BOTES Dataset
  • Boss of the SOC (BOTS) Dataset
  • BOTES : Boss of the Elastic SOC
  • BOTES Prerequisites
  • ECS & BOTES
  • BOTES Fields
  • Data Sanitization
  • BOTES Enrichement
    • SIEM : Data enrichment
    • Streaming architecture
    • POC Prerequisites
    • POC Code
    • POC Enhancement
  • Complex Event Processing : SIEM Detection rules
    • POCs Prerequisites
    • CVE 2019-0708 : BlueKeep
Powered by GitBook
On this page

Was this helpful?

Last updated 5 years ago

POC code can be find on Github here:

Code details

Code contains few comments but let's explain some parts

AsyncDataStream

The following line is used to create an asynchronous DataStream :

Asynchronous DataStream options/parameters are the following :

  • unorderedwait: with this mode, results of async functions are emitted as soon as the async requests finish. So order will maybe not conserved.

  • logsStreamFile: it's the source DataStream used to create the new AsyncDataSteam.

  • new AsyncRedisFileEnrichment(): It's the asynchronous function which wil be called for processing logic on stream.

  • 5000, TimeUnit.MILLISECONDS: Time after an asynchronous call is declared as timed out.

  • setParallelism: set the parallelism for the asynchronous function.

AsynHttpRequest

Purpose of this code is to make asynchronous API call to get result on an IP or File hash.

  • Line 1: Create AsyncHttpClient

  • Line 2: Launch a request on Onyphe API to get result on IP address.

  • Line 5: Get the result of API call from Response Body.

  • Line 6 -11: Check if response contains results or if response is not null (In case of no more credits to call API).

  • Line 12-13: Call "processOnypheGetResult" function to extract relevant information from Onyphe (JSON) results and return a new JSON with fields formatted to be compliant with ECS format.

Comments this section if you want more details on specific parts of code.

https://github.com/NybbleHub/BOTES-Enrichment
DataStream<String> enrichmentStreamFile = AsyncDataStream.unorderedWait
    (logsStreamFile, new AsyncRedisFileEnrichment(), 
    5000, TimeUnit.MILLISECONDS).setParallelism(4);
  • Code details
  • AsyncDataStream
  • AsynHttpRequest
PreviousPOC PrerequisitesNextPOC Enhancement
  1. BOTES Enrichement

POC Code

This page provide link and details about POC Java code.

AsyncHttpClient onypheAsyncClient = asyncHttpClient();
Future<Response> onypheGetRequest = onypheAsyncClient.prepareGet(
    "https://www.onyphe.io/api/ip/" + onypheQueryIP + "?apikey=" + onypheAPIKey).execute();

onypheGetBody = mapper.readValue(onypheGetRequest.get().getResponseBody(), ObjectNode.class);
if (!onypheGetBody.has("results")) {
    return "{}";
} else {
    if (!onypheGetBody.get("results").hasNonNull(1)) {
        return "{}";
    } else {
        onypheResult = processOnypheGetResult(onypheGetBody);
        return onypheResult;
    }
}