLine": "${ [ \"./kuma_events.py \" , \"rules_same_username \" , ( [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationUserName ) , \" \" , (alert.OriginalEvents[0] | .Timestamp | tostring) , \" \", (.timewindow) ] | add }",
"workingDirectory": "${ .workdir }",
"stdIn": ""
}
},
"output": {
"filter": "${ {rules_same_username: .} }",
"action": "merge"
},
"onError": "stop"
}
},
{
"action": {
"function": {
"type": "addCommentToAlert",
"params": {
"text": "${ \"Account \" + ( .rules_same_username.details.stdOut | fromjson | .[0] | .DestinationUserName ) + \" was found in the following triggered correlation rules before and after 24h around the alert:\n\" + ([ .rules_same_username.details.stdOut | fromjson | .[] | \"──> \" + .Name ] | unique | join(\"\n\")) }"
}
},
"onError": "stop"
}
}
]
}
]
}
}
]
}