Pinging @elastic/siem (Team:SIEM)
@tsg, to make sure that I implement it correctly, does it mean that we are going to add one more configuration under Kibana's Advanced settings?
Me and @angorayc chatted on Slack. To summarize:
The setting could be an array of dicts, something like this:
[
{"name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{ip}}"},
{"name": "talosintelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{ip}}"},
{"name": "custom", "url_template": "https://mysite.com/{{ip}}"}
]
The name of the setting should be "SIEM IP Reputation Links".
The description could be something like: "Array of URL templates to build the list of reputation URLs to be displayed on the IP Details page."
The array should probably be limited to 5 items or so, to avoid layout issues.
Besides that, I'm only worried about the potential of abuse here. Angela, it would be good to check that the IP field doesn't contain any non-IP characters (/, etc.) and that the template itself is not more than a URL (to avoid injecting JS or other tricks).
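The two checks proposed above (the IP value may only contain IP characters, and each template may be nothing more than a plain URL), worked through as an added example. This is not Kibana's own code; the type and function names (`ReputationLink`, `isValidIp`, `isValidTemplate`, `buildReputationLinks`, `MAX_LINKS`) are assumptions, and the sample setting is constructed from the array shown in the comment plus one deliberately bad entry:

```typescript
// Added example, not Kibana's code. Names below are assumptions for illustration.

/** One entry of the proposed "SIEM IP Reputation Links" setting. */
export interface ReputationLink {
  name: string;
  url_template: string;
}

/** Upper bound from the discussion: at most 5 links to avoid layout issues. */
export const MAX_LINKS = 5;

const PLACEHOLDER = "{{ip}}";
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// Only characters that can appear in an IPv6 literal; "/", "?", "<" etc. can never get through.
const IPV6_CHARS = /^[0-9a-fA-F:.]+$/;
const HEX_GROUP = /^[0-9a-fA-F]{1,4}$/;

/** Counts 16-bit groups; an embedded IPv4 tail counts as two. Returns null on a bad group. */
function ipv6GroupCount(groups: string[]): number | null {
  let count = 0;
  for (let i = 0; i < groups.length; i++) {
    const g = groups[i];
    if (HEX_GROUP.test(g)) count += 1;
    else if (i === groups.length - 1 && IPV4.test(g)) count += 2;
    else return null;
  }
  return count;
}

/** True only for a syntactically valid IPv4 or IPv6 address (no CIDR, no ports, no paths). */
export function isValidIp(value: string): boolean {
  if (IPV4.test(value)) return true;
  if (!IPV6_CHARS.test(value)) return false;
  const halves = value.split("::");
  if (halves.length > 2) return false;
  // A stray leading/trailing ":" in either half means ":::" or a dangling colon.
  if (halves.some((h) => h.startsWith(":") || h.endsWith(":"))) return false;
  const count = ipv6GroupCount(value.split(":").filter((g) => g.length > 0));
  if (count === null) return false;
  return halves.length === 2 ? count <= 7 : count === 8;
}

/** A template is accepted only if it is an http(s) URL whose sole dynamic part is one {{ip}}. */
export function isValidTemplate(template: string): boolean {
  const occurrences = template.split(PLACEHOLDER).length - 1;
  if (occurrences !== 1) return false;
  // Fixed scheme and a host followed by a path: no javascript:, data:, or scheme-relative tricks.
  if (!/^https?:\/\/[A-Za-z0-9][A-Za-z0-9.-]*(:\d+)?\//.test(template)) return false;
  // Nothing that could break out of an href attribute once rendered.
  if (/[\s<>"'`]/.test(template)) return false;
  return true;
}

/**
 * Expands the setting for one IP. Templates that fail validation are dropped,
 * the list is capped at MAX_LINKS, and a non-IP value is refused outright.
 */
export function buildReputationLinks(
  setting: ReputationLink[],
  ip: string,
): { name: string; href: string }[] {
  if (!isValidIp(ip)) {
    throw new Error(`refusing to build reputation links for non-IP value: ${JSON.stringify(ip)}`);
  }
  return setting
    .filter((link) => isValidTemplate(link.url_template))
    .slice(0, MAX_LINKS)
    .map((link) => ({
      name: link.name,
      // The IP is already validated; encoding is belt-and-braces for IPv6 colons.
      href: link.url_template.replace(PLACEHOLDER, encodeURIComponent(ip)),
    }));
}

/** Constructed sample: the three entries from the comment plus one that must be rejected. */
export const SAMPLE_SETTING: ReputationLink[] = [
  { name: "virustotal.com", url_template: "https://www.virustotal.com/gui/search/{{ip}}" },
  { name: "talosintelligence.com", url_template: "https://talosintelligence.com/reputation_center/lookup?search={{ip}}" },
  { name: "custom", url_template: "https://mysite.com/{{ip}}" },
  { name: "bad", url_template: "javascript:alert(1)//{{ip}}" },
];

// Stand-alone run: prints the three expanded links for 8.8.8.8.
console.log(buildReputationLinks(SAMPLE_SETTING, "8.8.8.8"));
```

Validation happens at render time rather than only when the setting is saved, so a template edited later through the Advanced settings UI is still checked before it becomes an href.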
@tsg, I found that the virustotal link is reused by zeekRowRenderer. Therefore I would like to know whether we are going to apply the same change to zeekRowRenderer as well?
After having a chat on Slack with Tudor, I put my summary here:
We just put the first item which appears in the reputation link config here in zeekRowRenderer.