
[BBOT] New Integration - Bighuge BLS OSINT Tool ASM Data#9427

Closed
CarsonHrusovsky wants to merge 24 commits into elastic:main from CarsonHrusovsky:main

Conversation

@CarsonHrusovsky
Contributor

  • Enhancement

  • Added BBOT Integration

  • WHAT: BBOT is an OSINT ASM tool that is available to the general public. The link for this tool can be found here: https://github.com/blacklanternsecurity/bbot

  • WHY: This allows ingest of ASM findings into Elastic, allowing for review and analysis.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • Currently the pictures uploaded are not the official logo of Black Lantern Security. It would be nice if we could get the official logo on this down the road.

Screenshots

(three screenshots, not reproduced)

@cla-checker-service

cla-checker-service bot commented Mar 22, 2024

❌ Author of the following commits did not sign a Contributor Agreement:
698ae39, a94f1f9, 2489705

Please, read and sign the above mentioned agreement if you want to contribute to this project

@nicpenning
Contributor

@jamiehynds - Can we check with Black Lantern Security for usage of their logo for the integration?

https://www.blacklanternsecurity.com/

@CarsonHrusovsky
Contributor Author

This is ready to be reviewed and tested. 👍

@efd6 added the labels "enhancement" (New feature or request) and "Team:Security-Service Integrations" (Security Service Integrations team [elastic/security-service-integrations]) on Mar 28, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

@efd6 efd6 left a comment


Please add a line to .github/CODEOWNERS.

dependencies:
ecs:
reference: git@v8.11.0
import_mappings: true No newline at end of file

Final new line.

volumes:
- ./sample_logs:/sample_logs:ro
- ${SERVICE_LOGS_DIR}:/var/log
command: /bin/sh -c "cp /sample_logs/* /var/log/" No newline at end of file
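Review bot: `cp /sample_logs/* /var/log/` copies every file in the mounted sample_logs directory, so any stray file committed there ends up in the path the agent reads; narrowing the glob to the expected extension (e.g. `*.ndjson`, matching the output format discussed in this thread) keeps the test fixture deterministic. The file is also missing its final newline.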

nl

@@ -0,0 +1,3 @@
fields:
tags:
- preserve_original_event No newline at end of file

nl

# ECS Fields #
##############
- rename:
field: bbot.data.PROTOCOL.port

Please lowercase the keys.

fields:
- name: data.DNS_NAME
type: keyword
description: >

Are these to be filled?

…descriptions to fields. Updated README.md. Removed READ.me. Added cleanup processor.
@CarsonHrusovsky
Contributor Author

This is still being worked on.

@CarsonHrusovsky
Contributor Author

Okay this is ready for review again. A few points I will make here as far as changes:

  • I have left the keys in the format they are in (bbot.data.THISISCAPS.fnding). My reasoning is that within BBOT, the capitalization is a reference for an event type, so having this data is useful for an analyst. If this is something that cannot be ignored and must be lowercased, I will do this however.
  • Added additional documentation for users to learn more about the tool in the manifest.
  • Filled out data descriptions in fields.yml.
  • Updated pipeline with other suggestions.

@nicpenning
Contributor

nicpenning commented Apr 12, 2024

@efd6 Any updates on this? Looks like it's ready for another review.

Contributor

@efd6 efd6 left a comment


I have left the keys in the format they are in (bbot.data.THISISCAPS.fnding). My reasoning is that within BBOT, the capitalization is a reference for an event type, so having this data is useful for an analyst. If this is something that cannot be ignored and must be lowercased, I will do this however.

From looking at the BBOT docs and the events here, I can't find any cases where they are lower cased. Given this, there is apparently no information provided by the case. If this is the case, please lower-case them. If it's not the case, please point me to documentation explaining the semantics.

@@ -0,0 +1,3 @@
errors:
exclude_checks:
- SVR00004 # Added search to dashboard. No newline at end of file
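Review bot: The comment on the SVR00004 exclusion records what was added ("Added search to dashboard") rather than why the validation check has to be bypassed; state the reason so a maintainer can later judge whether the exclusion is still needed, and add the final newline the file is missing.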

Not fixed.

@nicpenning
Contributor

On the file path, would you recommend that in the integration readme it states an example of executing bbot with an example path and use that?

BBOT docs https://www.blacklanternsecurity.com/bbot/scanning/output/

You are correct that the agent is running a different user than the integration which is usually system.

Example in the readme today:
bbot -t elastic.co --strict-scope -f safe passive -c output_modules.json.siem_friendly=true -om json

Perhaps it can be added in docs with the --output to read as:
bbot -t elastic.co --strict-scope -f safe passive -c output_modules.json.siem_friendly=true -om json --output \var\logs\bbot_scans\*.ndjson

Then the path could align with the example?

The problem is in the BBOT docs they drop it by default in the user that ran the scan.

CarsonHrusovsky and others added 7 commits April 12, 2024 08:21
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
…mmon-config.yml

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
@CarsonHrusovsky
Contributor Author

Fields have been lowercased. Marked for review once more :D - Thanks for all the help on this @efd6
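The key lowercasing discussed in this thread (bbot.data.DNS_NAME becoming bbot.data.dns_name), as an added example that is not code from the PR or from BBOT: it normalizes a constructed siem_friendly-style ndjson event, checks that nothing is lost because the event type survives in the `type` value, and refuses to silently merge keys that differ only by case.

```python
import json

# Constructed BBOT-style "siem_friendly" ndjson events (not real scan output).
SAMPLE_NDJSON = (
    '{"type": "DNS_NAME", "data": {"DNS_NAME": "example.com"}, '
    '"scope_distance": 0, "tags": ["in-scope"]}\n'
    '{"type": "OPEN_TCP_PORT", "data": {"OPEN_TCP_PORT": "example.com:443"}, '
    '"scope_distance": 0}\n'
)


def lowercase_keys(obj):
    """Recursively lowercase dict keys; values, lists and scalars are untouched."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            lowered = key.lower()
            if lowered in out:
                # Two keys differing only by case would otherwise merge silently.
                raise ValueError(f"key collision after lowercasing: {key!r}")
            out[lowered] = lowercase_keys(value)
        return out
    if isinstance(obj, list):
        return [lowercase_keys(item) for item in obj]
    return obj


def normalize_event(line):
    """Parse one ndjson line and nest it under the integration's 'bbot' prefix.

    Only keys are lowercased, so the event type is still readable from the
    'type' value even though the wrapper key under 'data' is now lower-case.
    """
    return {"bbot": lowercase_keys(json.loads(line))}


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted field names, as fields.yml lists them."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def field_names(ndjson):
    """Return the sorted set of dotted field names seen across all events."""
    names = set()
    for line in ndjson.splitlines():
        if line.strip():
            names.update(flatten(normalize_event(line)))
    return sorted(names)
```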

@efd6
Contributor

efd6 commented Apr 16, 2024

/test

@efd6
Contributor

efd6 commented Apr 16, 2024

Please fix up the cases where there is no final new line in the files (all except json for generated test expectations and sample events).

@efd6
Contributor

efd6 commented Apr 17, 2024

/test

@elasticmachine

elasticmachine commented Apr 17, 2024

💔 Build Failed


@efd6
Contributor

efd6 commented Apr 17, 2024

Please run elastic-package build and then check and commit the changes.

@aconite33

@jamiehynds - Can we check with Black Lantern Security for usage of their logo for the integration?

https://www.blacklanternsecurity.com/

I spoke with Jamie. We're good having our logo used for the integration.

I'm one of the principals behind BLS, we appreciate the integration and team work!

@CarsonHrusovsky
Contributor Author

Let's give it another go!

@TheTechromancer

Hey guys thanks for your work on this. Since this is an open source effort, you have approval from the owners to use our official logos on this project:

bbot_banner_v2

bls_profile_logo

bbot_logo_v2

@nicpenning
Contributor

Awesome, thank you @TheTechromancer !

Do you happen to have SVG versions of your logos? The icon usage on the integrations website and in Kibana requires an SVG according to the package manifest spec. Unless @efd6 knows of a way to use a PNG for the icon (today you see the rising Phoenix populated in the initial screenshot).

@nicpenning
Contributor

nicpenning commented Apr 17, 2024

Also, Techro, do y'all have a preference of which logo to use for the integration? It will only be 1 logo that is needed. The Phoenix I referenced earlier is where it will live. Plus it will be here in time: https://www.elastic.co/integrations/data-integrations

@TheTechromancer

Hmm, we don't have a version of the BBOT one that will look good on a white background. The best one to use might be this one:

bls_logo_transparent

@CarsonHrusovsky
Contributor Author

Thoughts? @TheTechromancer @aconite33

Proof of concept currently.

@efd6
Contributor

efd6 commented Apr 17, 2024

There is a commit here that has a name that has not signed the CLA. Can all the contributors to this PR please check that they have signed with the email addresses that appear in the author email field of the commit they contributed.

@nicpenning
Contributor

There is a commit here that has a name that has not signed the CLA. Can all the contributors to this PR please check that they have signed with the email addresses that appear in the author email field of the commit they contributed.

Bummer:

Looks like the local git blew away Carson's user info so it doesn't recognize his email.

@CarsonHrusovsky
Contributor Author

CarsonHrusovsky commented Apr 18, 2024

@efd6 Is something like this possible?

icons:
  - src: /img/Black_Lantern_Light-Mode.svg
    title: BBOT Logo light-mode
    size: 32x32
    type: image/svg+xml
    dark_mode: false
  - src: /img/Black_Lantern_Dark-Mode.svg
    title: BBOT Logo dark-mode
    size: 32x32
    type: image/svg+xml
    dark_mode: true

Seems like the dark_mode: tag for icons doesn't work / is unpredictable.

This reverts commit 698ae39.

This commit broke the PR. Attempting to fix.
@nicpenning
Contributor

@efd6 Is something like this possible?

icons:
  - src: /img/Black_Lantern_Light-Mode.svg
    title: BBOT Logo light-mode
    size: 32x32
    type: image/svg+xml
    dark_mode: false
  - src: /img/Black_Lantern_Dark-Mode.svg
    title: BBOT Logo dark-mode
    size: 32x32
    type: image/svg+xml
    dark_mode: true

Seems like the dark_mode: tag for icons does work, but I've had trouble testing this as when I make icon changes and build/install the package, it seems unpredictable if these changes are reflected in elastic. If I take the stack down and put it back up it does update.

I think this is not a feature or it is broken. In the Okta Entity Analytics, it is not using the dark mode SVG.

icons:
  - src: /img/okta-logo.svg
    title: Okta Logo
    size: 32x32
    type: image/svg+xml
  - src: /img/okta-logo-dark.svg
    title: Okta Logo
    size: 32x32
    type: image/svg+xml
    dark_mode: true


The solution here is applying a white background to the img, which seems trivial to do in SVG.

@nicpenning
Contributor

IE

@CarsonHrusovsky
Contributor Author

IE image

Implemented.

…official BBOT svg"

This reverts commit a94f1f9.

This broke CLI
@CarsonHrusovsky
Contributor Author

CarsonHrusovsky commented Apr 18, 2024

I think this PR is dead. I will open another and mention this one, I am afraid if I keep trying to undo commits I will break something else.

