Merge pull request #2656 from redsand/hawk

Hawk backend - adjust risk score rules and remove translation
2022-02-08 09:01:29 +01:00
parent 121b28c419 fe95c8abaf
commit 0889a1fc3b
2 changed files with 8 additions and 4 deletions
@@ -423,6 +423,7 @@ fieldmappings:
  ProcessCommandLine: command
  ParentCommandLine: parent_command
  IMPHASH: file_hash_imphash
+  Imphash: file_hash_imphash
  SHA256: file_hash_sha256
  MD5: file_hash_md5
  SHA1: file_hash_sha1
@@ -464,7 +465,6 @@ fieldmappings:
  ObjectValueName: object_name
  ObjectName: object_name
  DeviceClassName: object_name
-  Details: object_target
  CallTrace: calltrace
  IpAddress: ip_src
  WorkstationName: hostname_src
@@ -673,7 +673,7 @@ class HAWKBackend(SingleTextQueryBackend):
            record["tags"] = record['tags'] + [ item.replace("attack.", "") for item in sigmaparser.parsedyaml['tags']]

        if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental':
-            record['correlation_action'] += 10.0;
+            record['correlation_action'] += 5.0;
        elif 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] == 'experimental':
            record["tags"].append("qa")
        if 'falsepositives' in self.sigmaparser.parsedyaml and len(self.sigmaparser.parsedyaml['falsepositives']) > 1:
@@ -685,11 +685,15 @@ class HAWKBackend(SingleTextQueryBackend):
            elif self.sigmaparser.parsedyaml['level'].lower() == 'high':
                record['correlation_action'] += 10.0;
            elif self.sigmaparser.parsedyaml['level'].lower() == 'medium':
-                record['correlation_action'] += 5.0;
+                # record['correlation_action'] += 0.0;
+                pass
            elif self.sigmaparser.parsedyaml['level'].lower() == 'low':
-                record['correlation_action'] -= 5.0;
+                record['correlation_action'] -= 10.0;
            elif self.sigmaparser.parsedyaml['level'].lower() == 'informational':
                record['correlation_action'] -= 15.0;
+
+        if record['correlation_action'] < 0.0:
+            record['correlation_action'] = 0.0
       
        return json.dumps(record)