Commit a853066

Jgigantino31sabbanactions-user
authored
Cleanup Bitwarden collection (#1419)
* Update bitwarden.md The parser for this collection is intended to read the logs from /etc/bitwarden/logs/identity.log which contain timestamps. There is also a log file at /var/log/bitwarden/identity.log but it has no timestamps for failed login attempts. * Create bitwarden-logs.md * Update bitwarden-logs.yaml Simplify parser * Create bitwarden-bf.md * Update bitwarden-bf.yaml Make consistent * Update bitwarden.yaml Remove extra whitespace * Update bitwarden-logs.yaml Remove extra whitespaces * Update bitwarden-bf.yaml * Update parser.assert * Update scenario.assert * Update blockers meta --------- Co-authored-by: Manuel Sabban <[email protected]> Co-authored-by: GitHub Action <[email protected]>
1 parent 0f5fde7 commit a853066

9 files changed

+86
-71
lines changed

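--- a/.tests/bitwarden-bf/scenario.assert
+++ b/.tests/bitwarden-bf/scenario.assert
@@ -4,37 +4,37 @@ results[0].Overflow.Sources["207.96.38.254"].IP == "207.96.38.254"
 results[0].Overflow.Sources["207.96.38.254"].Range == ""
 results[0].Overflow.Sources["207.96.38.254"].GetScope() == "Ip"
 results[0].Overflow.Sources["207.96.38.254"].GetValue() == "207.96.38.254"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[0].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-04-24T13:06:36.295Z"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[1].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-04-24T13:06:37.124Z"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[2].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-04-24T13:06:37.235Z"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[3].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-04-24T13:06:38.215Z"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[4].GetMeta("service") == "bitwarden"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "207.96.38.254"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-04-24T13:06:39.391Z"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "bitwarden_failed_auth"
 results[0].Overflow.Alert.Events[5].GetMeta("service") == "bitwarden"
@@ -48,42 +48,42 @@ results[1].Overflow.Sources["207.96.38.253"].IP == "207.96.38.253"
 results[1].Overflow.Sources["207.96.38.253"].Range == ""
 results[1].Overflow.Sources["207.96.38.253"].GetScope() == "Ip"
 results[1].Overflow.Sources["207.96.38.253"].GetValue() == "207.96.38.253"
-results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "bitwarden_failed_auth_2fa"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[0].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-04-23T22:07:05.311Z"
-results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "bitwarden_failed_auth_2fa"
+results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[1].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-04-23T22:07:06.436Z"
-results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "bitwarden_failed_auth_2fa"
+results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[2].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-04-23T22:07:07.436Z"
-results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "bitwarden_failed_auth_2fa"
+results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[3].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-04-23T22:07:08.436Z"
-results[1].Overflow.Alert.Events[4].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "bitwarden_failed_auth_2fa"
+results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[4].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2023-04-23T22:07:09.436Z"
-results[1].Overflow.Alert.Events[5].GetMeta("datasource_path") == "bitwarden-bf.log"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "bitwarden-bf.log"
 results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "bitwarden_failed_auth_2fa"
+results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "bitwarden_failed_auth"
 results[1].Overflow.Alert.Events[5].GetMeta("service") == "bitwarden"
 results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "207.96.38.253"
 results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2023-04-23T22:07:09.436Z"
 results[1].Overflow.Alert.GetScenario() == "MariuszKociubinski/bitwarden-bf"
 results[1].Overflow.Alert.Remediation == true
-results[1].Overflow.Alert.GetEventsCount() == 6
+results[1].Overflow.Alert.GetEventsCount() == 6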
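Review bot: In the second hunk every event of the 207.96.38.253 alert now asserts `GetMeta("log_type") == "bitwarden_failed_auth"` where it used to assert `"bitwarden_failed_auth_2fa"`, so a rejected second factor can no longer be told apart from a rejected password in the alert metadata. A 2FA failure usually means the first factor was already accepted, which is a stronger compromise signal than a wrong password and is worth keeping visible to whoever triages the alert. The parser and scenario YAML are not shown here, so this is inferred from the assertions alone; if the merge is only meant to simplify the scenario filter, the parser could keep the 2FA label and the filter could match both, e.g. `evt.Meta.log_type in ["bitwarden_failed_auth", "bitwarden_failed_auth_2fa"]`. The same relabelling is pinned in .tests/bitwarden-logs/parser.assert.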

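--- a/.tests/bitwarden-logs/parser.assert
+++ b/.tests/bitwarden-logs/parser.assert
@@ -3,23 +3,27 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 4
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. 207.96.38.253"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "bitwarden"
-results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "2023-04-23 21:53:54.706 -05:00 [ERR] Request to https://push.bitwarden.com/push/register is unsuccessful with status of \"BadRequest\"-Bad Request"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "bitwarden"
-results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "bitwarden"
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "bitwarden"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "2023-04-24 16:10:32.219 -05:00 [INF] Identity started."
-results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "bitwarden"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false
 len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 4
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
@@ -35,26 +39,28 @@ results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["message
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["program"] == "bitwarden"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["source_ip"] == "207.96.38.253"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Parsed["timestamp"] == "2023-04-23 21:53:37.311"
+basename(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["log_type"] == "bitwarden_failed_auth"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["service"] == "bitwarden"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["source_ip"] == "207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Meta["log_type"] == "bitwarden_failed_auth_2fa"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][1].Success == false
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Success == true
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["program"] == "bitwarden"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["source_ip"] == "207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_day"] == "24"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_month"] == "04"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_time"] == "13:06:35.295"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["exim_year"] == "2023"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
-results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["program"] == "bitwarden"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["source_ip"] == "207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
+basename(results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["log_type"] == "bitwarden_failed_auth"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["service"] == "bitwarden"
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Meta["source_ip"] == "207.96.38.253"
+results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][2].Evt.Whitelisted == false
 results["s01-parse"]["MariuszKociubinski/bitwarden-logs"][3].Success == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
@@ -66,27 +72,29 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "bitwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "207.96.38.253"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-04-23 21:53:37.311"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "bitwarden_failed_auth_2fa"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "bitwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "bitwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "207.96.38.253"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-04-23T21:53:37.311Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-04-23T21:53:37.311Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "bitwarden"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "207.96.38.253"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_day"] == "24"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_month"] == "04"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_time"] == "13:06:35.295"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["exim_year"] == "2023"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "bitwarden-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "2023-04-24 13:06:35.295 -05:00 [WRN] Failed login attempt. 207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "bitwarden"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "207.96.38.253"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "2023-04-24 13:06:35.295"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "bitwarden-logs.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "bitwarden_failed_auth"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "bitwarden"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "207.96.38.253"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2023-04-24T13:06:35.295Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2023-04-24T13:06:35.295Z"
-len(results["success"][""]) == 0
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0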
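Review bot: The enriched timestamps asserted in the third hunk discard the `-05:00` offset present in the raw line: the message `2023-04-23 21:53:37.311 -05:00 [WRN] Failed login attempt, 2FA invalid. ...` is expected to produce `Evt.Meta["timestamp"] == "2023-04-23T21:53:37.311Z"`, which is local time relabelled as UTC and therefore five hours off. These are unchanged context lines, so the commit inherits the behaviour rather than introducing it, but the simplified parser is a natural place to capture the offset into `Parsed["timestamp"]` so that dateparse-enrich can honour it; the grok pattern lives in bitwarden-logs.yaml, which is not shown here, so this should be confirmed against it. Skewed event times matter when logs are replayed and when these alerts are correlated with other sources. With the offset honoured the first expectation would read `... .Evt.Meta["timestamp"] == "2023-04-24T02:53:37.311Z"`.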
