Digital Shadows SearchLight
Overview
Digital Shadows SearchLight continuously searches and identifies any unwanted exposures, and provides contextualised alerts to better understand the associated risks.
- Vendor: Digital Shadows
- Supported environment: SaaS
- Detection based on: Alert
- Supported application or feature: Social media monitoring, File monitoring
Step-by-Step Configuration Procedure
In this documentation we will explain how to collect and send SearchLight logs to Sekoia.io.
Instructions on the 3rd Party Solution
First of all, you will have to retrieve configuration information.
To do so, connect to the Digital Shadows portal to get an API key under the heading api > Stored Objects > Portal > Searchlight API doc.
Then, you will need to retrieve the following information from the portal:
- API URL
- Basicauth key
- Basicauth secret
- Your Searchlight account ID
You now have all information to configure the Digital Shadows Searchlight module and its Send events action to Sekoia.io.
Instruction on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the + New Intake button at the top right of the page.
- Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on Create.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Configure Your Playbook
This section will assist you in pulling remote logs from Sekoia and sending them to the intake you previously created.
- Go to the Sekoia playbook page.
- Click on the + New playbook button at the top right of the page.
- Select Create a playbook from scratch, and click Next.
- Give it a Name and a Description, and click Next.
- Choose a trigger from the list by searching for the name of the product, and click Create.
- A new Playbook page will be displayed. Click on the module in the center of the page, then click on the Configure icon.
- On the right panel, click on the Configuration tab.
- Select an existing Trigger Configuration (from the account menu) or create a new one by clicking on + Create new configuration.
- Configure the Trigger based on the Actions Library (for instance, see here for AWS modules), then click Save.
- Click on Save at the top right of the playbook page.
- Activate the playbook by clicking on the "On / Off" toggle button at the top right corner of the page.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"id": "00a8bc91-bd77-45d5-bf45-213c6b7fee19",
"portal-id": "XXXXXX",
"classification": "impersonating-domain-alert",
"risk-assessment": {
"risk-level": "low"
},
"risk-factors": [
"Has assets in content",
"Hosting content",
"Has a DNS record",
"Newly registered when raised"
],
"title": "Impersonating Domain example.info",
"description": "A domain that is possibly impersonating your assets was detected.\n\nRisk Level: Low\nImpersonating Domain: example.info\nLast Registered: \n\nRisk Factors:\n* Has assets in content\n* Hosting content\n* Has a DNS record\n* Newly registered when raised\n\nMatched Assets:\n* example\n* example.biz\n* example.eu\n* example.fr\n\n\nWHOIS records provide the following information:\nRegistrar: Epik, Inc.\nRegistrar abuse contact email: donuts@epik.com\nRegistrar abuse contact phone: 425-765-0077\nCreated: 19 Feb 2021 16:35\nLast updated: 21 Feb 2022 09:35\nRegistrar registration expiration date: 19 Feb 2023 16:35\n\nDNS Record\nA - 185.255.121.5\nNS - ns3.epik.com.\nNS - ns4.epik.com.\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\nTXT - \"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\"\nTXT - \"dan-ownership-verification=54z0h1kj\"\nTXT - \"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\"\n\nAlert Raised: 05 Dec 2019 21:03\nAlert Updated: 03 Mar 2022 13:03\n\nSearchlight Portal ID: XXXXX\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\n",
"assets": [
{
"id": "76ab3f96-c12c-428d-b213-446f17b7ab9b"
},
{
"id": "5fa68b35-a58f-40de-b2af-74be78b45b2d"
},
{
"id": "1647634f-d3e4-4150-991a-a99d5682644b"
},
{
"id": "1bf42c15-4d9d-40cc-b63a-e6e9a08151dc"
}
],
"raised": "2019-12-05T21:03:10.433Z",
"updated": "2022-03-03T13:03:51.044370Z"
}
{
"id": 8484455,
"classification": "exposed-port-incident",
"risk-level": "low",
"title": "Exposed open port",
"description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n",
"impact-description": "Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\n",
"mitigation": "Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\t\n",
"assets": [
{
"id": "7332ea8f-cfbf-4bcf-8a1b-3b0991258dac"
}
],
"raised": "2022-03-15T19:16:06.981Z",
"updated": "2022-03-15T19:16:06.981Z"
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules were found. This message is automatically generated.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description
---|---
Social media monitoring | Digital Shadows monitors Twitter, Youtube, Facebook
File monitoring | Digital Shadows monitors open file storage (Public NAS, Public AWS S3 Buckets, Public FTP/SMB, RSYNC)
In detail, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | alert |
Category | threat |
Type | indicator |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{ \"id\": \"00a8bc91-bd77-45d5-bf45-213c6b7fee19\", \"portal-id\": \"XXXXXX\", \"classification\": \"impersonating-domain-alert\", \"risk-assessment\": { \"risk-level\": \"low\" }, \"risk-factors\": [ \"Has assets in content\", \"Hosting content\", \"Has a DNS record\", \"Newly registered when raised\" ], \"title\": \"Impersonating Domain example.info\", \"description\": \"A domain that is possibly impersonating your assets was detected.\\n\\nRisk Level: Low\\nImpersonating Domain: example.info\\nLast Registered: \\n\\nRisk Factors:\\n* Has assets in content\\n* Hosting content\\n* Has a DNS record\\n* Newly registered when raised\\n\\nMatched Assets:\\n* example\\n* example.biz\\n* example.eu\\n* example.fr\\n\\n\\nWHOIS records provide the following information:\\nRegistrar: Epik, Inc.\\nRegistrar abuse contact email: donuts@epik.com\\nRegistrar abuse contact phone: 425-765-0077\\nCreated: 19 Feb 2021 16:35\\nLast updated: 21 Feb 2022 09:35\\nRegistrar registration expiration date: 19 Feb 2023 16:35\\n\\nDNS Record\\nA - 185.255.121.5\\nNS - ns3.epik.com.\\nNS - ns4.epik.com.\\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\\nTXT - \\\"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\\\"\\nTXT - \\\"dan-ownership-verification=54z0h1kj\\\"\\nTXT - \\\"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\\\"\\n\\nAlert Raised: 05 Dec 2019 21:03\\nAlert Updated: 03 Mar 2022 13:03\\n\\nSearchlight Portal ID: XXXXX\\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\\n\", \"assets\": [ { \"id\": \"76ab3f96-c12c-428d-b213-446f17b7ab9b\" }, { \"id\": \"5fa68b35-a58f-40de-b2af-74be78b45b2d\" }, { \"id\": \"1647634f-d3e4-4150-991a-a99d5682644b\" }, { \"id\": \"1bf42c15-4d9d-40cc-b63a-e6e9a08151dc\" } ], \"raised\": \"2019-12-05T21:03:10.433Z\", \"updated\": \"2022-03-03T13:03:51.044370Z\" }",
"event": {
"action": "impersonating-domain-alert",
"category": [
"threat"
],
"end": "2022-03-03T13:03:51.044370Z",
"kind": "alert",
"outcome": "success",
"reason": "Impersonating Domain example.info",
"start": "2019-12-05T21:03:10.433000Z",
"type": [
"indicator"
]
},
"digital_shadows_searchlight": {
"description": "A domain that is possibly impersonating your assets was detected.\n\nRisk Level: Low\nImpersonating Domain: example.info\nLast Registered: \n\nRisk Factors:\n* Has assets in content\n* Hosting content\n* Has a DNS record\n* Newly registered when raised\n\nMatched Assets:\n* example\n* example.biz\n* example.eu\n* example.fr\n\n\nWHOIS records provide the following information:\nRegistrar: Epik, Inc.\nRegistrar abuse contact email: donuts@epik.com\nRegistrar abuse contact phone: 425-765-0077\nCreated: 19 Feb 2021 16:35\nLast updated: 21 Feb 2022 09:35\nRegistrar registration expiration date: 19 Feb 2023 16:35\n\nDNS Record\nA - 185.255.121.5\nNS - ns3.epik.com.\nNS - ns4.epik.com.\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\nTXT - \"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\"\nTXT - \"dan-ownership-verification=54z0h1kj\"\nTXT - \"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\"\n\nAlert Raised: 05 Dec 2019 21:03\nAlert Updated: 03 Mar 2022 13:03\n\nSearchlight Portal ID: XXXXX\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\n",
"event": {
"id": "00a8bc91-bd77-45d5-bf45-213c6b7fee19"
},
"portal_id": "XXXXXX",
"risk_factors": [
"Has a DNS record",
"Has assets in content",
"Hosting content",
"Newly registered when raised"
],
"risk_level": "low"
}
}
{
"message": "{\"id\":8484455,\"classification\":\"exposed-port-incident\",\"risk-level\":\"low\",\"title\":\"Exposed open port\",\"description\":\"The following ports have been detected on IP 11.22.33.44\\nPort 123\\n\",\"impact-description\":\"Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\\n\",\"mitigation\":\"Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\\t\\n\",\"assets\":[{\"id\":\"7332ea8f-cfbf-4bcf-8a1b-3b0991258dac\"}],\"raised\":\"2022-03-15T19:16:06.981Z\",\"updated\":\"2022-03-15T19:16:06.981Z\"}",
"event": {
"action": "exposed-port-incident",
"category": [
"threat"
],
"end": "2022-03-15T19:16:06.981000Z",
"kind": "alert",
"outcome": "success",
"reason": "Exposed open port",
"start": "2022-03-15T19:16:06.981000Z",
"type": [
"indicator"
]
},
"digital_shadows_searchlight": {
"description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n",
"event": {
"id": "8484455"
},
"impact_description": "Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\n",
"mitigation": "Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\t\n",
"risk_level": "low"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description
---|---|---
digital_shadows_searchlight.description | text | 
digital_shadows_searchlight.event.id | keyword | Event ID associated with the alert in Digital Shadows SearchLight
digital_shadows_searchlight.impact_description | keyword | 
digital_shadows_searchlight.mitigation | keyword | 
digital_shadows_searchlight.portal_id | keyword | 
digital_shadows_searchlight.risk_factors | text | Risks associated with the alert in Digital Shadows SearchLight
digital_shadows_searchlight.risk_level | keyword | Risk level associated with the alert in Digital Shadows SearchLight
event.action | keyword | The action captured by the event.
event.category | keyword | Event category. The second categorization field in the hierarchy.
event.end | date | event.end contains the date when the event ended or when the activity was last observed.
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy.
event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy.
event.reason | keyword | Reason why this event happened, according to the source
event.start | date | event.start contains the date when the event started or when the activity was first observed.
event.type | keyword | Event type. The third categorization field in the hierarchy.
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.