
Digital Shadows SearchLight

Overview

Digital Shadows SearchLight continuously searches for and identifies unwanted exposures of your assets, and provides contextualised alerts so that the associated risks can be understood and triaged.

  • Vendor: Digital Shadows
  • Supported environment: SaaS
  • Detection based on: Alert
  • Supported application or feature: Social media monitoring, File monitoring

Step-by-Step Configuration Procedure

In this documentation we will explain how to collect and send SearchLight logs to Sekoia.io.

Instructions on the 3rd Party Solution

First of all, you will have to retrieve configuration information. To do so, connect to the Digital Shadows portal and get an API key under the heading api > Stored Objects > Portal > Searchlight API doc.

Then, retrieve the following information from the portal:

  • API URL
  • Basicauth key
  • Basicauth secret
  • Your Searchlight account ID

You now have all the information needed to configure the Digital Shadows Searchlight module and its Send events action in Sekoia.io. Treat the Basicauth key and secret as credentials: enter them only in the playbook's Trigger configuration and do not copy them into tickets, chat or shell history.
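To make clear where each of the four values above is used when alerts are pulled, here is an added example of a minimal poller (not the Sekoia module's code). The Basic auth token is built from the Basicauth key and secret, and the account ID travels in a request header. The endpoint path, the `searchlight-account-id` header name, the `event-num-after` cursor parameter, the `limit` parameter and the `event-num` field are assumptions to be confirmed against the Searchlight API doc in the portal; the fetch function is injectable so the loop can be exercised offline with a fake feed.

```python
"""Minimal SearchLight poller showing where the API URL, Basicauth key,
Basicauth secret and account ID are used. Added example, not the Sekoia
module's code. ASSUMED (verify against the portal's Searchlight API doc):
endpoint path, header name, cursor parameter and the "event-num" field."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List, Optional, Tuple

EVENTS_PATH = "/v1/triage-item-events"   # ASSUMED incremental event feed
CURSOR_PARAM = "event-num-after"         # ASSUMED cursor query parameter
ACCOUNT_HEADER = "searchlight-account-id"  # ASSUMED header name

Fetch = Callable[[urllib.request.Request], bytes]


def build_request(api_url: str, key: str, secret: str, account_id: str,
                  path: str, params: Optional[dict] = None) -> urllib.request.Request:
    """Basic auth is base64("key:secret"); the account ID goes in a header.
    The secret never appears in the URL, so it does not end up in proxy logs."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    url = api_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        ACCOUNT_HEADER: account_id,
        "Accept": "application/json",
    })


def _http_fetch(req: urllib.request.Request) -> bytes:
    """Real transport: one HTTPS round trip with a bounded timeout."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def poll_events(api_url: str, key: str, secret: str, account_id: str,
                after: int, fetch: Fetch = _http_fetch,
                page_size: int = 100) -> Iterator[dict]:
    """Walk the feed from cursor `after`, page by page, until a short page.
    Persist the last yielded "event-num" between runs so that alerts are
    fetched exactly once instead of re-ingesting the whole feed."""
    cursor = after
    while True:
        req = build_request(api_url, key, secret, account_id, EVENTS_PATH,
                            {CURSOR_PARAM: cursor, "limit": page_size})
        page = json.loads(fetch(req))
        for item in page:
            cursor = max(cursor, int(item["event-num"]))  # ASSUMED field
            yield item
        if len(page) < page_size:
            return


def make_fake_fetch(pages: List[List[dict]]) -> Tuple[Fetch, List[urllib.request.Request]]:
    """Offline transport for testing: serves the constructed pages in order
    and records every request so headers and cursors can be inspected."""
    seen: List[urllib.request.Request] = []

    def fetch(req: urllib.request.Request) -> bytes:
        seen.append(req)
        return json.dumps(pages[len(seen) - 1]).encode()

    return fetch, seen


if __name__ == "__main__":
    # Constructed feed: two pages, the second one short, so polling stops.
    fetch, seen = make_fake_fetch([[{"event-num": 1}, {"event-num": 2}],
                                   [{"event-num": 3}]])
    got = list(poll_events("https://api.example.invalid", "KEY", "SECRET",
                           "ACCOUNT", after=0, fetch=fetch, page_size=2))
    print([e["event-num"] for e in got], [r.full_url for r in seen])
```

The only thing a reader should keep verbatim is the shape: credentials in the Authorization header, tenant selection in a separate header, and a persisted cursor. Everything marked ASSUMED must be checked against the API documentation linked from the portal before the poller is pointed at the real API URL.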

Instruction on Sekoia

Configure Your Intake

This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.

  1. Go to the Sekoia Intake page.
  2. Click on the + New Intake button at the top right of the page.
  3. Search for your Intake by the product name in the search bar.
  4. Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
  5. Click on Create.
  6. You will be redirected to the Intake listing page, where you will find a new line with the name you gave to the Intake.

Note

For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.

Configure Your Playbook

This section will assist you in pulling remote logs from Digital Shadows SearchLight with a Sekoia playbook and sending them to the intake you previously created.

  1. Go to the Sekoia playbook page.
  2. Click on the + New playbook button at the top right of the page.
  3. Select Create a playbook from scratch, and click Next.
  4. Give it a Name and a Description, and click Next.
  5. Choose a trigger from the list by searching for the name of the product, and click Create.
  6. A new Playbook page will be displayed. Click on the module in the center of the page, then click on the Configure icon.
  7. On the right panel, click on the Configuration tab.
  8. Select an existing Trigger Configuration (from the account menu) or create a new one by clicking on + Create new configuration.
  9. Configure the Trigger based on the Actions Library entry for the Digital Shadows Searchlight module (API URL, Basicauth key, Basicauth secret and account ID), then click Save.
  10. Click on Save at the top right of the playbook page.
  11. Activate the playbook by clicking on the "On / Off" toggle button at the top right corner of the page.

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. This is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. Note that the two samples have different shapes: the alert carries a UUID id, a nested risk-assessment and a list of risk-factors, while the incident carries a numeric id, a top-level risk-level, an impact-description and a mitigation.

{
    "id": "00a8bc91-bd77-45d5-bf45-213c6b7fee19",
    "portal-id": "XXXXXX",
    "classification": "impersonating-domain-alert",
    "risk-assessment": {
        "risk-level": "low"
    },
    "risk-factors": [
        "Has assets in content",
        "Hosting content",
        "Has a DNS record",
        "Newly registered when raised"
    ],
    "title": "Impersonating Domain example.info",
    "description": "A domain that is possibly impersonating your assets was detected.\n\nRisk Level: Low\nImpersonating Domain: example.info\nLast Registered: \n\nRisk Factors:\n* Has assets in content\n* Hosting content\n* Has a DNS record\n* Newly registered when raised\n\nMatched Assets:\n* example\n* example.biz\n* example.eu\n* example.fr\n\n\nWHOIS records provide the following information:\nRegistrar: Epik, Inc.\nRegistrar abuse contact email: donuts@epik.com\nRegistrar abuse contact phone: 425-765-0077\nCreated: 19 Feb 2021 16:35\nLast updated: 21 Feb 2022 09:35\nRegistrar registration expiration date: 19 Feb 2023 16:35\n\nDNS Record\nA - 185.255.121.5\nNS - ns3.epik.com.\nNS - ns4.epik.com.\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\nTXT - \"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\"\nTXT - \"dan-ownership-verification=54z0h1kj\"\nTXT - \"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\"\n\nAlert Raised: 05 Dec 2019 21:03\nAlert Updated: 03 Mar 2022 13:03\n\nSearchlight Portal ID: XXXXX\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\n",
    "assets": [
        {
            "id": "76ab3f96-c12c-428d-b213-446f17b7ab9b"
        },
        {
            "id": "5fa68b35-a58f-40de-b2af-74be78b45b2d"
        },
        {
            "id": "1647634f-d3e4-4150-991a-a99d5682644b"
        },
        {
            "id": "1bf42c15-4d9d-40cc-b63a-e6e9a08151dc"
        }
    ],
    "raised": "2019-12-05T21:03:10.433Z",
    "updated": "2022-03-03T13:03:51.044370Z"
}
{
    "id": 8484455,
    "classification": "exposed-port-incident",
    "risk-level": "low",
    "title": "Exposed open port",
    "description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n",
    "impact-description": "Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\n",
    "mitigation": "Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\t\n",
    "assets": [
        {
            "id": "7332ea8f-cfbf-4bcf-8a1b-3b0991258dac"
        }
    ],
    "raised": "2022-03-15T19:16:06.981Z",
    "updated": "2022-03-15T19:16:06.981Z"
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

No related built-in rules were found. This message is automatically generated.

Event Categories

The following table lists the data sources offered by this integration.

Data Source Description
Social media monitoring Digital Shadows monitors Twitter, YouTube, Facebook
File monitoring Digital Shadows monitors open file storage (Public NAS, Public AWS S3 Buckets, Public FTP/SMB, RSYNC)

In detail, the following table denotes the type of events produced by this integration.

Name Values
Kind alert
Category threat
Type indicator

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{ \"id\": \"00a8bc91-bd77-45d5-bf45-213c6b7fee19\", \"portal-id\": \"XXXXXX\", \"classification\": \"impersonating-domain-alert\", \"risk-assessment\": { \"risk-level\": \"low\" }, \"risk-factors\": [ \"Has assets in content\", \"Hosting content\", \"Has a DNS record\", \"Newly registered when raised\" ], \"title\": \"Impersonating Domain example.info\", \"description\": \"A domain that is possibly impersonating your assets was detected.\\n\\nRisk Level: Low\\nImpersonating Domain: example.info\\nLast Registered: \\n\\nRisk Factors:\\n* Has assets in content\\n* Hosting content\\n* Has a DNS record\\n* Newly registered when raised\\n\\nMatched Assets:\\n* example\\n* example.biz\\n* example.eu\\n* example.fr\\n\\n\\nWHOIS records provide the following information:\\nRegistrar: Epik, Inc.\\nRegistrar abuse contact email: donuts@epik.com\\nRegistrar abuse contact phone: 425-765-0077\\nCreated: 19 Feb 2021 16:35\\nLast updated: 21 Feb 2022 09:35\\nRegistrar registration expiration date: 19 Feb 2023 16:35\\n\\nDNS Record\\nA - 185.255.121.5\\nNS - ns3.epik.com.\\nNS - ns4.epik.com.\\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\\nTXT - \\\"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\\\"\\nTXT - \\\"dan-ownership-verification=54z0h1kj\\\"\\nTXT - \\\"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\\\"\\n\\nAlert Raised: 05 Dec 2019 21:03\\nAlert Updated: 03 Mar 2022 13:03\\n\\nSearchlight Portal ID: XXXXX\\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\\n\", \"assets\": [ { \"id\": \"76ab3f96-c12c-428d-b213-446f17b7ab9b\" }, { \"id\": \"5fa68b35-a58f-40de-b2af-74be78b45b2d\" }, { \"id\": \"1647634f-d3e4-4150-991a-a99d5682644b\" }, { \"id\": \"1bf42c15-4d9d-40cc-b63a-e6e9a08151dc\" } ], \"raised\": \"2019-12-05T21:03:10.433Z\", \"updated\": \"2022-03-03T13:03:51.044370Z\" }",
    "event": {
        "action": "impersonating-domain-alert",
        "category": [
            "threat"
        ],
        "end": "2022-03-03T13:03:51.044370Z",
        "kind": "alert",
        "outcome": "success",
        "reason": "Impersonating Domain example.info",
        "start": "2019-12-05T21:03:10.433000Z",
        "type": [
            "indicator"
        ]
    },
    "digital_shadows_searchlight": {
        "description": "A domain that is possibly impersonating your assets was detected.\n\nRisk Level: Low\nImpersonating Domain: example.info\nLast Registered: \n\nRisk Factors:\n* Has assets in content\n* Hosting content\n* Has a DNS record\n* Newly registered when raised\n\nMatched Assets:\n* example\n* example.biz\n* example.eu\n* example.fr\n\n\nWHOIS records provide the following information:\nRegistrar: Epik, Inc.\nRegistrar abuse contact email: donuts@epik.com\nRegistrar abuse contact phone: 425-765-0077\nCreated: 19 Feb 2021 16:35\nLast updated: 21 Feb 2022 09:35\nRegistrar registration expiration date: 19 Feb 2023 16:35\n\nDNS Record\nA - 185.255.121.5\nNS - ns3.epik.com.\nNS - ns4.epik.com.\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\nTXT - \"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\"\nTXT - \"dan-ownership-verification=54z0h1kj\"\nTXT - \"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\"\n\nAlert Raised: 05 Dec 2019 21:03\nAlert Updated: 03 Mar 2022 13:03\n\nSearchlight Portal ID: XXXXX\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\n",
        "event": {
            "id": "00a8bc91-bd77-45d5-bf45-213c6b7fee19"
        },
        "portal_id": "XXXXXX",
        "risk_factors": [
            "Has a DNS record",
            "Has assets in content",
            "Hosting content",
            "Newly registered when raised"
        ],
        "risk_level": "low"
    }
}
{
    "message": "{\"id\":8484455,\"classification\":\"exposed-port-incident\",\"risk-level\":\"low\",\"title\":\"Exposed open port\",\"description\":\"The following ports have been detected on IP 11.22.33.44\\nPort 123\\n\",\"impact-description\":\"Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\\n\",\"mitigation\":\"Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\\t\\n\",\"assets\":[{\"id\":\"7332ea8f-cfbf-4bcf-8a1b-3b0991258dac\"}],\"raised\":\"2022-03-15T19:16:06.981Z\",\"updated\":\"2022-03-15T19:16:06.981Z\"}",
    "event": {
        "action": "exposed-port-incident",
        "category": [
            "threat"
        ],
        "end": "2022-03-15T19:16:06.981000Z",
        "kind": "alert",
        "outcome": "success",
        "reason": "Exposed open port",
        "start": "2022-03-15T19:16:06.981000Z",
        "type": [
            "indicator"
        ]
    },
    "digital_shadows_searchlight": {
        "description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n",
        "event": {
            "id": "8484455"
        },
        "impact_description": "Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\n",
        "mitigation": "Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\t\n",
        "risk_level": "low"
    }
}
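To show how the two raw shapes above end up in the same ECS layout, here is an added reference normaliser. It is not Sekoia's parser; it is example code that reproduces the transformed samples on this page (the inputs are abridged copies of the raw samples, with descriptions shortened). It handles the points that differ between alerts and incidents: the nested versus flat risk level, the numeric incident id that becomes a string, the optional fields, the sorted risk_factors list, and timestamps that are always rendered with six fractional digits.

```python
"""Reference normaliser for the two SearchLight record shapes (alert vs.
incident) into the ECS-style layout shown on this page. Added example, NOT
Sekoia's parser; inputs are abridged copies of the page's raw samples."""
import json
from datetime import datetime, timezone
from typing import Any, Dict

# Constructed input: abridged versions of the two raw records shown above.
RAW_ALERT = json.dumps({
    "id": "00a8bc91-bd77-45d5-bf45-213c6b7fee19",
    "portal-id": "XXXXXX",
    "classification": "impersonating-domain-alert",
    "risk-assessment": {"risk-level": "low"},
    "risk-factors": ["Has assets in content", "Hosting content",
                     "Has a DNS record", "Newly registered when raised"],
    "title": "Impersonating Domain example.info",
    "description": "A domain that is possibly impersonating your assets was detected.\n",
    "assets": [{"id": "76ab3f96-c12c-428d-b213-446f17b7ab9b"}],
    "raised": "2019-12-05T21:03:10.433Z",
    "updated": "2022-03-03T13:03:51.044370Z",
})
RAW_INCIDENT = json.dumps({
    "id": 8484455,
    "classification": "exposed-port-incident",
    "risk-level": "low",
    "title": "Exposed open port",
    "description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n",
    "impact-description": "Port 123: Port 123 (Network Time Protocol) can be abused "
                          "to cause a denial-of-service attack.\n",
    "mitigation": "Port 123: This port should ideally not be reachable from the "
                  "public Internet and so should be firewalled off.\n",
    "assets": [{"id": "7332ea8f-cfbf-4bcf-8a1b-3b0991258dac"}],
    "raised": "2022-03-15T19:16:06.981Z",
    "updated": "2022-03-15T19:16:06.981Z",
})

# Raw key -> normalised key for fields copied verbatim when present.
_COPIED = (("description", "description"),
           ("impact-description", "impact_description"),
           ("mitigation", "mitigation"),
           ("portal-id", "portal_id"))


def to_micro_z(ts: str) -> str:
    """SearchLight emits 3 or 6 fractional digits; the parser output always
    carries six digits and a trailing Z (e.g. .433Z -> .433000Z)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def risk_level_of(raw: Dict[str, Any]) -> Any:
    """Incidents put risk-level at the top level; alerts nest it under
    risk-assessment. Returns None if neither is present."""
    if "risk-level" in raw:
        return raw["risk-level"]
    return raw.get("risk-assessment", {}).get("risk-level")


def normalize(raw_line: str) -> Dict[str, Any]:
    """Turn one raw JSON record into the transformed layout from this page."""
    raw = json.loads(raw_line)
    custom: Dict[str, Any] = {"event": {"id": str(raw["id"])}}  # 8484455 -> "8484455"
    for src, dst in _COPIED:
        if src in raw:
            custom[dst] = raw[src]
    if "risk-factors" in raw:
        custom["risk_factors"] = sorted(raw["risk-factors"])  # page output is sorted
    level = risk_level_of(raw)
    if level is not None:
        custom["risk_level"] = level
    return {
        "message": raw_line,
        "event": {
            "action": raw["classification"],
            "category": ["threat"],
            "end": to_micro_z(raw["updated"]),
            "kind": "alert",
            "outcome": "success",
            "reason": raw["title"],
            "start": to_micro_z(raw["raised"]),
            "type": ["indicator"],
        },
        "digital_shadows_searchlight": custom,
    }


if __name__ == "__main__":
    for line in (RAW_ALERT, RAW_INCIDENT):
        print(json.dumps(normalize(line), indent=2))
```

Two things are worth noticing when writing custom rules on top of this data: the asset ids are not carried into the normalised event, so pivoting on assets has to go through the portal, and an incident with no risk level in either position simply lacks risk_level rather than failing, so a rule keyed on that field should handle its absence.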

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.

Name Type Description
digital_shadows_searchlight.description text Free-text description of the alert or incident as written by Digital Shadows SearchLight
digital_shadows_searchlight.event.id keyword Event ID associated with the alert in Digital Shadows SearchLight
digital_shadows_searchlight.impact_description keyword Impact statement attached to an incident in Digital Shadows SearchLight
digital_shadows_searchlight.mitigation keyword Recommended mitigation attached to an incident in Digital Shadows SearchLight
digital_shadows_searchlight.portal_id keyword Identifier of the alert in the Digital Shadows SearchLight portal
digital_shadows_searchlight.risk_factors text Risk factors associated with the alert in Digital Shadows SearchLight
digital_shadows_searchlight.risk_level keyword Risk level associated with the alert in Digital Shadows SearchLight
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.outcome keyword The outcome of the event. The lowest level categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.start date event.start contains the date when the event started or when the activity was first observed.
event.type keyword Event type. The third categorization field in the hierarchy.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.