From 13d53d5da3e3a578521942184bb8f477135f2718 Mon Sep 17 00:00:00 2001 From: Adebayo Paul Oke Date: Sun, 8 Sep 2024 21:10:38 -0400 Subject: [PATCH 1/2] Create codeql.yml --- .github/workflows/codeql.yml | 90 ++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..8e1a1e3 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,90 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + schedule: + - cron: '16 10 * * 0' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From 14d020836987dd1b5fda9d33f8eab40332f90759 Mon Sep 17 00:00:00 2001 From: Adebayo Paul Oke Date: Mon, 30 Sep 2024 01:34:11 -0400 Subject: [PATCH 2/2] Update CODE_OF_CONDUCT.md --- CODE_OF_CONDUCT.md | 190 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 186 insertions(+), 4 deletions(-) diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 5b627cf..1d4f95b 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,4 +1,186 @@ -## Code of Conduct -This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). -For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact -opensource-codeofconduct@amazon.com with any additional questions or comments. +Lexxy2422 + +SIEM integrations with enterprise-grade logical +SIEM-specific configurations for enhanced detection and automated incident response. Below, I’ll outline a complete architecture for high-security environments, using **Elastic Stack**, **Splunk**, and **QRadar** with complex detection rules and multi-stage attack pattern matching. + +### **1. Advanced SIEM Detection: Multi-Stage Attack Detection using MITRE ATT&CK** +This solution monitors for a sequence of behaviors based on the MITRE ATT&CK framework. For example, it can detect a potential attack chain comprising `Initial Access → Privilege Escalation → Lateral Movement + +Python + Splunk Implementation: Multi-Stage Detection with Correlation Analysis** + +Features: +- Correlates multiple suspicious events across different logs. +- Uses state-based detection (maintains attack context). +- Sends alerts to SIEM or triggers automated playbooks. + +python +import requests +import json +import time +from datetime import datetime, timedelta + + Splunk Configuration +splunk_url = "https://splunk-server:8089/services/search/jobs" +splunk_token = "YOUR_SPLUNK_API_TOKEN" +headers = {"Authorization": f"Bearer {splunk_token}"} + +MITRE ATT&CK Stages +attack_chain = { + "Initial Access": {"query": "search index=main sourcetype=windows:security EventCode=4625", "state": False, "timestamp": None}, + "Privilege Escalation": {"query": "search index=main sourcetype=windows:security EventCode=4672", "state": False, "timestamp": None}, + "Lateral Movement": {"query": "search index=main sourcetype=windows:security EventCode=4624", "state": False, "timestamp": None} +} + + Define the correlation window (e.g., 30 mins) +correlation_window = timedelta(minutes=30) + +Function to execute Splunk queries +def splunk_query(query): + payload = {"search": query, "output_mode": "json"} + response = requests.post(splunk_url, headers=headers, data=payload, verify=False) + if response.status_code == 201: + job_id = response.json()["sid"] + return job_id + else: + print(f"[!] Splunk query failed: {response.text}") + return None + +Function to check for attack stages in the logs +def check_attack_stage(stage): + job_id = splunk_query(attack_chain[stage]["query"]) + if job_id: + # Check job status + status_url = f"{splunk_url}/{job_id}/results" + time.sleep(5) # Allow some time for Splunk to process the query + response = requests.get(status_url, headers=headers, verify=False) + if response.status_code == 200: + results = response.json()["results"] + if results: + attack_chain[stage]["state"] = True + attack_chain[stage]["timestamp"] = datetime.utcnow() + print(f"[+] Stage '{stage}' detected at {attack_chain[stage]['timestamp']}.") + else: + print(f"[!] Failed to get results for job {job_id}") + else: + print("[!] No job ID returned for the query.") + +Function to correlate multi-stage attacks +def correlate_attack_chain(): + print("[*] Correlating attack stages based on MITRE ATT&CK framework...") + initial_access = attack_chain["Initial Access"]["timestamp"] + privilege_escalation = attack_chain["Privilege Escalation"]["timestamp"] + lateral_movement = attack_chain["Lateral Movement"]["timestamp"] + + if all([initial_access, privilege_escalation, lateral_movement]): + if (privilege_escalation - initial_access) <= correlation_window and (lateral_movement - privilege_escalation) <= correlation_window: + print("[!] Multi-stage attack detected! Possible APT detected.") + # Trigger alert or automated response + alert_payload = { + "time": str(datetime.utcnow().timestamp()), + "event": "Multi-stage attack detected. Potential APT activity.", + "attack_chain": attack_chain + } + requests.post(splunk_url, headers=headers, data=json.dumps(alert_payload)) + reset_attack_chain() # Reset after detection + else: + print("[*] No correlation found within the given time window.") + else: + print("[*] Waiting for all attack stages to be detected...") + +Function to reset the attack chain state +def reset_attack_chain(): + for stage in attack_chain: + attack_chain[stage]["state"] = False + attack_chain[stage]["timestamp"] = None + +Main logic loop to periodically check each stage +while True: + for stage in attack_chain: + if not attack_chain[stage]["state"]: + check_attack_stage(stage) + correlate_attack_chain() + time.sleep(60) # Run the detection loop every 60 seconds + + +Key Points: +1. Correlates Events : Matches behavior patterns across different events (e.g., failed logins, privilege escalation). +2. Alerts on Complete Chain: Only triggers when all stages are met, reducing false positives. +3. Splunk Automation: Sends alerts to Splunk’s alerting module or triggers response actions. + + +2. Advanced Network Threat Detection with ML Integration (Python + Zeek + Scikit-Learn) +Use machine learning to analyze network traffic logs for anomalies that traditional rules might miss. This script uses Zeek’s network logs and Scikit-Learn’s anomaly detection models. + +Features: +- Detects anomalous network patterns (e.g., data exfiltration). +- Uses unsupervised learning to adapt to changing environments. +- Can automatically tune its model based on new data. + +python +import os +import json +import time +import joblib +import numpy as np +from sklearn.ensemble import IsolationForest +from elasticsearch import Elasticsearch + +# Define paths and files +zeek_log_dir = "/opt/zeek/logs/current" +http_log_file = os.path.join(zeek_log_dir, "http.log") + +ElasticSearch Configuration +es = Elasticsearch(["https://elastic-server:9200"], http_auth=('elastic', 'password'), verify_certs=False) +index_name = "network-anomalies" + +Load pre-trained ML model or train a new one +model_path = "/opt/siem/ml_model/isolation_forest.joblib" +if os.path.exists(model_path): + print("[*] Loading pre-trained anomaly detection model...") + model = joblib.load(model_path) +else: + print("[*] Training a new anomaly detection model...") + model = IsolationForest(contamination=0.01) # Set contamination rate for anomalies + +Function to extract network features from Zeek logs +def extract_features(http_log): + features = [] + # Example features: Request size, response size, duration + features.append(int(http_log.get("request_body_len", 0))) + features.append(int(http_log.get("response_body_len", 0))) + features.append(float(http_log.get("duration", 0.0))) + return np.array(features).reshape(1, -1) + +Monitor Zeek logs for new entries +def detect_anomalies(): + print("[*] Monitoring Zeek HTTP logs for anomalies...") + with open(http_log_file, "r") as log_file: + for line in log_file: + try: + # Parse JSON-formatted log entries + http_log = json.loads(line) + features = extract_features(http_log) + # Predict if the current log is an anomaly + prediction = model.predict(features) + if prediction == -1: # Anomalous entry + print(f"[!] Anomalous traffic detected: {http_log}") + es.index(index=index_name, body=http_log) # Send alert to Elastic + except json.JSONDecodeError: + continue + +Start monitoring for network anomalies +detect_anomalies() + + +Key Points : +1. ML-Based Detection : Uses IsolationForest to flag outliers in network behavior. +2. Feature Engineering: Extracts specific features like request size, response size, and duration. +3. SIEM Integration : Pushes alerts to Elastic for correlation with other data sources. + +Next Steps: +- Refine Models: Use a larger dataset to train more sophisticated models (e.g., clustering or deep learning). +- Expand MITRE ATT&CK Coverage: Integrate other ATT&CK techniques for comprehensive detection. +- SIEM Orchestration: Add automation playbooks for response (e.g., quarantine devices). + +Need further enhancements or integration? Let me know which area to drill into next! +