diff --git a/Makefile b/Makefile
index ed5ffaaa9..b3517a025 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,7 @@ test-sigmac:
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'foo=bar' rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c elk-windows -t es-qs rules/ > /dev/null
+ ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c elk-windows -t splunk rules/ > /dev/null
 ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml
index b2f111ed8..10946c14f 100644
--- a/tools/config/arcsight.yml
+++ b/tools/config/arcsight.yml
@@ -1,5 +1,7 @@
 title: ArcSight
 order: 20
+backends:
+ - arcsight
 logsources:
 linux:
 product: linux
diff --git a/tools/config/elk-defaultindex-filebeat.yml b/tools/config/elk-defaultindex-filebeat.yml
index 237ca0d86..b38a2c07a 100644
--- a/tools/config/elk-defaultindex-filebeat.yml
+++ b/tools/config/elk-defaultindex-filebeat.yml
@@ -1,4 +1,10 @@
 title: Elastic Filebeat default index name
 order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
 defaultindex:
 - filebeat-*
diff --git a/tools/config/elk-defaultindex-logstash.yml b/tools/config/elk-defaultindex-logstash.yml
index cf774a6ed..3fed6bf0e 100644
--- a/tools/config/elk-defaultindex-logstash.yml
+++ b/tools/config/elk-defaultindex-logstash.yml
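Review bot: The new negated test `! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c elk-windows -t splunk rules/ > /dev/null` passes on any non-zero exit status, so it would still succeed if sigmac failed for an unrelated reason (a config file that cannot be opened, a rule-parsing error) rather than the backend/config mismatch it is meant to cover. Since this commit adds a dedicated exit code for that case in tools/sigmac, running the command and comparing `$$?` against that code would pin the behaviour the test is actually about; as written it is only a smoke test. Whether the rest of the `test-sigmac` target already checks exit codes elsewhere cannot be seen from this hunk, which starts and ends inside the target.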
@@ -1,4 +1,10 @@
 title: Generic Logstash index prefix
 order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
 defaultindex:
 - logstash-*
diff --git a/tools/config/elk-defaultindex.yml b/tools/config/elk-defaultindex.yml
index 8f8103830..37f25e353 100644
--- a/tools/config/elk-defaultindex.yml
+++ b/tools/config/elk-defaultindex.yml
@@ -1,5 +1,11 @@
 title: Elastic Logstash and Filebeat default index patterns
 order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
 defaultindex:
 - logstash-*
 - filebeat-*
diff --git a/tools/config/elk-linux.yml b/tools/config/elk-linux.yml
index 7299431dd..b82c88172 100644
--- a/tools/config/elk-linux.yml
+++ b/tools/config/elk-linux.yml
@@ -1,5 +1,11 @@
 title: Logstash Linux project (https://github.com/thomaspatzke/logstash-linux)
 order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
 logsources:
 apache:
 category: webserver
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 079ba08de..88e7486d6 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -1,5 +1,11 @@
 title: Logstash Windows common log sources
 order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
 logsources:
 windows:
 product: windows
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 5cceffd32..7bf64c962 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -1,5 +1,11 @@
 title: Elastic Winlogbeat index pattern and field mapping
 order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
 logsources:
 windows:
 product: windows
diff --git a/tools/config/helk.yml b/tools/config/helk.yml
index 8b0289b98..14af0ff54 100644
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
@@ -1,5 +1,11 @@
 title: HELK index patterns and OSSEM field mappings
 order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - kibana
+ - xpack-watcher
+ - elastalert
 logsources:
 windows-application:
 product: windows
diff --git a/tools/config/logpoint-windows-all.yml b/tools/config/logpoint-windows-all.yml
index e3a775f9c..f777dea12 100644
--- a/tools/config/logpoint-windows-all.yml
+++ b/tools/config/logpoint-windows-all.yml
@@ -1,5 +1,7 @@
 title: Logpoint
 order: 20
+backends:
+ - logpoint
 logsources:
 windows-security:
 product: windows
diff --git a/tools/config/netwitness.yml b/tools/config/netwitness.yml
index 120860078..69ce69e47 100644
--- a/tools/config/netwitness.yml
+++ b/tools/config/netwitness.yml
@@ -1,5 +1,7 @@
 title: NetWitness
 order: 20
+backends:
+ - netwitness
 logsources:
 linux:
 product: linux
diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml
index f4f270de4..1c96adc82 100644
--- a/tools/config/powershell-windows-all.yml
+++ b/tools/config/powershell-windows-all.yml
@@ -1,5 +1,7 @@
 title: Logsource to LogName mappings for PowerShell backend
 order: 20
+backends:
+ - powershell
 logsources:
 windows-application:
 product: windows
diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml
index 2a7cf55d0..d477684d0 100644
--- a/tools/config/qradar.yml
+++ b/tools/config/qradar.yml
@@ -1,4 +1,6 @@
 title: QRadar
+backends:
+ - qradar
 order: 20
 logsources:
 apache:
diff --git a/tools/config/qualys.yml b/tools/config/qualys.yml
index 8dad989e4..400124fb8 100644
--- a/tools/config/qualys.yml
+++ b/tools/config/qualys.yml
@@ -1,5 +1,7 @@
 title: Qualys
 order: 20
+backends:
+ - qualys
 fieldmappings:
 dst:
 - network.remote.address.ip
diff --git a/tools/config/splunk-windows-all-index.yml b/tools/config/splunk-windows-all-index.yml
index 97e9e5de0..cf1959abf 100644
--- a/tools/config/splunk-windows-all-index.yml
+++ b/tools/config/splunk-windows-all-index.yml
@@ -1,5 +1,8 @@
 title: Splunk Windows index and EventID field mapping
 order: 20
+backends:
+ - splunk
+ - splunkxml
 logsources:
 windows:
 product: windows
diff --git a/tools/config/splunk-windows-all.yml b/tools/config/splunk-windows-all.yml
index 318ce22cb..a7b45bb4e 100644
--- a/tools/config/splunk-windows-all.yml
+++ b/tools/config/splunk-windows-all.yml
@@ -1,5 +1,8 @@
 title: Splunk Windows log source conditions
 order: 20
+backends:
+ - splunk
+ - splunkxml
 logsources:
 windows-application:
 product: windows
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 68c08028b..954c7b0eb 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -1,5 +1,7 @@
 title: SumoLogic
 order: 20
+backends:
+ - sumologic
 # Sumulogic mapping depends on customer configuration. Adapt to your context!
 # typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
 # supposing existing FER for service, EventChannel, EventID
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 57421ec63..d640ce053 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -1,4 +1,7 @@
 title: THOR
+order: 20
+backends:
+ - thor
 # this configuration differs from other configurations and can not be used
 # with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
 logsources:
diff --git a/tools/sigmac b/tools/sigmac
index 89cf3d54e..c5cfb9b4a 100755
--- a/tools/sigmac
+++ b/tools/sigmac
@@ -52,6 +52,7 @@ ERR_NO_TARGET = 10
 ERR_RULE_FILTER_PARSING = 11
 ERR_CONFIG_REQUIRED = 20
 ERR_CONFIG_ORDER = 21
+ERR_CONFIG_BACKEND = 22
 ERR_NOT_IMPLEMENTED = 42
 ERR_PARTIAL_FIELD_MATCH = 80
 ERR_FULL_FIELD_MATCH = 90
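Review bot: In the tools/config/thor.yml hunk the file now declares `order: 20` and `backends: - thor`, while the comment immediately below still states that this configuration "can not be used with the sigmac tool", so the two statements contradict each other for a reader deciding whether `-c thor` is a valid sigmac invocation. If sigmac now accepts this file for the thor backend, the comment should be updated to say so; if it still cannot consume it, the new `backends` entry has no consumer and the comment should say why it is there. This cannot be settled from the hunk alone, since the rest of the file and the backend list in sigmac are outside it.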
@@ -164,6 +165,13 @@ if cmdargs.config:
 sys.exit(ERR_CONFIG_ORDER)
 order = sigmaconfig.order
+ try:
+ if cmdargs.target not in sigmaconfig.config["backends"]:
+ print("The configuration '{}' is not valid for backend '{}'. Valid choices are: {}".format(conf_name, cmdargs.target, ", ".join(sigmaconfig.config["backends"])), file=sys.stderr)
+ sys.exit(ERR_CONFIG_ORDER)
+ except KeyError:
+ pass
+
 sigmaconfigs.append(sigmaconfig)
 except OSError as e:
 print("Failed to open Sigma configuration file %s: %s" % (conf_name, str(e)), file=sys.stderr)
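Review bot: The backend-mismatch branch exits with `sys.exit(ERR_CONFIG_ORDER)`, although the commit defines `ERR_CONFIG_BACKEND = 22` in the earlier tools/sigmac hunk for exactly this case, so scripts (including the Makefile's negated test) cannot distinguish a config/backend mismatch from an ordering error; the line should read `sys.exit(ERR_CONFIG_BACKEND)`. The `try`/`except KeyError: pass` also spans the `print` and the `sys.exit`, which is wider than the two dictionary lookups it is meant to guard; `backends = sigmaconfig.config.get("backends")` followed by `if backends is not None and cmdargs.target not in backends:` states the intended fallback (a config without a `backends` key is accepted for any backend) explicitly and keeps the exception handling out of it. A `backends` value written as a single YAML scalar rather than a list would be checked by substring with `in` and joined character by character in the message; that depends on how the YAML is loaded, which is outside this hunk, so worth confirming. The enclosing `if cmdargs.config:` loop and its `try` begin before the hunk.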