HELK/docker/helk-jupyter/notebooks/sigma/appframework_django_exceptions.ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Django framework exceptions\n",
    "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Rule Content\n",
    "```\n",
    "- title: Django framework exceptions\n",
    "  id: fd435618-981e-4a7c-81f8-f78ce480d616\n",
    "  description: Detects suspicious Django web application framework exceptions that\n",
    "    could indicate exploitation attempts\n",
    "  author: Thomas Patzke\n",
    "  references:\n",
    "  - https://docs.djangoproject.com/en/1.11/ref/exceptions/\n",
    "  - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security\n",
    "  logsource:\n",
    "    category: application\n",
    "    product: django\n",
    "    service: null\n",
    "  detection:\n",
    "    keywords:\n",
    "    - SuspiciousOperation\n",
    "    - DisallowedHost\n",
    "    - DisallowedModelAdminLookup\n",
    "    - DisallowedModelAdminToField\n",
    "    - DisallowedRedirect\n",
    "    - InvalidSessionKey\n",
    "    - RequestDataTooBig\n",
    "    - SuspiciousFileOperation\n",
    "    - SuspiciousMultipartForm\n",
    "    - SuspiciousSession\n",
    "    - TooManyFieldsSent\n",
    "    - PermissionDenied\n",
    "    condition: keywords\n",
    "  falsepositives:\n",
    "  - Application bugs\n",
    "  - Penetration testing\n",
    "  level: medium\n",
    "\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Querying Elasticsearch"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Import Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from elasticsearch import Elasticsearch\n",
    "from elasticsearch_dsl import Search\n",
    "import pandas as pd"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Initialize Elasticsearch client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
    "searchContext = Search(using=es, index='logs-*', doc_type='doc')"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Run Elasticsearch Query"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "s = searchContext.query('query_string', query='\\*.keyword:(*SuspiciousOperation* OR *DisallowedHost* OR *DisallowedModelAdminLookup* OR *DisallowedModelAdminToField* OR *DisallowedRedirect* OR *InvalidSessionKey* OR *RequestDataTooBig* OR *SuspiciousFileOperation* OR *SuspiciousMultipartForm* OR *SuspiciousSession* OR *TooManyFieldsSent* OR *PermissionDenied*)')\n",
    "response = s.execute()\n",
    "if response.success():\n",
    "    df = pd.DataFrame((d.to_dict() for d in s.scan()))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Show Results"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "df.head()"
   ]
  }
 ],
 "metadata": {},
 "nbformat": 4,
 "nbformat_minor": 4
}