diff --git a/.tests/authelia-bf/scenario.assert b/.tests/authelia-bf/scenario.assert
index 11e82928258..8adc497eb89 100644
--- a/.tests/authelia-bf/scenario.assert
+++ b/.tests/authelia-bf/scenario.assert
@@ -12,6 +12,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("service") == "authelia"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "5.5.5.6"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2022-02-16T12:31:49+02:00"
 results[0].Overflow.Alert.Events[0].GetMeta("user") == "fakeuser1@example.com"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "fakeuser1@example.com"
 basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "authelia-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_format") == "JSON"
@@ -1566,4 +1567,4 @@ results[27].Overflow.Alert.Events[5].GetMeta("timestamp") == "2022-02-14T13:47:5
 results[27].Overflow.Alert.Events[5].GetMeta("user") == "fakeuser6"
 results[27].Overflow.Alert.GetScenario() == "LePresidente/authelia-bf"
 results[27].Overflow.Alert.Remediation == true
-results[27].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
+results[27].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/authelia-logs/parser.assert b/.tests/authelia-logs/parser.assert
index 4feaee0f827..105ea38bdec 100644
--- a/.tests/authelia-logs/parser.assert
+++ b/.tests/authelia-logs/parser.assert
@@ -223,6 +223,7 @@ results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["log_type"] == "a
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["service"] == "authelia"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["user"] == "fakeuser"
+results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Meta["target_user"] == "fakeuser"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["method"] == "POST"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["msg"] == "Error occurred getting details for user with username input 'fakeuser' which usually indicates they do not exist"
 results["s01-parse"]["LePresidente/authelia-logs"][0].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
@@ -809,6 +810,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] =
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-03-13T14:01:02+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "fakeuser"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "fakeuser"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-03-13T14:01:02+02:00"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["authelia"]["path"] == "/api/firstfactor"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
@@ -1441,4 +1443,4 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["aut
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["path"] == "/api/secondfactor/duo"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Unmarshaled["authelia"]["remote_ip"] == "1.1.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][29].Evt.Whitelisted == false
-len(results["success"][""]) == 0
\ No newline at end of file
+len(results["success"][""]) == 0
diff --git a/parsers/s01-parse/LePresidente/authelia-logs.yaml b/parsers/s01-parse/LePresidente/authelia-logs.yaml
index f8e8e228193..68a60b9d334 100644
--- a/parsers/s01-parse/LePresidente/authelia-logs.yaml
+++ b/parsers/s01-parse/LePresidente/authelia-logs.yaml
@@ -39,6 +39,8 @@ nodes:
 statics:
 - meta: user
 expression: evt.Parsed.user
+ - meta: target_user
+ expression: evt.Parsed.user
 - target: evt.StrTime
 expression: evt.Unmarshaled.authelia.time
 - meta: source_ip
diff --git a/scenarios/LePresidente/authelia-bf.yaml b/scenarios/LePresidente/authelia-bf.yaml
index 9cbc4f0e52d..43e8702bf8c 100644
--- a/scenarios/LePresidente/authelia-bf.yaml
+++ b/scenarios/LePresidente/authelia-bf.yaml
@@ -24,7 +24,7 @@ name: LePresidente/authelia-bf_user-enum
 description: "Detect authelia user enum bruteforce"
 filter: "evt.Meta.service == 'authelia' && evt.Meta.log_type == 'auth_failed'"
 groupby: evt.Meta.source_ip
-distinct: evt.Meta.user
+distinct: evt.Meta.target_user
 leakspeed: 10s
 capacity: 5
 blackhole: 1m
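Review bot: The new `target_user` static copies `evt.Parsed.user` with no comment explaining why a second field identical to the `user` meta is being added, and nothing records that this value is the client-submitted username rather than a verified account (the fixture's own log message reads "Error occurred getting details for user with username input 'fakeuser'"). A comment on the new static, `# target_user: the username the client submitted (attacker-controlled); kept alongside user for compatibility`, would stop the next maintainer from treating it as an authenticated identity or dropping the apparent duplicate. If this follows the `target_user` naming other hub scenarios use for the account under attack, say so there too, since the `user` meta is left in place and the two will otherwise drift. How an empty `evt.Parsed.user` is handled — an empty `target_user` or no meta at all — depends on crowdsec's treatment of empty static results and is worth confirming now that a scenario keys on this field. The node that owns these statics, and the grok/regex that populates `evt.Parsed.user`, start before the hunk.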
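Review bot: Switching `distinct` to `evt.Meta.target_user` makes this bucket depend on a parser version that emits that meta, and hub parsers and scenarios are upgraded independently; an installation that takes this scenario with an older `authelia-logs` parser will keep pouring `auth_failed` events in with no `target_user`, and the user-enum detection most likely degrades silently rather than failing (exact handling of an empty distinct value should be confirmed in crowdsec). Consider making the dependency explicit in the filter, `filter: "evt.Meta.service == 'authelia' && evt.Meta.log_type == 'auth_failed' && evt.Meta.target_user != ''"`, or at minimum mention the required parser version in the item's description. A short comment above the line, `# distinct on the attacker-supplied username: counts how many accounts one source IP probes`, would also record why this bucket deliberately keys on an untrusted value, which is exactly the enumeration signal and should not later be "corrected" to a verified identity. The `authelia-bf_user-enum` bucket definition appears to continue outside the hunk.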