Merge pull request #3296 from redsand/hawk_backend_update

Backend: hawk update to support boolean comparison values and some co…
This commit is contained in:
frack113
2022-07-30 09:07:52 +02:00
committed by GitHub
2 changed files with 24 additions and 12 deletions
+13 -11
@@ -93,7 +93,7 @@ logsources:
msexchange-management:
service: msexchange-management
conditions:
channel: "MSExchange Management"
product_name: "MSExchange Management"
windows:
product: windows
index: windows
@@ -127,7 +127,7 @@ logsources:
product: windows
service: bits-client
conditions:
channel: "Microsoft-Windows-Bits-Client/Operational"
event_channel: "Microsoft-Windows-Bits-Client/Operational"
windows-network-connection:
product: windows
category: network_connection
@@ -209,12 +209,12 @@ logsources:
product: windows
category: ldap_query
conditions:
channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
windows-ldap-debug:
product: windows
category: ldap_debug
conditions:
channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
windows-driver-load:
product: windows
category: driver_load
@@ -545,12 +545,14 @@ logsources:
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "signInAudits"
azure-auditlogs:
product: azure
service: auditlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
product_source: "directoryAudits"
azure-activitylogs:
product: azure
service: activitylogs
@@ -567,22 +569,22 @@ logsources:
product: windows
service: microsoft-servicebus-client
conditions:
channel: 'Microsoft-ServiceBus-Client'
event_channel: 'Microsoft-ServiceBus-Client'
windows-application:
product: windows
service: application
conditions:
channel: 'Application'
event_channel: 'Application'
windows-security:
product: windows
service: security
conditions:
channel: 'Security'
event_channel: 'Security'
windows-system:
product: windows
service: system
conditions:
channel: 'System'
event_channel: 'System'
windows-sysmon:
product: windows
service: sysmon
@@ -612,12 +614,12 @@ logsources:
product: windows
service: dns-server
conditions:
channel: 'DNS Server'
product_name: 'DNS Server'
windows-dns-server-audit:
product: windows
service: dns-server-audit
conditions:
channel: 'DNS Server'
product_name: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
@@ -687,7 +689,7 @@ logsources:
product: windows
service: msexchange-management
conditions:
channel: 'MSExchange Management'
product_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
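Review bot: The key that replaces `channel` is not the same across these hunks: the MSExchange Management entries (@@ -93 and @@ -687) and the two DNS Server entries (@@ -612) move to `product_name`, while the Bits-Client, LDAP, ServiceBus, Application, Security and System entries (@@ -127, @@ -209, @@ -567) move to `event_channel`, and nothing on the page says why the two groups differ. I am inferring old/new from the printed line pairs, since the markers were lost in rendering. A one-line comment at the top of the logsources block would keep the next editor from "normalising" one group to the other, e.g. `# conditions: event_channel for Windows event-log channels, product_name for sources HAWK indexes as a product (Exchange, DNS Server)`, adjusted to whatever the actual HAWK field distinction is. The `product_source` keys added to the azure entries at @@ -545 would benefit from the same note.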
+11 -1
@@ -193,7 +193,7 @@ class HAWKBackend(SingleTextQueryBackend):
nodeRet["args"]["comparison"]["value"] = "!="
nodeRet['rule_id'] = str(uuid.uuid4())
key, value = node
if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
if self.mapListsSpecialHandling == False and type(value) in (str, int, list, bool) or self.mapListsSpecialHandling == True and type(value) in (str, int, bool):
nodeRet['key'] = self.cleanKey(key).lower()
nodeRet['description'] = key
if key.lower() in ("logname","source"):
@@ -267,6 +267,16 @@ class HAWKBackend(SingleTextQueryBackend):
#return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True))
#return json.dumps(nodeRet)
return nodeRet
elif type(value) is bool:
nodeRet['return'] = "bool"
nodeRet['args']['bool'] = { "value" : value }
if notNode:
nodeRet["args"]["comparison"]["value"] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
del nodeRet['args']['str']
return nodeRet
else:
if nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username':
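Review bot: `del nodeRet['args']['str']` in the new `elif type(value) is bool` branch raises KeyError unless every node template carries an `args.str` entry; the hunk does not show where `nodeRet` is built, so `nodeRet['args'].pop('str', None)` is the safer form and also survives a future template without that key. Reachability of the branch depends on code outside the hunk: because `bool` subclasses `int`, any earlier branch in this chain that tests `isinstance(value, int)` would capture booleans first, whereas `type(value) is ...` / `type(value) in (...)` checks like the one at @@ -193 are fine. The condition at @@ -193 mixes `and`/`or` without parentheses and would read better as `if (self.mapListsSpecialHandling == False and type(value) in (str, int, list, bool)) or (self.mapListsSpecialHandling == True and type(value) in (str, int, bool)):`. The enclosing method starts before and continues after both hunks.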