Alert to list commands associated with an ssh session to a remote host

In this article we show how to configure an alert that fires whenever someone starts an ssh session to a remote machine from a Bastion Host. We then show how to build a context query that lists all the commands that user ran on the remote machine during the ssh session.


1. Add a JavaScript event rule to capture the ssh session:


Query
const events = [];
const desc = 'User sudo ssh from bastion host';
records.forEach(record => {
  const cmd = record.columns['cmdline'];
  if (cmd.startsWith('sudo ssh')) {
    // split the cmdline into parts and take the target hostname as the 3rd part
    const parts = cmd.split(" ");
    const targetHostname = parts[2];
    const event = {
      severity: 'low',
      description: desc,
      time: record.unixTime,
      // key/value must be unique per session so that every alert is emitted
      key: 'user and time',
      value: record.columns['uname'] + " " + record.unixTime,
      cmdline: record.columns['cmdline'],
      pid: record.columns['pid'],
      uname: record.columns['uname'],
      target_hostname: targetHostname
    };
    events.push(event);
  }
});
return events;

Note that the "value" field in the above rule is "uname + time", so that each alert value is unique and every alert is therefore forwarded to our SIEM.
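The rule above takes the third token of the command line as the target host, which breaks for invocations such as `sudo ssh -p 2222 -i key admin@db-01`. The following is an added example (not code from the article or from Uptycs) that keeps the same event shape but parses the destination host while skipping ssh options, `user@` prefixes and `ssh://` URIs; the option set and the sample records are assumptions constructed for the example.

```javascript
// ssh(1) options that consume the next token as their value (assumption: current OpenSSH option set).
const SSH_OPTS_WITH_ARG = new Set(['-b', '-c', '-D', '-E', '-e', '-F', '-I', '-i', '-J', '-L',
  '-l', '-m', '-O', '-o', '-p', '-Q', '-R', '-S', '-W', '-w']);

// Return the destination host of an ssh command line, or null if none (e.g. "ssh -V").
// Handles a leading "sudo", options with values, "user@host" and "ssh://user@host:port".
function parseSshTarget(cmdline) {
  const parts = cmdline.trim().split(/\s+/);
  let i = parts[0] === 'sudo' ? 1 : 0;
  if (parts[i] !== 'ssh') return null;
  for (i += 1; i < parts.length; i += 1) {
    const tok = parts[i];
    if (tok === '--') { i += 1; break; }        // end of options
    if (!tok.startsWith('-')) break;            // first non-option token is the destination
    // "-p 2222" consumes the next token; "-p2222" carries its value inline
    if (tok.length === 2 && SSH_OPTS_WITH_ARG.has(tok)) i += 1;
  }
  if (i >= parts.length) return null;
  let dest = parts[i];
  if (dest.startsWith('ssh://')) dest = dest.slice(6).replace(/:\d+$/, '');
  return dest.includes('@') ? dest.split('@').pop() : dest;
}

// Same event shape as the article's rule, but using the robust target parser above.
function buildSshEvents(records) {
  const events = [];
  records.forEach(record => {
    const cmdline = record.columns.cmdline;
    if (!cmdline.startsWith('sudo ssh')) return;
    const targetHostname = parseSshTarget(cmdline);
    if (targetHostname === null) return;        // no session was opened, nothing to alert on
    events.push({
      severity: 'low', description: 'User sudo ssh from bastion host',
      time: record.unixTime, key: 'user and time',
      value: record.columns.uname + ' ' + record.unixTime,
      cmdline, pid: record.columns.pid, uname: record.columns.uname,
      target_hostname: targetHostname,
    });
  });
  return events;
}

// Constructed sample records in the shape the rule receives (not real telemetry).
const SAMPLE_RECORDS = [
  { unixTime: 1700000000, columns: { uname: 'alice', pid: 4242, cmdline: 'sudo ssh uptycs-centos1' } },
  { unixTime: 1700000060, columns: { uname: 'bob', pid: 4243, cmdline: 'sudo ssh -p 2222 -i /root/.ssh/id_ed25519 admin@db-01' } },
  { unixTime: 1700000120, columns: { uname: 'carol', pid: 4244, cmdline: 'sudo ssh -V' } },
  { unixTime: 1700000180, columns: { uname: 'dave', pid: 4245, cmdline: 'sudo ls /root' } },
];
```

Running `buildSshEvents(SAMPLE_RECORDS)` yields two events (for `uptycs-centos1` and `db-01`); the `ssh -V` and non-ssh rows produce none.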


2. Add a corresponding alert rule (make sure the Event code trigger matches the code used when creating the event rule). The boilerplate JavaScript for this alert rule is:

Query
const alerts = [];
events.forEach(event => {
  const alert = {
    description: event.description,
    severity: event.severity,
    assetId: event.assetId,
    eventId: event.eventId,
    key: event.key,
    value: event.value,
    alertTime: event.eventTime,
    indicatorId: event.indicatorId
  };

  // copy any extra fields from the event rule (e.g. target_hostname, pid) onto the alert
  if (event.metadata) {
    Object.keys(event.metadata).forEach(key => {
      if (!alert[key]) {
        alert[key] = event.metadata[key];
      }
    });
  }

  alerts.push(alert);
});
// 'context' is not defined in this boilerplate; it is assumed to be supplied by the alert-rule runtime
return { context, alerts };

3. Add the following context query to the alert rule. Its parameters are bound from the alert fields:

target_hostname TEXT
alertTime DATETIME
pid NUMBER
assetId TEXT

Query
with ssh_session as (
  select min(end_time) end_time from (
    -- the removed-process row (upt_added = False) for the ssh client pid marks when the session closed
    select upt_time end_time
    from processes
    where pid = :pid
      and upt_asset_id = :assetId
      and upt_added = False
      and upt_day = CAST(date_format(:alertTime,'%Y%m%d') AS INTEGER)
    UNION
    -- the ssh session may still be open, so we add the current datetime as an alternate cutoff
    select current_timestamp end_time
    from os_version where upt_asset_id = :assetId
  )
)
select distinct upt_hostname, uname, cmdline
from process_events pe, ssh_session ssh
where pe.upt_day = CAST(date_format(:alertTime,'%Y%m%d') AS INTEGER)
  and upt_hostname = :target_hostname
  and uname = 'root'
  and upt_time between :alertTime and ssh.end_time + interval '2' minute
  -- drop the login-time noise from shell startup scripts, PAM and sshd itself
  and cmdline not in (
    '/usr/bin/tput colors', '/usr/bin/hostname', '/usr/bin/dircolors --sh /etc/DIR_COLORS',
    '/usr/bin/tty -s', '/usr/bin/id -un', '/usr/bin/id -u',
    '/bin/sh /usr/libexec/grepconf.sh -c', '/usr/bin/grep -qi ^COLOR.*none /etc/DIR_COLORS',
    'grep -qsi ^COLOR.*none /etc/GREP_COLORS', '/usr/sbin/unix_chkpwd root nonull',
    '/usr/sbin/sshd -D -R'
  )

Now we test by logging into our Bastion Host (draco) and starting an ssh session to a remote machine (uptycs-centos1). Note that osquery needs to be installed on both machines for this use case to succeed.


Once logged into the remote machine, we run a few commands...


Check Uptycs for the alert: 


Click on the "Alert Detail" column for that alert row...

...then click on the "COMMANDS FOR SSH SESSION" context query...

...to get the list of commands run on the remote host (during the ssh session):
