notebook.community

Edit and run

Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.

Rule Content

- action: global
  title: Cleartext Protocol Usage
  id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
  description: Ensure that all account usernames and authentication credentials are
    transmitted across networks using encrypted channels. Ensure that an encryption
    is used for all sensitive information in transit. Ensure that an encrypted channels
    is used  for all administrative account access.
  references:
  - https://www.cisecurity.org/controls/cis-controls-list/
  - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
  - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  author: Alexandr Yampolskyi, SOC Prime
  status: stable
  date: 2019/03/26
  falsepositives:
  - unknown
  level: low
  tags:
  - CSC4
  - CSC4.5
  - CSC14
  - CSC14.4
  - CSC16
  - CSC16.5
  - NIST CSF 1.1 PR.AT-2
  - NIST CSF 1.1 PR.MA-2
  - NIST CSF 1.1 PR.PT-3
  - NIST CSF 1.1 PR.AC-1
  - NIST CSF 1.1 PR.AC-4
  - NIST CSF 1.1 PR.AC-5
  - NIST CSF 1.1 PR.AC-6
  - NIST CSF 1.1 PR.AC-7
  - NIST CSF 1.1 PR.DS-1
  - NIST CSF 1.1 PR.DS-2
  - NIST CSF 1.1 PR.PT-3
  - NIST CSF 1.1 PR.PT-3
  - ISO 27002-2013 A.9.2.1
  - ISO 27002-2013 A.9.2.2
  - ISO 27002-2013 A.9.2.3
  - ISO 27002-2013 A.9.2.4
  - ISO 27002-2013 A.9.2.5
  - ISO 27002-2013 A.9.2.6
  - ISO 27002-2013 A.9.3.1
  - ISO 27002-2013 A.9.4.1
  - ISO 27002-2013 A.9.4.2
  - ISO 27002-2013 A.9.4.3
  - ISO 27002-2013 A.9.4.4
  - ISO 27002-2013 A.8.3.1
  - ISO 27002-2013 A.9.1.1
  - ISO 27002-2013 A.10.1.1
  - PCI DSS 3.2 2.1
  - PCI DSS 3.2 8.1
  - PCI DSS 3.2 8.2
  - PCI DSS 3.2 8.3
  - PCI DSS 3.2 8.7
  - PCI DSS 3.2 8.8
  - PCI DSS 3.2 1.3
  - PCI DSS 3.2 1.4
  - PCI DSS 3.2 4.3
  - PCI DSS 3.2 7.1
  - PCI DSS 3.2 7.2
  - PCI DSS 3.2 7.3
- logsource:
    product: netflow
  detection:
    selection:
      destination.port:
      - 8080
      - 21
      - 80
      - 23
      - 50000
      - 1521
      - 27017
      - 1433
      - 11211
      - 3306
      - 15672
      - 5900
      - 5901
      - 5902
      - 5903
      - 5904
    condition: selection
- logsource:
    product: firewall
  detection:
    selection1:
      destination.port:
      - 8080
      - 21
      - 80
      - 23
      - 50000
      - 1521
      - 27017
      - 3306
      - 1433
      - 11211
      - 15672
      - 5900
      - 5901
      - 5902
      - 5903
      - 5904
    selection2:
      action:
      - forward
      - accept
      - 2
    condition: selection1 AND selection2

Querying Elasticsearch

Import Libraries





In [ ]:



    


from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client





In [ ]:



    


es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query





In [ ]:



    


s = searchContext.query('query_string', query='destination.port:("8080" OR "21" OR "80" OR "23" OR "50000" OR "1521" OR "27017" OR "1433" OR "11211" OR "3306" OR "15672" OR "5900" OR "5901" OR "5902" OR "5903" OR "5904")')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))



    











In [ ]:



    


s = searchContext.query('query_string', query='(destination.port:("8080" OR "21" OR "80" OR "23" OR "50000" OR "1521" OR "27017" OR "3306" OR "1433" OR "11211" OR "15672" OR "5900" OR "5901" OR "5902" OR "5903" OR "5904") AND action:("forward" OR "accept" OR "2"))')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results





In [ ]:



    


df.head()

Content source: Cyb3rWard0g/HELK

Similar notebooks:

notebook.community | gallery | about