diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index dcd45ca33..af73ccd18 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -93,7 +93,7 @@ logsources:
 msexchange-management:
 service: msexchange-management
 conditions:
- channel: "MSExchange Management"
+ product_name: "MSExchange Management"
 windows:
 product: windows
 index: windows
@@ -127,7 +127,7 @@ logsources:
 product: windows
 service: bits-client
 conditions:
- channel: "Microsoft-Windows-Bits-Client/Operational"
+ event_channel: "Microsoft-Windows-Bits-Client/Operational"
 windows-network-connection:
 product: windows
 category: network_connection
@@ -209,12 +209,12 @@ logsources:
 product: windows
 category: ldap_query
 conditions:
- channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
+ event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
 windows-ldap-debug:
 product: windows
 category: ldap_debug
 conditions:
- channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
+ event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
 windows-driver-load:
 product: windows
 category: driver_load
@@ -545,12 +545,14 @@ logsources:
 conditions:
 vendor_name: "Microsoft"
 product_name: "Azure"
+ product_source: "signInAudits"
 azure-auditlogs:
 product: azure
 service: auditlogs
 conditions:
 vendor_name: "Microsoft"
 product_name: "Azure"
+ product_source: "directoryAudits"
 azure-activitylogs:
 product: azure
 service: activitylogs
@@ -567,22 +569,22 @@ logsources:
 product: windows
 service: microsoft-servicebus-client
 conditions:
- channel: 'Microsoft-ServiceBus-Client'
+ event_channel: 'Microsoft-ServiceBus-Client'
 windows-application:
 product: windows
 service: application
 conditions:
- channel: 'Application'
+ event_channel: 'Application'
 windows-security:
 product: windows
 service: security
 conditions:
- channel: 'Security'
+ event_channel: 'Security'
 windows-system:
 product: windows
 service: system
 conditions:
- channel: 'System'
+ event_channel: 'System'
 windows-sysmon:
 product: windows
 service: sysmon
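Review bot: The `msexchange-management` entry now matches on `product_name: "MSExchange Management"` while every other Windows channel in this diff (`bits-client`, both LDAP entries, `Application`/`Security`/`System`) moved to `event_channel`, and nothing in the file explains why an event-log channel name lands in `product_name` for Exchange and DNS Server but nowhere else. If HAWK does not actually populate `product_name` with the channel for Windows events, every rule keyed to this logsource silently stops matching, which is the quietest possible way to lose a detection. I would add a comment above the condition, e.g. `# HAWK ingests the "MSExchange Management" log as a product, not an event_channel; keep in sync with windows-dns-server`, and confirm the literal against an ingested Exchange event. A second Exchange definition with `product: windows` is changed the same way further down (hunk at 687); if it sits under the same mapping key, PyYAML keeps only the later one without warning.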
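Review bot: The new `product_source` values `signInAudits` and `directoryAudits` are bare, case-sensitive string matches with no note on where they come from, so a casing or spelling mismatch with what the HAWK Azure ingest actually writes would disable every Azure sign-in and directory-audit rule without any error. Please verify both tokens against a real ingested record and say so in a comment, e.g. `# product_source must match the literal written by the HAWK Azure ingest (case-sensitive); verified against live events`. The `azure-activitylogs` entry directly below gets no `product_source`; its conditions are outside this hunk, so if they are still only `vendor_name`/`product_name` it will also match the sign-in and directory-audit events that the two entries above now select, and activity-log rules will over-match.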
@@ -612,12 +614,12 @@ logsources:
 product: windows
 service: dns-server
 conditions:
- channel: 'DNS Server'
+ product_name: 'DNS Server'
 windows-dns-server-audit:
 product: windows
 service: dns-server-audit
 conditions:
- channel: 'DNS Server'
+ product_name: 'DNS Server'
 windows-driver-framework:
 product: windows
 service: driver-framework
@@ -687,7 +689,7 @@ logsources:
 product: windows
 service: msexchange-management
 conditions:
- channel: 'MSExchange Management'
+ product_name: 'MSExchange Management'
 windows-printservice-admin:
 product: windows
 service: printservice-admin
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index 1dc2ece6b..dd8556970 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -193,7 +193,7 @@ class HAWKBackend(SingleTextQueryBackend):
 nodeRet["args"]["comparison"]["value"] = "!="
 nodeRet['rule_id'] = str(uuid.uuid4())
 key, value = node
- if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
+ if self.mapListsSpecialHandling == False and type(value) in (str, int, list, bool) or self.mapListsSpecialHandling == True and type(value) in (str, int, bool):
 nodeRet['key'] = self.cleanKey(key).lower()
 nodeRet['description'] = key
 if key.lower() in ("logname","source"):
@@ -267,6 +267,16 @@ class HAWKBackend(SingleTextQueryBackend):
 #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True))
 #return json.dumps(nodeRet)
 return nodeRet
+ elif type(value) is bool:
+ nodeRet['return'] = "bool"
+ nodeRet['args']['bool'] = { "value" : value }
+
+ if notNode:
+ nodeRet["args"]["comparison"]["value"] = "!="
+ else:
+ nodeRet['args']['comparison']['value'] = "="
+ del nodeRet['args']['str']
+ return nodeRet
 else:
 if nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username':
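Review bot: Both `windows-dns-server` and `windows-dns-server-audit` end up with the identical condition `product_name: 'DNS Server'`, so rules written for the audit service (zone transfers, record changes and similar) will match the same events as ordinary DNS server rules and vice versa; the commit renames the field but leaves the two services indistinguishable. Sigma's generic logsource for `dns-server-audit` is, as far as I recall, the dedicated audit channel (`Microsoft-Windows-DNS-Server/Audit`, please verify), so the audit entry should probably carry an `event_channel` for that channel rather than a copy of the operational condition. At minimum add a comment on the audit entry, e.g. `# intentionally aliases dns-server until HAWK exposes the DNS audit channel`, so the overlap reads as a known choice rather than an accident.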
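Review bot: Adding `bool` to the `type(value) in (...)` tuples is the right fix, since `type(True)` is `bool` and never equals `int`, but the condition now mixes `== False`/`== True` with an unparenthesised `and`/`or` chain, and nothing says the exact-type check (rather than `isinstance`) is deliberate. Assuming `mapListsSpecialHandling` is always a real bool, I would fold it into two lines: `scalar_types = (str, int, bool) if self.mapListsSpecialHandling else (str, int, list, bool)` and `if type(value) in scalar_types:  # exact type on purpose: isinstance would fold bool into int`. Because `True`/`False` are also instances of `int`, any later branch in this method that dispatches on `isinstance(value, int)` (outside the hunk) must test for `bool` first or a boolean condition will be serialised as an integer. The enclosing method starts and continues outside this hunk.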