Merge pull request #3963 from maximelb/lc-expand-rules

Expand rule support and bug fix for LimaCharlie
2023-01-27 17:57:32 +01:00
parent 1948b1cb6d f294be60b8
commit 4e46d36c59
1 changed files with 63 additions and 2 deletions
@@ -138,6 +138,20 @@ _allFieldMappings = {
            postOpMapper = _mapProcessCreationOperations,
            isCaseSensitive = []
        ),
+        "windows/dns_query/": SigmaLCConfig(
+            topLevelParams = {
+                "event": "DNS_REQUEST",
+            },
+            preConditions = None,
+            fieldMappings = {
+                "QueryName": "event/DOMAIN_NAME",
+                "Image": "event/FILE_PATH",
+            },
+            isAllStringValues = False,
+            keywordField = None,
+            postOpMapper = None,
+            isCaseSensitive = []
+        ),
        "dns//": SigmaLCConfig(
            topLevelParams = {
                "event": "DNS_REQUEST",
@@ -151,7 +165,7 @@ _allFieldMappings = {
            postOpMapper = None,
            isCaseSensitive = []
        ),
-        "linux//": SigmaLCConfig(
+        "linux/process_creation/": SigmaLCConfig(
            topLevelParams = {
                "events": [
                    "NEW_PROCESS",
@@ -164,12 +178,39 @@ _allFieldMappings = {
            fieldMappings = {
                "exe": "event/FILE_PATH",
                "type": None,
+                "CommandLine": "event/COMMAND_LINE",
+                "Image": "event/FILE_PATH",
+                "ParentImage": "event/PARENT/FILE_PATH",
+                "ParentCommandLine": "event/PARENT/COMMAND_LINE",
+                "User": "event/USER_NAME",
+                "OriginalFileName": "event/ORIGINAL_FILE_NAME",
+                "OriginalFilename": "event/ORIGINAL_FILE_NAME",
            },
            isAllStringValues = False,
            keywordField = 'event/COMMAND_LINE',
            postOpMapper = None,
            isCaseSensitive = ['event/FILE_PATH']
        ),
+        "linux/file_event/": SigmaLCConfig(
+            topLevelParams = {
+                "events": [
+                    "FILE_CREATE",
+                    "FILE_DELETE",
+                    "FILE_MODIFIED",
+                    "NEW_DOCUMENT",
+                ]
+            },
+            preConditions = {
+                "op": "is linux",
+            },
+            fieldMappings = {
+                "TargetFilename": "event/FILE_PATH",
+            },
+            isAllStringValues = False,
+            keywordField = None,
+            postOpMapper = None,
+            isCaseSensitive = ['event/FILE_PATH']
+        ),
        "unix//": SigmaLCConfig(
            topLevelParams = {
                "events": [
@@ -250,6 +291,26 @@ _allFieldMappings = {
            postOpMapper = _mapProcessCreationOperations,
            isCaseSensitive = ['event/FILE_PATH']
        ),
+        "macos/file_event/": SigmaLCConfig(
+            topLevelParams = {
+                "events": [
+                    "FILE_CREATE",
+                    "FILE_DELETE",
+                    "FILE_MODIFIED",
+                    "NEW_DOCUMENT",
+                ]
+            },
+            preConditions = {
+                "op": "is mac",
+            },
+            fieldMappings = {
+                "TargetFilename": "event/FILE_PATH",
+            },
+            isAllStringValues = False,
+            keywordField = None,
+            postOpMapper = None,
+            isCaseSensitive = ['event/FILE_PATH']
+        ),
    },
    "artifact": {
        "windows//": SigmaLCConfig(
@@ -558,7 +619,7 @@ class LimaCharlieBackend(BaseBackend):
                result = {
                    "op": "matches",
                    "path": fieldname,
-                    "re": re.compile(value),
+                    "re": str(value),
                }
                if self._postOpMapper is not None:
                    result = self._postOpMapper(result)