Digital Shadows SearchLight

Overview

Digital Shadows SearchLight continuously searches and identifies any unwanted exposures, and provides contextualised alerts to better understand the associated risks.

In this documenation we will explain how to collect and send SearchLight logs to Sekoia.io.

The following Sekoia.io built-in rules match the intake ReliaQuest GreyMatter/ Digital Shadows SearchLight. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x ReliaQuest GreyMatter/ Digital Shadows SearchLight on ATT&CK Navigator

Jumpcloud Policy Modified

Detects when a Jumpcloud policy is modified.

Effort: intermediate

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
`Social media monitoring`	Digital Shadows monitors Twitter, Youtube, Facebook
`File monitoring`	Digital Shadows monitors open file storage (Public NAS, Public AWS S3 Buckets, Public FTP/SMB, RSYNC)

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	`alert`
Category	`threat`
Type	`indicator`

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

searchlight_alerts.jsonsearchlight_incident.json

{
    "message": "{ \"id\": \"00a8bc91-bd77-45d5-bf45-213c6b7fee19\", \"portal-id\": \"XXXXXX\", \"classification\": \"impersonating-domain-alert\", \"risk-assessment\": { \"risk-level\": \"low\" }, \"risk-factors\": [ \"Has assets in content\", \"Hosting content\", \"Has a DNS record\", \"Newly registered when raised\" ], \"title\": \"Impersonating Domain example.info\", \"description\": \"A domain that is possibly impersonating your assets was detected.\\n\\nRisk Level: Low\\nImpersonating Domain: example.info\\nLast Registered: \\n\\nRisk Factors:\\n* Has assets in content\\n* Hosting content\\n* Has a DNS record\\n* Newly registered when raised\\n\\nMatched Assets:\\n* example\\n* example.biz\\n* example.eu\\n* example.fr\\n\\n\\nWHOIS records provide the following information:\\nRegistrar: Epik, Inc.\\nRegistrar abuse contact email: donuts@epik.com\\nRegistrar abuse contact phone: 425-765-0077\\nCreated: 19 Feb 2021 16:35\\nLast updated: 21 Feb 2022 09:35\\nRegistrar registration expiration date: 19 Feb 2023 16:35\\n\\nDNS Record\\nA - 185.255.121.5\\nNS - ns3.epik.com.\\nNS - ns4.epik.com.\\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\\nTXT - \\\"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\\\"\\nTXT - \\\"dan-ownership-verification=54z0h1kj\\\"\\nTXT - \\\"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\\\"\\n\\nAlert Raised: 05 Dec 2019 21:03\\nAlert Updated: 03 Mar 2022 13:03\\n\\nSearchlight Portal ID: XXXXX\\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\\n\", \"assets\": [ { \"id\": \"76ab3f96-c12c-428d-b213-446f17b7ab9b\" }, { \"id\": \"5fa68b35-a58f-40de-b2af-74be78b45b2d\" }, { \"id\": \"1647634f-d3e4-4150-991a-a99d5682644b\" }, { \"id\": \"1bf42c15-4d9d-40cc-b63a-e6e9a08151dc\" } ], \"raised\": \"2019-12-05T21:03:10.433Z\", \"updated\": \"2022-03-03T13:03:51.044370Z\" }",
    "event": {
        "action": "impersonating-domain-alert",
        "category": [
            "threat"
        ],
        "end": "2022-03-03T13:03:51.044370Z",
        "kind": "alert",
        "reason": "Impersonating Domain example.info",
        "start": "2019-12-05T21:03:10.433000Z",
        "type": [
            "indicator"
        ]
    },
    "digital_shadows_searchlight": {
        "description": "A domain that is possibly impersonating your assets was detected.\n\nRisk Level: Low\nImpersonating Domain: example.info\nLast Registered: \n\nRisk Factors:\n* Has assets in content\n* Hosting content\n* Has a DNS record\n* Newly registered when raised\n\nMatched Assets:\n* example\n* example.biz\n* example.eu\n* example.fr\n\n\nWHOIS records provide the following information:\nRegistrar: Epik, Inc.\nRegistrar abuse contact email: donuts@epik.com\nRegistrar abuse contact phone: 425-765-0077\nCreated: 19 Feb 2021 16:35\nLast updated: 21 Feb 2022 09:35\nRegistrar registration expiration date: 19 Feb 2023 16:35\n\nDNS Record\nA - 185.255.121.5\nNS - ns3.epik.com.\nNS - ns4.epik.com.\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\nTXT - \"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\"\nTXT - \"dan-ownership-verification=54z0h1kj\"\nTXT - \"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\"\n\nAlert Raised: 05 Dec 2019 21:03\nAlert Updated: 03 Mar 2022 13:03\n\nSearchlight Portal ID: XXXXX\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\n",
        "event": {
            "id": "00a8bc91-bd77-45d5-bf45-213c6b7fee19"
        },
        "portal_id": "XXXXXX",
        "risk_factors": [
            "Has a DNS record",
            "Has assets in content",
            "Hosting content",
            "Newly registered when raised"
        ],
        "risk_level": "low"
    }
}

{
    "message": "{\"id\":8484455,\"classification\":\"exposed-port-incident\",\"risk-level\":\"low\",\"title\":\"Exposed open port\",\"description\":\"The following ports have been detected on IP 11.22.33.44\\nPort 123\\n\",\"impact-description\":\"Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\\n\",\"mitigation\":\"Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\\t\\n\",\"assets\":[{\"id\":\"7332ea8f-cfbf-4bcf-8a1b-3b0991258dac\"}],\"raised\":\"2022-03-15T19:16:06.981Z\",\"updated\":\"2022-03-15T19:16:06.981Z\"}",
    "event": {
        "action": "exposed-port-incident",
        "category": [
            "threat"
        ],
        "end": "2022-03-15T19:16:06.981000Z",
        "kind": "alert",
        "reason": "Exposed open port",
        "start": "2022-03-15T19:16:06.981000Z",
        "type": [
            "indicator"
        ]
    },
    "digital_shadows_searchlight": {
        "description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n",
        "event": {
            "id": "8484455"
        },
        "impact_description": "Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\n",
        "mitigation": "Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\t\n",
        "risk_level": "low"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
`digital_shadows_searchlight.description`	`text`
`digital_shadows_searchlight.event.id`	`keyword`	Event ID associated with the alert in Digital Shadows SearchLight
`digital_shadows_searchlight.impact_description`	`keyword`
`digital_shadows_searchlight.mitigation`	`keyword`
`digital_shadows_searchlight.portal_id`	`keyword`
`digital_shadows_searchlight.risk_factors`	`text`	Risks associated with the alert in Digital Shadows SearchLight
`digital_shadows_searchlight.risk_level`	`keyword`	Risks level associated with the alert in Digital Shadows SearchLight
`event.action`	`keyword`	The action captured by the event.
`event.category`	`keyword`	Event category. The second categorization field in the hierarchy.
`event.end`	`date`	event.end contains the date when the event ended or when the activity was last observed.
`event.kind`	`keyword`	The kind of the event. The highest categorization field in the hierarchy.
`event.outcome`	`keyword`	The outcome of the event. The lowest level categorization field in the hierarchy.
`event.reason`	`keyword`	Reason why this event happened, according to the source
`event.start`	`date`	event.start contains the date when the event started or when the activity was first observed.
`event.type`	`keyword`	Event type. The third categorization field in the hierarchy.

Configure

First of all, you will have to retrieve configuration information. To do so, connect to the Digital Shadows portal to get an API key under the heading "api" > "Stored Objects" > "Portal" > "Searchlight API doc". Then, you will need to retrieve the following information from the portal:

API URL
Basicauth key
Basicauth secret
Your Searchlight account ID

You now have all information to configure the Digital Shadows Searchlight module and its Send events action to Sekoia.io.

To start your playbook with a template, go to: "Create a new playbook" > "Use a template" > Search for Searchlight.

You can also create your own on the same basis. A typical playbook to retrieve and send Searchlight logs to Sekoia.io will use this kind of chain:

A "Pull alerts from Searchlight" trigger
An action that sends events to Sekoia.io