Cargill/OpenSIEM-Logstash-Parsing

Feature Request: Add known applications + risk score field based off destination.port fields

ryanpodonnell1 opened this issue · 2 comments

User Story - details

As a SIEM engineer, I want to know port numbers associated with the destination.port field. This will allow me to quickly identify potential applications communicating on the session and also the risk of the traffic I'm observing.

Tasks

  • Create a port lookup translation.
  • Add risk category score to application (scale of 1-10 or severity name).

Examples:

  • 3389 -> Remote Desktop Protocol (high risk)
  • 22 -> Secure Shell (high risk)
  • 3306 -> MySQL (medium risk)
  • 6881-6889 -> BitTorrent (high risk)
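One way to implement the requested lookup, written here as an added example rather than code from the OpenSIEM-Logstash-Parsing project: a port-range table that returns both an application label and a risk score, applied to an ECS-shaped event. The table contents, the 1-10 scores and severity thresholds, and the output field names (network.application, event.risk_score, event.severity_name) are assumptions for illustration. It works on a plain Ruby Hash so it runs stand-alone; inside a Logstash `ruby` filter the same logic would read and write through `event.get` / `event.set` instead.

```ruby
# Added example (not project code): destination.port -> application + risk lookup.
# Table entries and scores are illustrative assumptions, not a published scale.
# Each entry: inclusive port range, application label, risk score 1-10.
PORT_TABLE = [
  [3389..3389, "rdp",        9],
  [22..22,     "ssh",        8],
  [3306..3306, "mysql",      5],
  [6881..6889, "bittorrent", 8],  # a range, which a flat dictionary cannot express
  [443..443,   "https",      2],
].freeze

# Map a numeric score to a severity name (assumed thresholds).
def risk_name(score)
  case score
  when 8..10 then "high"
  when 5..7  then "medium"
  else            "low"
  end
end

# Return [application, score] for a port, or nil when the port is unknown
# or outside the valid range.
def lookup_port(port)
  return nil unless port.is_a?(Integer) && port.between?(0, 65_535)
  entry = PORT_TABLE.find { |range, _app, _score| range.cover?(port) }
  entry && [entry[1], entry[2]]
end

# destination.port arrives as an Integer from some parsers and a String from
# others; accept both, reject anything that is not a plain decimal number.
def to_port(value)
  case value
  when Integer then value
  when String  then value.match?(/\A\d+\z/) ? value.to_i : nil
  else nil
  end
end

# Enrich an ECS-shaped event Hash in place and return it. Events with no
# destination.port, or with an unknown port, are returned unchanged.
# Output field names are assumptions: network.application, event.risk_score,
# event.severity_name.
def enrich(event)
  port = to_port(event.dig("destination", "port"))
  hit = port && lookup_port(port)
  return event unless hit

  app, score = hit
  (event["network"] ||= {})["application"] = app
  ev = (event["event"] ||= {})
  ev["risk_score"] = score
  ev["severity_name"] = risk_name(score)
  event
end

# Constructed sample events covering integer, string, range and unknown ports.
SAMPLE_EVENTS = [
  { "destination" => { "port" => 3389 } },
  { "destination" => { "port" => "6885" } },
  { "destination" => { "port" => 3306 }, "network" => { "transport" => "tcp" } },
  { "destination" => { "port" => 9999 } },
  { "source" => { "port" => 22 } },  # no destination.port at all
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |e|
    enriched = enrich(e.dup)
    puts "#{e.dig('destination', 'port').inspect} => " \
         "#{enriched.dig('network', 'application').inspect} " \
         "#{enriched.dig('event', 'severity_name').inspect}"
  end
end
```

The range entries are the reason for a linear scan over a small table rather than a Logstash `translate` dictionary keyed on the port string; for a large IANA-derived table, expand ranges into a YAML dictionary once at build time and keep the scoring step separate.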

We added this, didn't we?
https://github.com/Cargill/OpenSIEM-Logstash-Parsing/blob/master/config/enrichments/96_lookup_iana_protocol.conf
I know you have another enrichment you wanted, but this one is completed? Or is this the mapping to the Palo Alto risk score?

Enrichment has been updated with protocol and transport lookups.