When attempting to look for an incident or investigation that occurred in the past, it can be somewhat difficult. Having a search box to easily match on the content you are looking for could alleviate the issue.

When using the docker compose method of building mozdef I keep getting: Failed to connect to DBus Operation not premitted Then it won't install elasticsearch. ideas? Fixes?

https://help.github.com/en/articles/about-code-owners

Given that we have different groups of people working on different parts of the codebase (e.g. @andrewkrug and I working on CI/CD), if we define a CODEOWNERS file and then enable merging to follow that file, I can for example merge a change to CI/CD that doesn't affect the MozDef codebase without requiring @pwnbus to review and merge.

I wanted to see if this sounded ok before PRing a file for CODEOWNERS.

This would potentially have a section like

# These owners will be the default owners for everything in
# the repo. Unless a later match takes precedence,
# These users will be requested for
# review when someone opens a pull request.
*       @jeffbryner @pwnbus @mpurzynski @Phrozyn @tristanweir

# Require review by gene or andrew for cloudy MozDef stuff
/cloudy_mozdef/ @gene1wood @andrewkrug

Then we'd uncheck Restrict who can push to matching branches And add a check to Require review from Code Owners

This way

• nothing could be merged without review
• the people required for review for everything other than cloudy mozdef would be the same list of people who can merge today
• the people required for review of cloudy mozdef would be andrew and I

Thoughts @jeffbryner @pwnbus @mpurzynski @Phrozyn @tristanweir?

Hey all,

Maybe it's the holiday gremlins that got to me, but I've updated my docker instance to 1.35 and I can't get alerts working again. I'm down to the following very simple alert which is not working

#!/usr/bin/env python

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2014 Mozilla Corporation


from lib.alerttask import AlertTask
from mozdef_util.query_models import SearchQuery, TermMatch, QueryStringMatch, ExistsMatch, PhraseMatch, WildcardMatch


class AlertHelloworld(AlertTask):
    def main(self):
        # Create a query to look back the last 20 minutes
        search_query = SearchQuery(minutes=20)

        # Add search terms to our query
        search_query.add_must([
            TermMatch('category', 'helloworld'),
       #     ExistsMatch('details.sourceipaddress'),
        ])

        self.filtersManual(search_query)
        # Search aggregations on field 'sourceipaddress'
        # keep X samples of events at most
        self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=1)

    # Set alert properties
    def onAggregation(self, aggreg):
        # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
        # aggreg['value']: value of the aggregation field, ex: [email protected]
        # aggreg['events']: list of events in the aggregation
        category = 'hellocategory'
        tags = ['hello', 'world']
        severity = 'WARNING'
        summary = "My first alert!"

        # Create the alert object based on these properties
        return self.createAlertDict(summary, category, tags, aggreg['events'], severity)

with

'helloworld.AlertHelloworld': {'schedule': crontab(minute='*/1')},

in my docker/compose/mozdef_alerts/files/config.py. I'm sending simple messages to my instance with curl curl -v --header "Content-Type: application/json" --request POST --data '{"tags": ["test"],"category": "helloworld"}' http://localhost:8080/events and they are showing up in Kibana.

Is there something obvious that I'm doing wrong? Also is there some way outside of the UI that lets me determine if an alert is working?

Hey all,

I'm just getting into making alerts and I wanted to mention that if you run

make new-alert

and then try to run the associated test you will be left with a failing test due to the line

"notify_mozdefbot": False,

This is a bit confusing for people new to alert writing and being such a new person, I'm not sure if this is desired behavior or not. Either way I wanted to make a note for those searching around.

Currently the globe visualization (located at the /globe path in MozDef) doesn't display any data in MozDef out of the box. The logic to search and label an attacker is currently pretty specific to Mozilla which results in anyone else who deploys MozDef having a globe visualization with no data.

Let's make the globe's presence conditional on whatever it is we do to put data into it and by default, show no globe.

Thanks to @darakian for calling this out.

So, I'm using the docker containers as a deployment in my infrastructure and generally I really like it. However one thing that is annoying is clicking a link (say Kibana) and being sent to localhost:9090. I've make a hot edit in meteor/imports/settings.js to hard code my ip in use, but it would be really nice if I could give mozdef an ip at deploy time. ex make run my_ip=1.2.3.4 or make run config=my_overrides.txt/json or something along those line. Being able to change out the elastic search service would also be nice.

I get that I might be using the docker containers in a way that they are not designed for so if this is out of scope just let me know and I'll rework what I have based on the alternate install method.

This modifies the logo on the main page to the pre existing https://github.com/mozilla/MozDef/blob/master/meteor/public/images/logo.png . It also adds a favicon of the same logo.

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1120558 In Mozdef's incident UI (/incident/) there are tags such as impact.loss.rating.{Major,Moderate,Minor,None}.

I wondered if it would make sense to use maximum,high,medium,low instead. Same for confidence tags.

See also https://wiki.mozilla.org/Security/Standard_Levels

Hey All,

I've got a box on the current master. It's generating alerts fine, but the mozdef dash board doesn't display the alerts. I've verified that the alerts are created by looking at the ES cluster and the alerts index exists and contains the expected results. Any ideas on where I should be looking for the alert display part of the equation?

This is in the docker environment and nothing pops out at me after looking at the logs for each container.

Is there a preferred method for using data from the result a query in the alert summary? For instance, I have a PhraseMatch('summary', 'interesting string prefix') which works well, but I would like to pull out some of the summary string and have that available on the MozDef alerts dash board. I'm sure this is possible to hack together, but is there a method already in place? If so could someone point me at an example?