-
Notifications
You must be signed in to change notification settings - Fork 19
/
scope.yml
62 lines (55 loc) · 2.22 KB
/
scope.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#
# This is the Network Flight Recorder (NFR) monitoring scope file. Here you create
# arbitrary groups of systems to monitor. For each group you should then define:
#
# - Source IP address ranges to monitor events from
# - Source IP address ranges to exclude from scoring (if any)
# - Trusted destination domains to whitelist (e.g. internal domains)
# - Trusted destination IP ranges to whitelist (e.g. known good destinations)
#
# Only network events from the source addresses within scope to non-whitelisted
# destinations are sent to the AlphaSOC Analytics Engine for scoring.
#
# Please contact [email protected] if you have any questions
#
groups:
# Short arbitrary label for the group (e.g. default:, pci_zone:, guest_wifi:)
default:
# Long label describing the group, for use in alerts and UI elements
label: "Default"
# Source IP ranges of networks in scope, in CIDR slash-notation format
# We default to internal private ranges here, but you can use 0.0.0.0/0 to
# monitor all of the things.
in_scope:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12
- fc00::/7
# Source IP ranges of systems to exclude from monitoring in CIDR
# slash-notation format (i.e. use "- 1.2.3.4/32" to suppress a single system),
# written as a list in the same format as the in_scope section above.
# This exclusion list is intended to suppress scoring of events from
# recursive resolvers, mail servers, proxies, and other systems that
# generating noise or repeating queries that are being captured elsewhere.
out_scope:
# Trusted destination domains which are whitelisted and ignored by the
# DNS analytics module. Use this list to whitelist your internal domains, etc.
trusted_domains:
- "*.arpa"
- "*.lan"
- "*.local"
- "*.internal"
# Trusted destination IP ranges (in CIDR slash-notation format) which are
# whitelisted and ignored by the IP analytics module. By default these are
# private networks, so that we process Internet-bound traffic to flag anomalies.
trusted_ips:
- 10.0.0.0/8
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.168.0.0/16
- 224.0.0.0/8
- 255.255.255.255/32
- fc00::/7
- fe80::/10
- ff00::/8