From 4dc4d71afc257cb8903cccac3b24bef82c003604 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 6 Jan 2022 17:47:36 +0000
Subject: [PATCH 1/5] removing hawk translation of Details to object_target

---
 tools/config/hawk.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index fc464ce91..9db72671b 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -459,7 +459,6 @@ fieldmappings:
 ObjectValueName: object_name
 ObjectName: object_name
 DeviceClassName: object_name
- Details: object_target
 CallTrace: calltrace
 IpAddress: ip_src
 WorkstationName: hostname_src

From a9ada3210248cbfd26b4f41d75441f311a69dc78 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 11 Jan 2022 15:05:52 +0000
Subject: [PATCH 2/5] reducing scores

---
 tools/sigma/backends/hawk.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index 7a61fe1e6..d5ab6c1bb 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -673,7 +673,7 @@ class HAWKBackend(SingleTextQueryBackend):
 record["tags"] = record['tags'] + [ item.replace("attack.", "") for item in sigmaparser.parsedyaml['tags']]
 if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental':
- record['correlation_action'] += 10.0;
+ record['correlation_action'] += 5.0;
 elif 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] == 'experimental':
 record["tags"].append("qa")
 if 'falsepositives' in self.sigmaparser.parsedyaml and len(self.sigmaparser.parsedyaml['falsepositives']) > 1:
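Review bot: The new `record['correlation_action'] += 5.0;` in the `@@ -673` hunk keeps a trailing semicolon and an unexplained score literal, and the same holds for `-= 10.0;` in the `@@ -687` hunk and for the `high`/`low`/`informational` weights in the `@@ -685` hunk of patch 4. With the weights now spread over five commits the resulting scale is hard to read from the code, so I would hoist them into named class constants with a one-line rationale each and drop the semicolons, e.g. `record['correlation_action'] += self.STABLE_RULE_BONUS  # non-experimental rules rank above experimental ones` (constant name is a suggestion). The surrounding condition can also be written as `self.sigmaparser.parsedyaml.get('status') != 'experimental'`, which is exactly what the `not ... in ... or ... and ...` expression computes. The enclosing method starts and ends outside the hunk, so the base value of `correlation_action` is not visible here.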
@@ -687,7 +687,7 @@ class HAWKBackend(SingleTextQueryBackend):
 elif self.sigmaparser.parsedyaml['level'].lower() == 'medium':
 record['correlation_action'] += 5.0;
 elif self.sigmaparser.parsedyaml['level'].lower() == 'low':
- record['correlation_action'] -= 5.0;
+ record['correlation_action'] -= 10.0;
 elif self.sigmaparser.parsedyaml['level'].lower() == 'informational':
 record['correlation_action'] -= 15.0;

From 3c115408b639ad6204d464a8618f59b75e8a1033 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 18 Jan 2022 15:47:53 +0000
Subject: [PATCH 3/5] Adding translation for Imphash

---
 tools/config/hawk.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 9db72671b..b6ab8f5bd 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -418,6 +418,7 @@ fieldmappings:
 ProcessCommandLine: command
 ParentCommandLine: parent_command
 IMPHASH: file_hash_imphash
+ Imphash: file_hash_imphash
 SHA256: file_hash_sha256
 MD5: file_hash_md5
 SHA1: file_hash_sha1

From 8dae288ff81eb387afebe20dbee2c1ecc4026169 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 28 Jan 2022 00:24:20 +0000
Subject: [PATCH 4/5] reducing medium scores

---
 tools/sigma/backends/hawk.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index d5ab6c1bb..7b04b76c9 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -685,7 +685,8 @@ class HAWKBackend(SingleTextQueryBackend):
 elif self.sigmaparser.parsedyaml['level'].lower() == 'high':
 record['correlation_action'] += 10.0;
 elif self.sigmaparser.parsedyaml['level'].lower() == 'medium':
- record['correlation_action'] += 5.0;
+ # record['correlation_action'] += 0.0;
+ pass
 elif self.sigmaparser.parsedyaml['level'].lower() == 'low':
 record['correlation_action'] -= 10.0;
 elif self.sigmaparser.parsedyaml['level'].lower() == 'informational':
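Review bot: The `pass` added to the `medium` branch in the `@@ -685` hunk of patch 4 sits under a commented-out statement (`# record['correlation_action'] += 0.0;`), which reads as an unfinished edit rather than a deliberate choice. Keep the branch but state the intent instead of leaving dead code, e.g. `pass  # medium is the baseline level: no adjustment in either direction`; alternatively the `medium` `elif` can be removed outright, since falling through the remaining `elif`s has the same effect provided the chain has no trailing `else` (its tail is not visible in this hunk). The `if`/`elif` chain starts above the hunk, so whether an unknown or missing `level` is handled anywhere cannot be confirmed from here.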
From fe95c8abaf008196df03aa4b93ae5b872b4fa5b7 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 7 Feb 2022 14:15:16 +0000
Subject: [PATCH 5/5] setting minimum value of record score to zero

---
 tools/sigma/backends/hawk.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index 7b04b76c9..10c8b8766 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -691,6 +691,9 @@ class HAWKBackend(SingleTextQueryBackend):
 record['correlation_action'] -= 10.0;
 elif self.sigmaparser.parsedyaml['level'].lower() == 'informational':
 record['correlation_action'] -= 15.0;
+
+ if record['correlation_action'] < 0.0:
+ record['correlation_action'] = 0.0
 return json.dumps(record)
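Review bot: The floor added in the `@@ -691` hunk collapses every negative result to exactly 0.0, so `low` (-10) and `informational` (-15) rules become indistinguishable whenever the base score before this chain is below 15, and the ranking between them that the earlier commits tuned is lost; worth confirming that is intended, and if the consumer treats 0.0 as "do not alert" that should be stated too. The clamp reads more directly as one line with its rationale attached, `record['correlation_action'] = max(0.0, record['correlation_action'])  # scores are non-negative; lower bound, no upper bound`. The base value of `correlation_action` is assigned above the hunk and the method starts outside it, so the range it can reach here is not visible.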