
feat: integrate community-id #103

Merged
merged 21 commits into from
Sep 26, 2024

Conversation

qjerome
Member

@qjerome qjerome commented Sep 24, 2024

This PR aims at integrating community-id (https://github.com/corelight/community-id-spec) into some of the kunai logs.

This feature is valuable on the following aspects:

  • it allows correlating kunai logs with external log/alert sources such as IDS or traffic analysis tools
  • given a community-id from an external source, and thanks to the task UUIDs used in kunai, it is possible to find the exact root (application, parents and all ancestors) of such traffic.

Fields of applications:

  • Incident Response
  • Threat-Hunting
  • Network alert investigation
  • Understand which application generates which traffic

Limitations:

  • NAT traffic (often used in Linux containers) won't produce community-ids that can be correlated with traffic analysis tools

Fixes #74
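As an added example (not kunai's code, and not part of this PR), the following computes a Community ID v1 per the linked spec, resolves an IDS-supplied ID back to a constructed kunai-style task record, and shows why masqueraded container traffic does not correlate. The event records, task UUIDs and addresses are constructed for illustration and do not follow kunai's actual log schema.

```python
import base64
import hashlib
import socket
import struct

# IP protocol numbers carried in the Community ID input (TCP/UDP only here).
PROTO_TCP, PROTO_UDP = 6, 17


def community_id_v1(saddr, daddr, sport, dport, proto, seed=0):
    """Community ID v1 of a TCP/UDP flow (corelight/community-id-spec).

    Both directions of a flow must yield one ID, so the 5-tuple is put in a
    canonical order before hashing. The digest input is
    seed(2) || saddr || daddr || proto(1) || 0x00 || sport(2) || dport(2),
    all big-endian; the SHA-1 is base64-encoded and prefixed with the version tag.
    """
    family = socket.AF_INET6 if ":" in saddr else socket.AF_INET
    src, dst = socket.inet_pton(family, saddr), socket.inet_pton(family, daddr)
    if (src, sport) > (dst, dport):  # lower endpoint first; swap both addr and port
        src, dst, sport, dport = dst, src, dport, sport
    data = struct.pack("!H", seed) + src + dst + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed connect events in the spirit of kunai logs (illustrative field names).
EVENTS = [
    {"task_uuid": "task-0001", "exe": "/usr/bin/curl", "proto": PROTO_TCP,
     "src": ("192.0.2.50", 40210), "dst": ("203.0.113.10", 443)},
    {"task_uuid": "task-0002", "exe": "/usr/bin/dig", "proto": PROTO_UDP,
     "src": ("192.0.2.50", 54585), "dst": ("192.0.2.1", 53)},
]


def find_origin(events, external_id):
    """Map a Community ID taken from an IDS alert back to the task(s) that opened the flow.

    The IDS typically records the flow from its own vantage point (possibly the
    reverse direction); the canonical ordering inside community_id_v1 absorbs that.
    """
    return [e for e in events
            if community_id_v1(e["src"][0], e["dst"][0], e["src"][1], e["dst"][1], e["proto"]) == external_id]


def nat_limitation():
    """Masqueraded container flow: the process-side tuple (container address) and the
    post-NAT tuple seen on the wire hash to different IDs, so they cannot be joined."""
    inside = community_id_v1("172.17.0.2", "203.0.113.10", 41000, 443, PROTO_TCP)
    on_wire = community_id_v1("192.0.2.50", "203.0.113.10", 41000, 443, PROTO_TCP)
    return inside, on_wire
```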

@qjerome qjerome merged commit dd28431 into main Sep 26, 2024
1 check passed
@qjerome qjerome deleted the feat-community-id branch September 26, 2024 08:19
Successfully merging this pull request may close these issues.

Implement community ID for network related events