From 6dd85fc5b0b6d87fecefe6bb832c5263c70ba2f9 Mon Sep 17 00:00:00 2001 
From: Tommy Date: Mon, 13 May 2024 17:13:54 +0200 Subject: [PATCH] feat(timesketch): add TLS CA option, copy in conf, change web container port to 8080, update default configs --- charts/timesketch/Chart.yaml | 2 +- charts/timesketch/README.md | 8 + .../timesketch/configs/bigquery_matcher.yaml | 24 +++ charts/timesketch/configs/context_links.yaml | 64 +++++++ charts/timesketch/configs/data_finder.yaml | 105 +++++++++++ .../configs/dfiq/approaches/Q0001.01.yaml | 57 ++++++ .../configs/dfiq/approaches/Q0001.02.yaml | 24 +++ .../configs/dfiq/approaches/Q0002.01.yaml | 24 +++ .../configs/dfiq/approaches/Q0003.01.yaml | 18 ++ .../configs/dfiq/approaches/Q0003.02.yaml | 25 +++ .../configs/dfiq/approaches/Q0004.01.yaml | 24 +++ .../configs/dfiq/approaches/Q0005.01.yaml | 24 +++ .../configs/dfiq/approaches/Q0006.01.yaml | 24 +++ .../timesketch/configs/dfiq/facets/F0001.yaml | 8 + .../timesketch/configs/dfiq/facets/F0002.yaml | 8 + .../configs/dfiq/questions/Q0001.yaml | 11 ++ .../configs/dfiq/questions/Q0002.yaml | 13 ++ .../configs/dfiq/questions/Q0003.yaml | 18 ++ .../configs/dfiq/questions/Q0004.yaml | 16 ++ .../configs/dfiq/questions/Q0005.yaml | 19 ++ .../configs/dfiq/questions/Q0006.yaml | 19 ++ .../configs/dfiq/questions/Q0007.yaml | 16 ++ .../configs/dfiq/scenarios/S0001.yaml | 13 ++ charts/timesketch/configs/regex_features.yaml | 176 +++++++++--------- .../timesketch/configs/scenarios/facets.yaml | 35 ++++ .../configs/scenarios/questions.yaml | 120 ++++++++++++ .../configs/scenarios/scenarios.yaml | 23 +++ .../configs/sigma/rules/lnx_susp_zmap.yml | 22 +++ .../sigma/rules/win_powershell_susp_1.yaml | 20 ++ .../sigma/rules/win_suspicious_keywords.yml | 21 +++ .../templates/deployment-frontend.yaml | 14 +- .../templates/deployment-worker.yaml | 14 +- charts/timesketch/templates/service.yaml | 2 +- charts/timesketch/values.yaml | 4 + 34 files changed, 919 insertions(+), 96 deletions(-) create mode 100644 charts/timesketch/README.md create mode 100644 
charts/timesketch/configs/bigquery_matcher.yaml create mode 100644 charts/timesketch/configs/data_finder.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0001.01.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0001.02.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0002.01.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0003.01.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0003.02.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0004.01.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0005.01.yaml create mode 100644 charts/timesketch/configs/dfiq/approaches/Q0006.01.yaml create mode 100644 charts/timesketch/configs/dfiq/facets/F0001.yaml create mode 100644 charts/timesketch/configs/dfiq/facets/F0002.yaml create mode 100644 charts/timesketch/configs/dfiq/questions/Q0001.yaml create mode 100644 charts/timesketch/configs/dfiq/questions/Q0002.yaml create mode 100644 charts/timesketch/configs/dfiq/questions/Q0003.yaml create mode 100644 charts/timesketch/configs/dfiq/questions/Q0004.yaml create mode 100644 charts/timesketch/configs/dfiq/questions/Q0005.yaml create mode 100644 charts/timesketch/configs/dfiq/questions/Q0006.yaml create mode 100644 charts/timesketch/configs/dfiq/questions/Q0007.yaml create mode 100644 charts/timesketch/configs/dfiq/scenarios/S0001.yaml create mode 100644 charts/timesketch/configs/scenarios/facets.yaml create mode 100644 charts/timesketch/configs/scenarios/questions.yaml create mode 100644 charts/timesketch/configs/scenarios/scenarios.yaml create mode 100644 charts/timesketch/configs/sigma/rules/lnx_susp_zmap.yml create mode 100644 charts/timesketch/configs/sigma/rules/win_powershell_susp_1.yaml create mode 100644 charts/timesketch/configs/sigma/rules/win_suspicious_keywords.yml diff --git a/charts/timesketch/Chart.yaml b/charts/timesketch/Chart.yaml index 3f919a5..5e844dd 100644 
--- a/charts/timesketch/Chart.yaml +++ b/charts/timesketch/Chart.yaml @@ -4,7 +4,7 @@ description: | A toolset of DFIR tools appVersion: "20240508" type: application -version: 0.1.2 +version: 0.1.3 maintainers: - name: Tommy Skaug email: tommy@skaug.me diff --git a/charts/timesketch/README.md b/charts/timesketch/README.md new file mode 100644 index 0000000..9cf8b13 --- /dev/null +++ b/charts/timesketch/README.md @@ -0,0 +1,8 @@ + + +## Debugging + +```sh +task flux:sync +kubectl annotate es timesketch-conf force-sync=$(date +%s) --overwrite -n sec-forensics +``` diff --git a/charts/timesketch/configs/bigquery_matcher.yaml b/charts/timesketch/configs/bigquery_matcher.yaml new file mode 100644 index 0000000..fd0de6d --- /dev/null +++ b/charts/timesketch/configs/bigquery_matcher.yaml @@ -0,0 +1,24 @@ +# +# Configuration file for the BigQuery matcher analyzer plugin. +# +# You can configure several matchers. They should look like this: +# +# matcher_name: +# event_field_name: sha256_hash +# bq_project: 'project_name' +# bq_query: 'SELECT DISTINCT hash FROM project.dataset.tablename WHERE hash IN UNNEST(@sha256_hash)' +# tags: ['bigquery-sha256-match'] +# emojis: ['SKULL'] +# +# The fields are used as follows: +# * matcher_name: Name for the matcher entry. +# * event_field_name: Field name in a Timesketch event that you want to match against. +# * bq_project: Google Cloud Project you want to run the BigQuery job under. +# * bq_query: Query that is used to match Timesketch events. Results from this query +# will be tagged. Match the "IN UNNEST(@sha256_hash)" part to your event_field_name. +# This example would tag any Timesketch events which have a "sha256_hash" field that +# has a matching row in BigQuery in the "hash" column. +# * tags: Tags to apply for matching Timesketch events. +# * emojis: Emojis to add for matching Timesketch events. +# + 
diff --git a/charts/timesketch/configs/context_links.yaml b/charts/timesketch/configs/context_links.yaml
index 446d396..ad16595 100644
--- a/charts/timesketch/configs/context_links.yaml
+++ b/charts/timesketch/configs/context_links.yaml
@@ -1,3 +1,67 @@ +# ------------------------------------------------------------------------ +# -- CONTEXT LINKS -- +# ------------------------------------------------------------------------ +# +# This is a config file to define context links for event attributes. +# Documentation: https://timesketch.org/guides/admin/context-links/ +# +# There are two types of context links: +# +# 1. Hardcoded modules: These are modules that are hardcoded into Timesketch. +# The config is used to define the match fields for the module. +# +# module_name: +# +# match_fields: Type: list[str] | List of field keys where +# this context link should be available. Will +# be checked as case insensitive! +# +# validation_regex: Type: str | OPTIONAL +# A regex pattern that needs to be +# matched by the field value to to make the +# context link available. This can be used to +# validate the format of a value (e.g. a hash). +# +# Currnetly supported modules are: +# - XML formatter: Displays a formatted XML in a pop-up dialog. +# - Unfurl graph: Displays a graph of an URL using unfurl results. +# +# 2. External services: These are context links that are defined by each admin. +# Those links use external services to provide additional information about the +# attribute value. +# +# context_link_name: +# +# short_name: Type: str | The name for the context link. +# Will be displayed in the context link submenu. +# +# match_fields: Type: list[str] | List of field keys where +# this context link should be available. Will +# be checked as case insensitive! +# +# validation_regex: Type: str | OPTIONAL +# A regex pattern that needs to be +# matched by the field value to to make the +# context link available. This can be used to +# validate the format of a value (e.g. a hash). +# +# context_link: Type: str | The link that will be opened in a +# new tab when the context link is clicked. +# IMPORTANT: Add the placeholder "" +# where the attribute value should be inserted +# into the link. 
+# +# redirect_warning: [TRUE]: If the context link is clicked it will +# open a pop-up dialog first that asks the +# user if they would like to proceed to +# the linked page. (Recommended for +# external pages.) +# [FALSE]: The linked page will be opened without +# any pop-up. (Recommended for internal +# pages.) +# +# ------------------------------------------------------------------------ +## Hardcoded Modules hardcoded_modules: ### format xml dialog xml_formatter: diff --git a/charts/timesketch/configs/data_finder.yaml b/charts/timesketch/configs/data_finder.yaml new file mode 100644 index 0000000..9f71a04 --- /dev/null +++ b/charts/timesketch/configs/data_finder.yaml 
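Review bot: The `context_link` documentation in the added header says `IMPORTANT: Add the placeholder ""` but the placeholder token itself is empty, so an admin reading this file cannot tell which marker to put into the link where the attribute value is substituted; the token looks like it was lost in transit (possibly an angle-bracketed tag stripped on the way in), so restore it from the upstream Timesketch context_links.yaml rather than guessing. Two typos in the same comment block: `Currnetly supported modules are:` → `Currently supported modules are:`, and `to to make the context link available` (appears twice) → `to make the context link available`. The `redirect_warning` description uses `[TRUE]`/`[FALSE]`; since this file is loaded as YAML, documenting the canonical `true`/`false` spellings would avoid readers copying the uppercase forms. The `hardcoded_modules:` mapping that closes the hunk continues outside it.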
@@ -0,0 +1,105 @@ +# Config file for analyzing data to detect whether data sources +# are present in the data set or not. +# +# Each analyzer definition in this file defines sets of requirements +# that are needed to determine if a certain type of data is present +# in the sketch. In addition to the parameters given in this definition +# start and end time are defined as parameters to the data analyzer +# to further limit the data set that is searched. +# +# The analyzer is simple, it runs the query, which is defined either as a +# query_string or a query_dsl. Then a particular field or an attribute +# of the resulting data set is fetched and compared against a regular +# expression. If there is a match in the regular expression then a True +# value is returned, and that data is considered to be part of the +# overall dataset for that time period, otherwise False is returned and +# we assume that data is missing from the total dataset. +# +# These are the available fields: +# description Simple string that provides a bit more description +# of the data that is being analyzed. +# +# notes A message that may be displayed to the user if the +# data source is not present in the dataset, perhaps +# helpful hints on where the data is defined, how to +# collect it, or how to add it to Timesketch. +# +# query_string A query string (OpenSearch Query String) that +# defines the search string that will be used to find +# data within the dataset. This is the same search +# string as can be found in the Web UI of Timesketch. +# +# query_dsl A query DSL (OpenSearch Query DSL) that defines the +# full query DSL that is used to find data within the +# the dataset. Each data analyzer needs to define +# either a query_string or a query_dsl. If both are +# defined the query_string is used and query_dsl +# is ignored. +# +# attribute The attribute or field that will be further +# inspected by a regular expression in order to +# determine if the data exists within the dataset. 
+# +# regular_expression The regular expression that is run on the data from +# the field or the attribute that is fetched from the +# the attribute definition. +# +# re_flags Each regular expression can define a flag, which is +# a list of flags as strings from the re module. +# These include: +# - DEBUG +# - DOTALL +# - IGNORECASE +# - LOCALE +# - MULTILINE +# - TEMPLATE +# - UNICODE +# - VERBOSE +# +# re_parameters A regular expression may also contain a variable +# that can be replaced by a user supplied value, +# eg. 'http(s)?://{domain}' to further check for +# a particular value. If and only if a re_parameters +# value is set then all values in the RE that are +# within curly brackets ({}) are replaced with the +# user supplied value. Only string values are +# supported for now. +# +# Example: +# +# windows_administrator_login: +# description: Login information for Administrator in Windows EVTX files. +# notes: Collect the SECURITY.EVTX log from a Windows machine. +# query_string: data_type:"windows:evtx:record" AND event_identifier:4624 +# attribute: username +# regular_expression: "^Administrator" + +# ------------------------------------------------------------------------ +windows_administrator_login: + description: Login information for Administrator in Windows EVTX files. + notes: Collect the SECURITY.EVTX log from a Windows machine. + query_string: data_type:"windows:evtx:record" AND event_identifier:4624 + attribute: username + regular_expression: "^Administrator" + +windows_login: + description: Login information in Windows EVTX files. + notes: Collect the SECURITY.EVTX log from a Windows machine. + query_string: data_type:"windows:evtx:record" AND event_identifier:4624 + +browser_history: + description: Browser history information. + notes: Collect browser history and parse using plaso or make source and url fields are set. 
+ query_string: source_short:"WEBHIST" OR source:"WEBHIST" + attribute: url + regular_expression: "https?://" + +windows_event_log_specific_computer: + description: + notes: Collect + query_string: data_type:"windows:evtx:record" + attribute: computer_name + regular_expression: "{computer_name}" + re_flags: [IGNORECASE] + re_parameters: + - computer_name diff --git a/charts/timesketch/configs/dfiq/approaches/Q0001.01.yaml b/charts/timesketch/configs/dfiq/approaches/Q0001.01.yaml new file mode 100644 index 0000000..c4b1dd6 --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0001.01.yaml 
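Review bot: The `windows_event_log_specific_computer` entry at the end of the file ships with an empty `description:` and a truncated `notes: Collect`, and the header above says `notes` is exactly the text shown to users when the data is missing, so both should be completed, e.g. `description: Windows Event Log records from a user-specified computer.` and `notes: Collect the Windows EVTX logs from the named machine and supply its computer_name as a parameter.`. A bare `description:` also parses as null rather than an empty string, which a consumer expecting a str may not handle. Separately, the header documents that `re_parameters` values are substituted verbatim into `regular_expression` (`"{computer_name}"`); unless the analyzer escapes them (not visible here), a value containing regex metacharacters changes the pattern's meaning, so a comment such as `# NOTE: parameter values are inserted into the regex unescaped; supply literal names only` would help admins, with `re.escape` on the analyzer side being the proper fix. `windows_login` defines neither `attribute` nor `regular_expression`; if the analyzer requires both, that entry can never match — verify against the analyzer's loader.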
@@ -0,0 +1,57 @@ +display_name: Remote Desktop Protocol (RDP) from Windows Event Logs +description: + summary: + details: + references: + - +type: approach +id: Q0001.01 +tags: + - windows +view: + data: + - type: artifact + value: WindowsEventLogs + processors: + - name: plaso + options: + - type: parsers + value: winevtx + analysis: + timesketch: + - description: RDP authentication from client + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:4624 AND logon_type:RemoteInteractive' + - description: Failed RDP authentication from client + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:4625 AND logon_type:RemoteInteractive' + - description: Use of explicit credentials + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:4648 AND source_name:"Microsoft-Windows-Security-Auditing"' + - description: ClientActiveXCore RDP client + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:1024 AND source_name:"Microsoft-Windows-TerminalServices-ClientActiveXCore"' + - description: RDP client connection to server + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:1102 AND source_name:"Microsoft-Windows-TerminalServices-ClientActiveXCore"' + - description: RDP successful logon + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:1149 AND source_name:"Microsoft-Windows-TerminalServices-RemoteConnectionManager"' + - description: RDP successful TCP connection + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:(98 OR 131) AND source_name:"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"' + - description: RDP session logon + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:21 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' + - description: RDP session shell start + type: 
opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:22 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' + - description: RDP session logoff + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:23 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' + - description: RDP session reconnection + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:25 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' + - description: RDP session disconnect + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:40 AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' diff --git a/charts/timesketch/configs/dfiq/approaches/Q0001.02.yaml b/charts/timesketch/configs/dfiq/approaches/Q0001.02.yaml new file mode 100644 index 0000000..e8f6f66 --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0001.02.yaml @@ -0,0 +1,24 @@ +display_name: Remote Desktop Protocol (RDP) from the Registry +description: + summary: + details: + references: + - +type: approach +id: Q0001.01 +tags: + - windows +view: + data: + - type: artifact + value: WindowsRegistryFiles + processors: + - name: plaso + analysis: + timesketch: + - description: RDP destinations (registry) + type: opensearch-query + value: 'key_path:"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers"' + - description: mstsc.exe in ShimCache + type: opensearch-query + value: 'data_type:"windows:registry:appcompatcache" AND path:mstsc.exe' diff --git a/charts/timesketch/configs/dfiq/approaches/Q0002.01.yaml b/charts/timesketch/configs/dfiq/approaches/Q0002.01.yaml new file mode 100644 index 0000000..bfbfba9 --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0002.01.yaml 
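Review bot: The `description` block at the top of Q0001.01.yaml has bare `summary:` and `details:` values and a `references:` list whose only entry is `-` with nothing after it, so all three load as null and the list becomes a single null element; the same empty scaffold is repeated in Q0001.02, Q0002.01, Q0003.01, Q0003.02, Q0004.01, Q0005.01 and Q0006.01. Either fill them in or make the intent explicit (`summary: ""`, `details: ""`, `references: []`) so a DFIQ loader that validates types does not reject the files. Stylistically, the long `value:` query strings run well past 120 columns; a folded scalar (`value: >-`) would keep them readable and diffable without changing the query text.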
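Review bot: `id: Q0001.01` in Q0001.02.yaml collides with the approach defined in Q0001.01.yaml; the file name and its place as the second approach for question Q0001 indicate it should read `id: Q0001.02`. With two approaches carrying the same id, whichever one a DFIQ loader reads last silently shadows the other, so the registry-based RDP approach may never appear in the UI. A cheap guard is a CI check that approach ids are unique across `configs/dfiq/approaches/`.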
@@ -0,0 +1,24 @@ +display_name: Map Network Shares from Windows Event Logs +description: + summary: + details: + references: + - +type: approach +id: Q0002.01 +tags: + - windows +view: + data: + - type: artifact + value: WindowsEventLogs + processors: + - name: plaso + options: + - type: parsers + value: winevtx + analysis: + timesketch: + - description: Map Network share with net.exe + type: opensearch-query + value: 'data_type:"windows:prefetch:execution" AND net\.exe*' diff --git a/charts/timesketch/configs/dfiq/approaches/Q0003.01.yaml b/charts/timesketch/configs/dfiq/approaches/Q0003.01.yaml new file mode 100644 index 0000000..1656c6e --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0003.01.yaml @@ -0,0 +1,18 @@ +display_name: PsExec execution from filesystem events +description: + summary: + details: + references: + - +type: approach +id: Q0003.01 +tags: + - windows +view: + processors: + - name: plaso + analysis: + timesketch: + - description: PsExec executions from prefetch + type: opensearch-query + value: 'data_type:"windows:prefetch:execution" AND psexec\.exe*' diff --git a/charts/timesketch/configs/dfiq/approaches/Q0003.02.yaml b/charts/timesketch/configs/dfiq/approaches/Q0003.02.yaml new file mode 100644 index 0000000..21517aa --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0003.02.yaml @@ -0,0 +1,25 @@ +display_name: PsExec execution from Windows Event Logs +description: + summary: + details: + references: + - +type: approach +id: Q0003.02 +tags: + - windows +view: + data: + - type: artifact + value: WindowsEventLogs + processors: + - name: plaso + options: + - type: parsers + value: winevtx + analysis: + timesketch: + - description: PsExec installed as a service + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:7045 AND source_name:"Service Control Manager" AND strings:"psexesvc"' + 
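Review bot: Q0002.01 is titled `Map Network Shares from Windows Event Logs` and declares the `WindowsEventLogs` artifact with plaso restricted to the `winevtx` parser, yet its only query is `data_type:"windows:prefetch:execution" AND net\.exe*`, which matches prefetch records that the winevtx parser never produces, so following this approach as written yields nothing. Either switch the data/processor section to the prefetch artifact and parser (as Q0003.01 does for PsExec) and rename the approach accordingly, or replace the query with an event-log query. Q0004.01 has the same mismatch (`Scheduled tasks from Windows Event Logs` with a `windows:prefetch:execution` query). Also, `net\.exe*` is an unfielded term whose target field depends on the default query field; prefer the explicit `executable:` field that Q0004.01 already uses.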
diff --git a/charts/timesketch/configs/dfiq/approaches/Q0004.01.yaml b/charts/timesketch/configs/dfiq/approaches/Q0004.01.yaml new file mode 100644 index 0000000..c03fba2 --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0004.01.yaml @@ -0,0 +1,24 @@ +display_name: Scheduled tasks from Windows Event Logs +description: + summary: + details: + references: + - +type: approach +id: Q0004.01 +tags: + - windows +view: + data: + - type: artifact + value: WindowsEventLogs + processors: + - name: plaso + options: + - type: parsers + value: winevtx + analysis: + timesketch: + - description: Scheduled tasks executions + type: opensearch-query + value: 'data_type:"windows:prefetch:execution" AND executable:("AT.EXE" OR "SCHTASKS.EXE")' diff --git a/charts/timesketch/configs/dfiq/approaches/Q0005.01.yaml b/charts/timesketch/configs/dfiq/approaches/Q0005.01.yaml new file mode 100644 index 0000000..d267fc8 --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0005.01.yaml @@ -0,0 +1,24 @@ +display_name: Installed services from Windows Event Logs +description: + summary: + details: + references: + - +type: approach +id: Q0005.01 +tags: + - windows +view: + data: + - type: artifact + value: WindowsEventLogs + processors: + - name: plaso + options: + - type: parsers + value: winevtx + analysis: + timesketch: + - description: Installed services + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:7045 AND source_name:"Service Control Manager"' diff --git a/charts/timesketch/configs/dfiq/approaches/Q0006.01.yaml b/charts/timesketch/configs/dfiq/approaches/Q0006.01.yaml new file mode 100644 index 0000000..28f321a --- /dev/null +++ b/charts/timesketch/configs/dfiq/approaches/Q0006.01.yaml 
@@ -0,0 +1,24 @@ +display_name: WMI activity from from Windows Event Logs +description: + summary: + details: + references: + - +type: approach +id: Q0006.01 +tags: + - windows +view: + data: + - type: artifact + value: WindowsEventLogs + processors: + - name: plaso + options: + - type: parsers + value: winevtx + analysis: + timesketch: + - description: Provided DLLs executed by wmiprvse + type: opensearch-query + value: 'data_type:"windows:evtx:record" AND event_identifier:7045 AND source_name:"Service Control Manager"' diff --git a/charts/timesketch/configs/dfiq/facets/F0001.yaml b/charts/timesketch/configs/dfiq/facets/F0001.yaml new file mode 100644 index 0000000..2f3f732 --- /dev/null +++ b/charts/timesketch/configs/dfiq/facets/F0001.yaml @@ -0,0 +1,8 @@ +display_name: Remote Access +description: Remote access can indicate lateral movements. +type: facet +id: F0001 +tags: + - windows +parent_ids: + - S0001 diff --git a/charts/timesketch/configs/dfiq/facets/F0002.yaml b/charts/timesketch/configs/dfiq/facets/F0002.yaml new file mode 100644 index 0000000..af1d2fa --- /dev/null +++ b/charts/timesketch/configs/dfiq/facets/F0002.yaml @@ -0,0 +1,8 @@ +display_name: Remote Execution +description: Remote executions can indicate lateral movements. +type: facet +id: F0002 +tags: + - windows +parent_ids: + - S0001 diff --git a/charts/timesketch/configs/dfiq/questions/Q0001.yaml b/charts/timesketch/configs/dfiq/questions/Q0001.yaml new file mode 100644 index 0000000..ae610da --- /dev/null +++ b/charts/timesketch/configs/dfiq/questions/Q0001.yaml 
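Review bot: The single analysis query in Q0006.01.yaml (`event_identifier:7045 AND source_name:"Service Control Manager"`) is a verbatim copy of Q0005.01's installed-services query and does not match its own description `Provided DLLs executed by wmiprvse`, so the WMI approach returns the same service-installation events as Q0005.01 and nothing WMI-specific. The query should target the WMI activity provider instead (`source_name:"Microsoft-Windows-WMI-Activity"` is the provider name for the WMI-Activity/Operational log — verify the exact field value against plaso output) or the approach should be left out until such a query is written. The `display_name` also repeats a word: `WMI activity from from Windows Event Logs` → `WMI activity from Windows Event Logs`.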
@@ -0,0 +1,11 @@ +display_name: Who has used Remote Desktop (RDP) to login to the system? +description: | + Remote Desktop Protocol (RDP) is a protocol developed by Microsoft which provides a user with a graphical + interface to connect to another computer over a network connection. The user employs RDP client software for this + purpose, while the other computer must run RDP server software. (based on: https://en.wikipedia.org/wiki/Remote_Desktop_Protocol) +type: question +id: Q0001 +tags: + - windows +parent_ids: + - F0001 diff --git a/charts/timesketch/configs/dfiq/questions/Q0002.yaml b/charts/timesketch/configs/dfiq/questions/Q0002.yaml new file mode 100644 index 0000000..bb0229f --- /dev/null +++ b/charts/timesketch/configs/dfiq/questions/Q0002.yaml @@ -0,0 +1,13 @@ +display_name: Which network shares has been mapped? +description: | + Mapped network shares are a way to access files and folders on other computers + on a network as if they were local drives. This can be useful for sharing files and + folders between users and computers, or for accessing files and folders that are + stored on a central server. Mapped network shares can be used to move laterally within + a network. +type: question +id: Q0002 +tags: + - windows +parent_ids: + - F0001 diff --git a/charts/timesketch/configs/dfiq/questions/Q0003.yaml b/charts/timesketch/configs/dfiq/questions/Q0003.yaml new file mode 100644 index 0000000..0e49222 --- /dev/null +++ b/charts/timesketch/configs/dfiq/questions/Q0003.yaml 
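Review bot: The `display_name` in Q0002.yaml, `Which network shares has been mapped?`, is a user-facing question title with a subject–verb disagreement; it should read `Which network shares have been mapped?`. Q0004.yaml (`What Scheduled Tasks has been executed?` → `What scheduled tasks have been executed?`) and Q0005.yaml (`Which system services has been installed and executed?` → `Which system services have been installed and executed?`) have the same issue.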
@@ -0,0 +1,18 @@ +display_name: Has there been any executions of PsExec? +description: | + PsExec is a command-line tool that allows you to execute commands on remote computers. + It is part of the Sysinternals suite of tools, which are a collection of free and + open-source utilities for Windows system administration. + + It works by establishing a remote connection to the target computer and then executing + the specified command. The command can be anything that you would normally run on a local + computer, such as a batch file, a PowerShell script, or a simple command-line instruction. + + PsExec can be used to move from one computer to another on a network. This can be + done by using PsExec to execute a command on the target computer. +type: question +id: Q0003 +tags: + - windows +parent_ids: + - F0002 diff --git a/charts/timesketch/configs/dfiq/questions/Q0004.yaml b/charts/timesketch/configs/dfiq/questions/Q0004.yaml new file mode 100644 index 0000000..120b80c --- /dev/null +++ b/charts/timesketch/configs/dfiq/questions/Q0004.yaml @@ -0,0 +1,16 @@ +display_name: What Scheduled Tasks has been executed? +description: | + Scheduled tasks are a feature of Windows that allows you to run a program or script at + a specific time or date. This can be useful for tasks such as backing up files or running + updates. + + Scheduled tasks can be used for lateral movement between computers in a few ways. + First, an attacker who has gained access to a computer on a network can create a + scheduled task that runs a malicious program on another computer on the network. This + can be done by using the Task Scheduler user interface. +type: question +id: Q0004 +tags: + - windows +parent_ids: + - F0002 diff --git a/charts/timesketch/configs/dfiq/questions/Q0005.yaml b/charts/timesketch/configs/dfiq/questions/Q0005.yaml new file mode 100644 index 0000000..aa0a526 --- /dev/null +++ b/charts/timesketch/configs/dfiq/questions/Q0005.yaml 
@@ -0,0 +1,19 @@ +display_name: Which system services has been installed and executed? +description: | + A system service in Windows is a program that runs in the background and provides essential + functionality for the operating system. System services are typically started automatically + when Windows boots up, and they run continuously until Windows is shut down. + + System services can be used for lateral movement between computers in a few ways. First, an + attacker who has gained access to a computer on a network can create a malicious system service + that runs on the computer. This can be done by using the `sc` command-line tool. + + Once the malicious system service is running, it can be used to execute commands on the computer + or to connect to other computers on the network. This can allow the attacker to move laterally to + other computers on the network and gain further access. +type: question +id: Q0005 +tags: + - windows +parent_ids: + - F0002 diff --git a/charts/timesketch/configs/dfiq/questions/Q0006.yaml b/charts/timesketch/configs/dfiq/questions/Q0006.yaml new file mode 100644 index 0000000..b5c0fa9 --- /dev/null +++ b/charts/timesketch/configs/dfiq/questions/Q0006.yaml 
@@ -0,0 +1,19 @@ +display_name: Has there been any remote executions via WMI? +description: | + WMI, or Windows Management Instrumentation, is a set of tools and APIs that allow you to manage + Windows computers remotely. WMIC, or Windows Management Instrumentation Command-line, is a + command-line tool that allows you to interact with WMI. + + WMI can be used for a variety of purposes, including getting information about Windows computers, + Managing Windows computers and Automating tasks on Windows computers. + + WMI can be used for lateral movement between computers in a few ways. First, an attacker who + has gained access to a computer on a network can use WMIC to execute commands on other computers + on the network. This can be done by using the wmic command with the /node switch and the name + of the target computer. +type: question +id: Q0006 +tags: + - windows +parent_ids: + - F0002 diff --git a/charts/timesketch/configs/dfiq/questions/Q0007.yaml b/charts/timesketch/configs/dfiq/questions/Q0007.yaml new file mode 100644 index 0000000..acd5633 --- /dev/null +++ b/charts/timesketch/configs/dfiq/questions/Q0007.yaml @@ -0,0 +1,16 @@ +display_name: Has there been any remote PowerShell executions? +description: | + Remote PowerShell executions in Windows allow you to run PowerShell commands on a remote computer. + This can be useful for a variety of purposes, such as troubleshooting problems, deploying software, + or running administrative tasks. + + Remote PowerShell executions can be used for lateral movement between computers in a few ways. + First, an attacker who has gained access to a computer on a network can use remote PowerShell + executions to run commands on other computers on the network. This can be done by using the + `Invoke-Command` cmdlet with the ComputerName parameter. +type: question +id: Q0007 +tags: + - windows +parent_ids: + - F0002 
diff --git a/charts/timesketch/configs/dfiq/scenarios/S0001.yaml b/charts/timesketch/configs/dfiq/scenarios/S0001.yaml new file mode 100644 index 0000000..e230414 --- /dev/null +++ b/charts/timesketch/configs/dfiq/scenarios/S0001.yaml @@ -0,0 +1,13 @@ +display_name: Windows Lateral Movement +description: | + Lateral movement is the process of an attacker moving from one system to another within a network + after they have gained initial access to a system. This can be done through a variety of methods, + such as exploiting vulnerabilities in software or using stolen credentials. + + Once an attacker has gained lateral movement within a network, they can then access sensitive data, + install malware, or disrupt operations. Lateral movement is a critical step in many cyberattacks, + as it allows attackers to gain deeper access to a network and ultimately achieve their goals. +type: scenario +id: S0001 +tags: + - windows diff --git a/charts/timesketch/configs/regex_features.yaml b/charts/timesketch/configs/regex_features.yaml index a525f5c..e1e7a1c 100644 --- a/charts/timesketch/configs/regex_features.yaml +++ b/charts/timesketch/configs/regex_features.yaml 
@@ -53,130 +53,126 @@ # ------------------------------------------------------------------------ email_addresses: - query_string: 'source_short:"WEBHIST"' - attribute: 'message' - store_as: 'email_address' - re: '([a-zA-Z0-9_\.+\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+)' - re_flags: [] - tags: ['email-address'] + query_string: 'source_short:"WEBHIST"' + attribute: 'message' + store_as: 'email_address' + re: '([a-zA-Z0-9_\.+\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+)' + re_flags: [] + tags: ['email-address'] gmail_accounts: - query_string: 'source_short:"WEBHIST" AND url:"mail.google.com"' - attribute: 'message' - store_as: 'found_account' - re: '[a-zA-Z0-9_\.+\-]+@(gmail|googlemail)\.com' - re_flags: [] - tags: ['gmail-account'] - emojis: ['ID_BUTTON'] + query_string: 'source_short:"WEBHIST" AND url:"mail.google.com"' + attribute: 'message' + store_as: 'found_account' + re: '[a-zA-Z0-9_\.+\-]+@(gmail|googlemail)\.com' + re_flags: [] + tags: ['gmail-account'] + emojis: ['ID_BUTTON'] github_accounts: - query_string: 'source_short:"WEBHIST" AND - url:"https://github.com/users" AND title:"Your Profile"' - attribute: 'url' - store_as: 'found_account' - re: 'https://github.com/users/([A-z-\d]{1,39})' - re_flags: [] - tags: ['github-account'] - emojis: ['ID_BUTTON'] + query_string: 'source_short:"WEBHIST" AND url:"https://github.com/users" AND title:"Your Profile"' + attribute: 'url' + store_as: 'found_account' + re: 'https://github.com/users/([A-z-\d]{1,39})' + re_flags: [] + tags: ['github-account'] + emojis: ['ID_BUTTON'] # Linkedin account extraction from profile edit url linkedin_accounts: - query_string: 'source_short:"WEBHIST" AND - url:"https://www.linkedin.com/in/" AND url:"/edit/"' - attribute: 'url' - store_as: 'found_account' - re: 'https://www.linkedin.com/in/([A-z-\d]{5,32})/edit/' - tags: ['linkedin-account'] - emojis: ['ID_BUTTON'] + query_string: 'source_short:"WEBHIST" AND url:"https://www.linkedin.com/in/" AND url:"/edit/"' + attribute: 'url' + store_as: 
'found_account' + re: 'https://www.linkedin.com/in/([A-z-\d]{5,32})/edit/' + tags: ['linkedin-account'] + emojis: ['ID_BUTTON'] rdp_ts_ipv4_addresses: - query_string: 'data_type:"windows:evtx:record" AND - source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' - attribute: 'strings' - store_as: 'ip_address' - re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' + query_string: 'data_type:"windows:evtx:record" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"' + attribute: 'strings' + store_as: 'ip_address' + re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' rdp_rds_ipv4_addresses: - query_string: 'data_type:"windows:evtx:record" AND - source_name:"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"' - attribute: 'strings' - store_as: 'client_ip' - re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' + query_string: 'data_type:"windows:evtx:record" AND source_name:"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"' + attribute: 'strings' + store_as: 'client_ip' + re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' ssh_client_ipv4_addresses: - query_string: 'reporter:"sshd"' - attribute: 'message' - store_as: 'client_ip' - re: 'Connection from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+ on (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+(?: rdomain ? .*)?$' + query_string: 'reporter:"sshd"' + attribute: 'message' + store_as: 'client_ip' + re: 'Connection from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+ on (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+(?: rdomain ? 
.*)?$' ssh_client_ipv4_addresses_2: - query_string: 'reporter:"sshd"' - attribute: 'message' - store_as: 'client_ip' - re: 'Connection [a-z]+ by ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+' + query_string: 'reporter:"sshd"' + attribute: 'message' + store_as: 'client_ip' + re: 'Connection [a-z]+ by ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+' ssh_host_ipv4_addresses: - query_string: 'reporter:"sshd"' - attribute: 'message' - store_as: 'host_ip' - re: '^\[sshd\] \[\d+\]: Connection from (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+ on ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+(?: rdomain ? .*)?$' + query_string: 'reporter:"sshd"' + attribute: 'message' + store_as: 'host_ip' + re: '^\[sshd\] \[\d+\]: Connection from (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+ on ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+(?: rdomain ? .*)?$' ssh_client_password_ipv4_addresses: - query_string: 'reporter:"sshd"' - attribute: 'message' - store_as: 'client_ip' - re: '(?:Accepted|Failed) (?:password|publickey) for \w+ from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+' + query_string: 'reporter:"sshd"' + attribute: 'message' + store_as: 'client_ip' + re: '(?:Accepted|Failed) (?:password|publickey) for \w+ from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+' ssh_disconnected_username: - query_string: 'reporter:"sshd"' - attribute: 'body' - store_as: 'username' - re: 'Disconnected\s+from user (?P[^\s]+) [^\s]+ port \d+$' + query_string: 'reporter:"sshd"' + attribute: 'body' + store_as: 'username' + re: 'Disconnected\s+from user (?P[^\s]+) [^\s]+ port \d+$' ssh_disconnected_ip_address: - query_string: 'reporter:"sshd"' - attribute: 'body' - store_as: 'ip_address' - re: 'Disconnected from user [^\s]+ (?P[^\s]+) port \d+$' + query_string: 'reporter:"sshd"' + attribute: 'body' + store_as: 'ip_address' + re: 'Disconnected from user [^\s]+ (?P[^\s]+) port \d+$' ssh_disconnected_port: - query_string: 'reporter:"sshd"' - attribute: 'body' - store_as: 'port' - re: 'Disconnected from user [^\s]+ [^\s]+ port (?P\d+)$' + query_string: 
'reporter:"sshd"' + attribute: 'body' + store_as: 'port' + re: 'Disconnected from user [^\s]+ [^\s]+ port (?P\d+)$' ssh_failed_username: - query_string: 'reporter:"sshd"' - attribute: 'body' - store_as: 'username' - re: 'Failed password for (?:invalid user)?\s*(?P[^\s]+) from [^\s]+ port \d+ ssh\d' + query_string: 'reporter:"sshd"' + attribute: 'body' + store_as: 'username' + re: 'Failed password for (?:invalid user)?\s*(?P[^\s]+) from [^\s]+ port \d+ ssh\d' ssh_failed_ip_address: - query_string: 'reporter:"sshd"' - attribute: 'body' - store_as: 'ip_address' - re: 'Failed password for (?:invalid user)?\s*[^\s]+ from (?P[^\s]+) port \d+ ssh\d' + query_string: 'reporter:"sshd"' + attribute: 'body' + store_as: 'ip_address' + re: 'Failed password for (?:invalid user)?\s*[^\s]+ from (?P[^\s]+) port \d+ ssh\d' ssh_failed_port: - query_string: 'reporter:"sshd"' - attribute: 'body' - store_as: 'port' - re: 'Failed password for (?:invalid user)?\s*[^\s]+ from [^\s]+ port (?P\d+) ssh\d' + query_string: 'reporter:"sshd"' + attribute: 'body' + store_as: 'port' + re: 'Failed password for (?:invalid user)?\s*[^\s]+ from [^\s]+ port (?P\d+) ssh\d' ssh_failed_method: - query_string: 'reporter:"sshd"' - attribute: 'body' - store_as: 'authentication_method' - re: 'Failed (?P[^\s]+) for .*ssh\d' + query_string: 'reporter:"sshd"' + attribute: 'body' + store_as: 'authentication_method' + re: 'Failed (?P[^\s]+) for .*ssh\d' win_bits_client_ipv4_addresses: - query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client' - attribute: 'strings' - store_as: 'ip_address' - re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' + query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client' + attribute: 'strings' + store_as: 'ip_address' + re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' win_bits_client_url: - query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client' - attribute: 'strings' - store_as: 'url' - re: 
'(?<=")(?:(?:https?:\/\/)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)(?:[\/\?#][^\s,"]*)?(?=")' + query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client' + attribute: 'strings' + store_as: 'url' + re: '(?<=")(?:(?:https?:\/\/)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)(?:[\/\?#][^\s,"]*)?(?=")' diff --git a/charts/timesketch/configs/scenarios/facets.yaml b/charts/timesketch/configs/scenarios/facets.yaml new file mode 100644 index 0000000..4eb89e6 --- /dev/null +++ b/charts/timesketch/configs/scenarios/facets.yaml 
@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------------
+# -- Facets --
+# ------------------------------------------------------------------------
+#
+# Facets are mini investigations that focus on strategically and specifically
+# selected sets of investigative questions.
+#
+# This is a config file to define facets.
+#
+# Each facet consists of the following fields:
+#
+# -- metadata --
+# display_name Simple string that contains the display name that
+# be used in an UI to describe the question.
+#
+# description Further description of the facet, what the
+# facet attempts to answer, whether it will
+# require further manual analysis, etc.
+#
+# questions List of investigative questions that will help
+# the analyst to come to an conclusion for the facet.
+#
+# ------------------------------------------------------------------------
+attacker_maintain_access:
+ display_name: Are there any signs of an attacker moving from the computer to another host?
+ description: Are there any signs of an attacker moving from the computer to another host? (Lateral Movement)
+ questions:
+ - user_logged_in_win
+ - user_downloaded_file
+
+interference_with_protective_measures:
+ display_name: Interference with protective measures?
+ description: Are there any signs of an attacker trying to maintain their access? (Persistence)
+ questions:
+ - user_logged_in_win
diff --git a/charts/timesketch/configs/scenarios/questions.yaml b/charts/timesketch/configs/scenarios/questions.yaml
new file mode 100644
index 0000000..5f47cc6
--- /dev/null
+++ b/charts/timesketch/configs/scenarios/questions.yaml
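Review bot: The facet keys and their text disagree: `attacker_maintain_access` is described as lateral movement (`... moving from the computer to another host? (Lateral Movement)`), while `interference_with_protective_measures` is described as persistence (`... trying to maintain their access? (Persistence)`), and the first facet's `display_name` simply repeats its description. scenarios.yaml in this same commit references the facets by key, so an analyst reading the UI labels will be routed to questions that do not match the label. Rename the keys to match their text (for example `attacker_lateral_movement` for the first and `attacker_maintain_access` for the second, updating scenarios.yaml in step) or correct the descriptions, and give the first facet a short label such as `display_name: Lateral movement from this host?`.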
@@ -0,0 +1,120 @@
+# ------------------------------------------------------------------------
+# -- Questions --
+# ------------------------------------------------------------------------
+#
+# This is a config file to define questions that can be asked
+# in Timesketch. A single question is by nature small in scope and tactical,
+# something that can be answered by analysis, either automatically or by
+# providing enough context so that an analyst can determine the answer.
+#
+# Each investigation may contain many questions, some dependent on the
+# outcome of others, that is one question can determine that no further
+# questions need to be asked, or that several other questions need to be
+# brought up, etc.
+#
+# These questions define what data needs to be present in order to
+# be able to answer it, as well as what user supplied parameters may be
+# required to be defined beforehand. It will then also define what set of
+# analyzers, graph plugins and potential searches will be useful in order
+# to answer the question and what conditions are sufficient
+# in order to have the question answered.
+#
+# As described above, each of these isolated tactical questions are part
+# of a bigger picture, part of an investigation, which sets out to answer
+# a broader set of questions, which can then in hand be part of an even
+# larger scenario.
+#
+# Each question consists of the following fields:
+#
+# -- metadata --
+#
+# display_name Simple string that contains the display name that
+# be used in an UI to describe the question.
+#
+# description Further description of the question, what the
+# question attempts to answer, whether it will
+# require further manual analysis, etc.
+#
+# -- data requirements --
+#
+# data_sources A list of data sources (as defined in the
+# data_finder.yaml configuration file) that
+# either need to be present, should not be
+# present or are optional in the dataset in
+# order to be able to answer the question.
+#
+# parameters A list of parameters that will be asked
+# in the investigation, to provide context
+# needed for the question. This can be
+# simple things like the username of the user
+# the analyst is looking at, or a domain that
+# they are interested in, that is some context
+# that is needed in order for the question to be
+# properly asked.
+#
+#
+# -- context/enrichment --
+#
+# analyzers A list of analyzers that will be run on the
+# dataset.
+#
+# graphs A list of graph plugins that will assist the
+# analyst with answering the question.
+#
+# search_templates A list of search templates that will assist the
+# analyst with answering the question.
+#
+# sigma_rules A list of sigma_rules that will enrich the sketch
+# with information to help the analyst answering the question.
+#
+#
+# -- answers --
+#
+# answer_simple If the answer can be simply derived from a search
+# in the dataset, an answer source can be defined.
+# It contains two section, a "must" or "must_not",
+# which is a list of data finder defintions that all
+# must or must not return True values. This can be
+# used to define things that should be present in the
+# dataset or should not be there in order to give
+# an answer to the investigative question.
+#
+# answer_analyzer If the answer cannot be derived from a simple
+# search a name of an analyzer can be provided
+# that is specifically designed to answer this
+# particular investigative question.
+# ------------------------------------------------------------------------
+user_logged_in_win:
+ display_name: Did someone log into a Windows machine?
+ description: This question aim to answer whether
+ someone (anyone) logged into the machine. It will run the login analyzer
+ to determine if there was any login activity. This question only
+ looks at activity logged in the EVTX file, therefore it only
+ applies to Windows machines.
+ data_sources:
+ - windows_login
+ analyzers:
+ - login
+ sigma_rules:
+ -
+ answer_simple:
+ must:
+ - windows_login
+
+user_downloaded_file:
+ display_name: What files were downloaded through a web browser to a computer?
+ description: This question checks whether there is browser activity
+ happening and during that activity a specific file got downloaded
+ or is seen on the disk during the time period.
+ data_sources:
+ - browser_activity
+ parameters:
+ - username
+ - filename
+ answer_simple:
+ must:
+ - browser_activity
+ - user_browser_activity
+ - browser_download
+ - browser_specific_file_download
+
diff --git a/charts/timesketch/configs/scenarios/scenarios.yaml b/charts/timesketch/configs/scenarios/scenarios.yaml
new file mode 100644
index 0000000..a46103a
--- /dev/null
+++ b/charts/timesketch/configs/scenarios/scenarios.yaml
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------------
+# -- Scenarios --
+# ------------------------------------------------------------------------
+#
+# This is a config file to define scenarios.
+#
+# Each scenario consists of the following fields:
+#
+# -- metadata --
+# display_name Simple string that contains the display name that
+# be used in an UI to describe the question.
+#
+# description Further description of the question, what the
+# question attempts to answer, whether it will
+# require further manual analysis, etc.
+#
+# ------------------------------------------------------------------------
+- short_name: "compromise_assessment"
+ display_name: "Compromise Assessment"
+ description: "Initial triage of a compromised system."
+ facets:
+ - attacker_maintain_access
+ - interference_with_protective_measures
diff --git a/charts/timesketch/configs/sigma/rules/lnx_susp_zmap.yml b/charts/timesketch/configs/sigma/rules/lnx_susp_zmap.yml
new file mode 100644
index 0000000..40185f3
--- /dev/null
+++ b/charts/timesketch/configs/sigma/rules/lnx_susp_zmap.yml
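Review bot: `sigma_rules:` under `user_logged_in_win` is followed by a bare `-`, which YAML parses as a one-element list containing `null`; any loader that iterates the rule names and resolves them will be handed `None` rather than a rule identifier. Either remove the key or make the empty list explicit with `sigma_rules: []`. The `must:` lists also name data finders (`user_browser_activity`, `browser_download`, `browser_specific_file_download`) that have to exist in data_finder.yaml, which is not visible here; a finder that is missing can never return True, so the question would be permanently unanswerable — worth confirming against that file.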
@@ -0,0 +1,22 @@
+title: Suspicious Installation of ZMap
+id: 5266a592-b793-11ea-b3de-0242ac130004
+description: Detects suspicious installation of ZMap
+references:
+ - https://rmusser.net/docs/ATT&CK-Stuff/ATT&CK/Discovery.html
+author: Alexander Jaeger
+date: 2020/06/26
+modified: 2020/06/26
+tags:
+ - attack.discovery
+ - attack.t1046
+logsource:
+ product: linux
+ service: shell
+detection:
+ keywords:
+ # Generic suspicious commands
+ - '*apt-get install zmap*'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
diff --git a/charts/timesketch/configs/sigma/rules/win_powershell_susp_1.yaml b/charts/timesketch/configs/sigma/rules/win_powershell_susp_1.yaml
new file mode 100644
index 0000000..9267f95
--- /dev/null
+++ b/charts/timesketch/configs/sigma/rules/win_powershell_susp_1.yaml
@@ -0,0 +1,20 @@
+title: General Powershell line suspiciousness
+id: 7d4282f2-7794-416b-b632-d27bc88c8585
+description: Broad rule to detect suspicious Powershell artifacts
+status: stable
+references: https://github.com/SigmaHQ/sigma/blob/master/other/godmode_sigma_rule.yml
+author: Alexander Jaeger
+date: 2022/11/17
+modified: 2022/11/17
+level: high
+detection:
+ # Different suspicious or malicious powershell command line parameters
+ selection_plain:
+ CommandLine|contains:
+ - ' -NoP ' # Often used in malicious PowerShell commands
+ - ' -W Hidden ' # Often used in malicious PowerShell commands
+ - ' -decode ' # Used with certutil
+ - ' /decode ' # Used with certutil
+ - '.downloadstring(' # PowerShell download command
+ - '.downloadfile(' # PowerShell download command
+ condition: 1 of them
diff --git a/charts/timesketch/configs/sigma/rules/win_suspicious_keywords.yml b/charts/timesketch/configs/sigma/rules/win_suspicious_keywords.yml
new file mode 100644
index 0000000..c8f98f4
--- /dev/null
+++ b/charts/timesketch/configs/sigma/rules/win_suspicious_keywords.yml
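Review bot: `win_powershell_susp_1.yaml` has no `logsource` section and gives `references` as a bare string instead of a list, unlike the two sibling rules added in this commit; Sigma tooling that validates the schema (pySigma, sigma-cli) treats `logsource` as mandatory, so the rule may be rejected or silently skipped when Timesketch loads it. Add `logsource:` with `product: windows` (plus `category: process_creation` if that is where `CommandLine` is expected to come from) and make the reference a list: `references:` / `  - https://github.com/SigmaHQ/sigma/blob/master/other/godmode_sigma_rule.yml`. Separately, `' -decode '` and `' /decode '` are certutil switches rather than PowerShell ones, so at `level: high` with `status: stable` the rule will flag benign certutil use; either lower the level or note the expected noise in `description` as the keywords rule does.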
@@ -0,0 +1,21 @@
+title: General suspicious keywords
+id: 9532df7b-ac88-4706-a764-9bbc9c2b2d5f
+description: 'Broad rule to detect common bad terms. Warning: Can be noisy'
+status: stable
+references:
+ - https://github.com/SigmaHQ/sigma/blob/master/other/godmode_sigma_rule.yml
+ - https://twitter.com/hela_luc/status/1592934231583621121
+author: Alexander Jaeger
+date: 2022/11/17
+modified: 2022/11/17
+level: high
+detection:
+ # Different suspicious or malicious command line parameters
+ selection_plain:
+ message:
+ - ' mimi' # Mimikatz
+ - 'lsass.dmp' # Attempt to dump the lsass process
+ - 'powershell -nop -w hidden -encodedcommand' # often used to obfuscate powershell
+ - 'vssadmin' # Attempt to work with volume shadow copies
+ - '.dmp full' # Process dumping method apart from procdump
+ condition: 1 of them
diff --git a/charts/timesketch/templates/deployment-frontend.yaml b/charts/timesketch/templates/deployment-frontend.yaml
index f761f16..fa60589 100644
--- a/charts/timesketch/templates/deployment-frontend.yaml
+++ b/charts/timesketch/templates/deployment-frontend.yaml
@@ -32,7 +32,7 @@ spec:
 {{- toYaml .Values.frontend.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- command: ["sh", "-c", "gunicorn --bind 0.0.0.0:5000 --log-file - \
+ command: ["sh", "-c", "update-ca-certificates && cp /var/timesketch.conf /etc/ && gunicorn --bind 0.0.0.0:8080 --log-file - \
 --error-logfile - --log-level info \
 --capture-output --timeout 600 --limit-request-line 8190 \
 --workers 4 timesketch.wsgi:application"]
@@ -46,6 +46,8 @@ spec:
 fieldRef:
 fieldPath: metadata.name
 apiVersion: v1
+ - name: SSL_CERT_FILE
+ value: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
 - name: TIMESKETCH_USER_USERNAME
 valueFrom:
 secretKeyRef:
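Review bot: `update-ca-certificates` and `cp /var/timesketch.conf /etc/` in the new `command` both write to the container's root filesystem (`/etc/ssl/certs` and `/etc`), so the web container now needs to run as root with a writable rootfs; if `frontend.securityContext` (its value is not visible here) sets `runAsNonRoot` or `readOnlyRootFilesystem`, the `&&` chain fails before gunicorn starts and the pod crash-loops. The copy also lands a secret-backed config file on the writable layer. If Timesketch really has to write to its config file, say so in a comment next to the command; otherwise keep mounting the secret at `/etc/timesketch.conf` read-only as before, which removes both the copy and one of the two reasons for root.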
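Review bot: `SSL_CERT_FILE` is pointed at the single mounted CA, and for OpenSSL-based clients that honor this variable that replaces the default trust store rather than extending it: any other TLS peer the web container verifies against public roots will then fail verification, and because the `ca-cert` volume is declared `optional: true` a cluster without that ConfigMap leaves the variable pointing at a file that does not exist, so verification of the OpenSearch connection fails as well. Since `update-ca-certificates` in the same change already merges the extra CA into the system bundle, point the variable at the bundle instead, `value: /etc/ssl/certs/ca-certificates.crt` (the Debian path; adjust for the base image), or drop the variable and rely on the bundle alone. The identical two lines are added to deployment-worker.yaml in this commit and need the same treatment.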
@@ -64,8 +66,12 @@ spec:
 mountPath: /config
 readOnly: true
 - name: timesketch-conf
- mountPath: /etc/timesketch.conf
+ mountPath: /var/timesketch.conf
 subPath: timesketch.conf
+ readOnly: false
+ - name: ca-cert
+ mountPath: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
+ subPath: {{ .Values.caCert.existingConfigMapKey }}
 readOnly: true
 ports:
 - containerPort: {{ .Values.metrics.port }}
@@ -85,6 +91,10 @@ spec:
 secret:
 secretName: {{ .Values.config.existingConfSecret }}
 optional: true
+ - name: ca-cert
+ configMap:
+ name: {{ .Values.caCert.existingConfigMapName }}
+ optional: true
 nodeSelector:
 {{- toYaml .Values.frontend.nodeSelector | nindent 8 }}
 affinity:
diff --git a/charts/timesketch/templates/deployment-worker.yaml b/charts/timesketch/templates/deployment-worker.yaml
index 7025521..4716153 100644
--- a/charts/timesketch/templates/deployment-worker.yaml
+++ b/charts/timesketch/templates/deployment-worker.yaml
@@ -32,7 +32,7 @@ spec:
 {{- toYaml .Values.worker.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- command: ["sh", "-c", "celery -A timesketch.lib.tasks worker \
+ command: ["sh", "-c", "update-ca-certificates && cp /var/timesketch.conf /etc/ && celery -A timesketch.lib.tasks worker \
 --loglevel=DEBUG"]
 env:
 - name: POD_NAME
@@ -42,6 +42,8 @@ spec:
 apiVersion: v1
 - name: WORKER_LOG_LEVEL
 value: "DEBUG"
+ - name: SSL_CERT_FILE
+ value: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
 - name: TIMESKETCH_USER_USERNAME
 valueFrom:
 secretKeyRef:
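Review bot: The `timesketch-conf` mount in the frontend is switched to `readOnly: false`, while the worker hunk below keeps `readOnly: true` for the same secret-backed file; nothing in the new command line needs to write to it (the `cp` only reads it), and it is the file that carries the application's credentials. Keep `readOnly: true` here to match the worker; the copy into `/etc/` already gives the process its own writable copy if one is ever required. Note also that the frontend declares the conf secret `optional: true` whereas the worker uses `optional: false` — pre-existing, but a missing secret now makes the `cp` fail at startup rather than Timesketch failing later, so the two should probably agree.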
@@ -60,9 +62,13 @@ spec:
 mountPath: /config
 readOnly: true
 - name: timesketch-conf
- mountPath: /etc/timesketch.conf
+ mountPath: /var/timesketch.conf
 subPath: timesketch.conf
 readOnly: true
+ - name: ca-cert
+ mountPath: /usr/local/share/ca-certificates/extra/{{ .Values.caCert.existingConfigMapKey }}
+ subPath: {{ .Values.caCert.existingConfigMapKey }}
+ readOnly: true
 ports:
 - containerPort: {{ .Values.metrics.port }}
 - containerPort: 5000
@@ -81,6 +87,10 @@ spec:
 secret:
 secretName: {{ .Values.config.existingConfSecret }}
 optional: false
+ - name: ca-cert
+ configMap:
+ name: {{ .Values.caCert.existingConfigMapName }}
+ optional: true
 nodeSelector:
 {{- toYaml .Values.worker.nodeSelector | nindent 8 }}
 affinity:
diff --git a/charts/timesketch/templates/service.yaml b/charts/timesketch/templates/service.yaml
index 142052d..52e7754 100644
--- a/charts/timesketch/templates/service.yaml
+++ b/charts/timesketch/templates/service.yaml
@@ -10,7 +10,7 @@ spec:
 ports:
 - port: 8080
 protocol: TCP
- targetPort: 5000
+ targetPort: 8080
 selector:
 app.kubernetes.io/component: frontend
 {{- include "timesketch.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/timesketch/values.yaml b/charts/timesketch/values.yaml
index 3989524..2c6bcac 100644
--- a/charts/timesketch/values.yaml
+++ b/charts/timesketch/values.yaml
@@ -48,3 +48,7 @@ resources:
 metrics:
 enabled: true
 port: 9001
+
+caCert:
+ existingConfigMapName: cluster-certificates
+ existingConfigMapKey: opensearch-ca.crt
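Review bot: The new `caCert` values are undocumented, and the key name is load-bearing: on Debian-based images `update-ca-certificates` only picks up files named `*.crt` under `/usr/local/share/ca-certificates`, so an `existingConfigMapKey` without that suffix is silently left out of the system bundle even though the deployments still point `SSL_CERT_FILE` at it. Add comments above the block, e.g. `# Optional ConfigMap holding an extra CA certificate (e.g. the OpenSearch CA).` and `# The key must end in .crt so update-ca-certificates adds it to the system store.`. A `caCert.enabled` toggle would also let deployments without a private CA omit the mount and the env var entirely instead of relying on the `optional: true` volume.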