diff --git a/CHANGELOG.md b/CHANGELOG.md index 9eb37089d..f568a8dc9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,12 +10,27 @@ from version 0.14.0. ### Added -* sigma-uuid tool +* Proxy field names to ECS mapping (ecs-proxy) configuration + +## 0.15.0 + +### Added + +* sigma-uuid tool for addition and check of Sigma rule identifiers +* Default configurations +* Restriction of compared rules in sigma-similarity +* Regular expression support in es-dsl backend +* LimaCharlie support for proxy rule category +* Source distribution for PyPI ### Changed * Type errors are now ignored with -I +### Fixed + +* Removed wrong mapping of CommandLine field mapping in THOR config + ## 0.14 ### Added diff --git a/Makefile b/Makefile index 6594f1676..d8062448e 100644 --- a/Makefile +++ b/Makefile @@ -51,6 +51,7 @@ test-sigmac: ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null + coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null 
@@ -92,7 +93,7 @@ test-backend-es-qs: tests/test-backend-es-qs.py build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg - cd tools && python3 setup.py bdist_wheel + cd tools && python3 setup.py bdist_wheel sdist upload-test: build twine upload --repository-url https://test.pypi.org/legacy/ tools/dist/* diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml index c3fcbb0fa..fc6985195 100644 --- a/rules/proxy/proxy_apt40.yml +++ b/rules/proxy/proxy_apt40.yml @@ -9,12 +9,12 @@ logsource: category: proxy detection: selection: - UserAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' r-dns: 'api.dropbox.com' condition: selection fields: - c-ip - - cs-uri + - c-uri falsepositives: - Old browsers level: high diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index 550a6d65d..062f9013e 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml @@ -14,8 +14,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: critical diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml index 6c178c3f6..d991ba232 100644 --- a/rules/proxy/proxy_cobalt_amazon.yml +++ b/rules/proxy/proxy_cobalt_amazon.yml 
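Review bot: The `fields` list in proxy_chafer_malware.yml still names `ClientIP` while the two entries next to it are renamed to `c-uri` and `c-useragent`, so the rule now mixes the old and the new proxy field vocabulary; proxy_apt40.yml and the new proxy_ursnif_malware.yml use `c-ip` for the same field, and the new ecs-proxy.yml maps neither `ClientIP` nor `c-ip`. I would change the line to `- c-ip` here and in the identical `fields` hunks of proxy_download_susp_tlds_blacklist, proxy_download_susp_tlds_whitelist, proxy_downloadcradle_webdav, proxy_empty_ua, proxy_ios_implant, proxy_powershell_ua, proxy_raw_paste_service_access, proxy_telegram_api, proxy_ua_apt, proxy_ua_bitsadmin_susp_tld, proxy_ua_cryptominer, proxy_ua_frameworks, proxy_ua_hacktool, proxy_ua_malware and proxy_ua_suspicious, and add a client-address entry to the ecs-proxy field mappings. This assumes the backends pass the `fields` list through the same mapping as the detection keys; if they emit it verbatim the inconsistency is cosmetic but still worth fixing.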
@@ -3,26 +3,26 @@ id: 953b895e-5cc9-454b-b183-7f3db555452e status: experimental description: Detects Malleable Amazon Profile references: - - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile - - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 + - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile + - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 author: Markus Neis tags: - - attack.t1102 + - attack.t1102 logsource: - category: proxy + category: proxy detection: - selection1: - UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" - HttpMethod: 'GET' - URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' - Host: 'www.amazon.com' - Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' - selection2: - UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" - HttpMethod: 'POST' - URL: '/N4215/adj/amzn.us.sr.aps' - Host: 'www.amazon.com' - condition: selection1 or selection2 + selection1: + c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" + cs-method: 'GET' + c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' + cs-host: 'www.amazon.com' + cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' + selection2: + c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" + cs-method: 'POST' + c-uri: '/N4215/adj/amzn.us.sr.aps' + cs-host: 'www.amazon.com' + condition: selection1 or selection2 falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml index 5bcf706d9..b85b71698 100644 --- a/rules/proxy/proxy_cobalt_ocsp.yml +++ b/rules/proxy/proxy_cobalt_ocsp.yml 
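Review bot: The field renames in proxy_cobalt_amazon.yml (`UserAgent`→`c-useragent`, `HttpMethod`→`cs-method`, `URL`→`c-uri`, `Host`→`cs-host`, `Cookie`→`cs-cookie`) are buried in a re-indentation of every line of the file, which makes the semantic change hard to verify in review. I would keep the whitespace clean-up in its own commit, or at least confirm the renamed keys against the backend configs touched in this change: ecs-proxy.yml maps all five, but qradar.yml maps none of `cs-host` and `cs-cookie`, so this rule presumably will not convert cleanly for that backend.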
@@ -11,8 +11,8 @@ logsource: category: proxy detection: selection: - URL: '*/oscp/*' - Host: 'ocsp.verisign.com' + c-uri: '*/oscp/*' + cs-host: 'ocsp.verisign.com' condition: selection falsepositives: diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index 53bd1f059..73ead895c 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -11,11 +11,11 @@ logsource: category: proxy detection: selection: - HttpMethod: 'GET' - URL: '*?manifest=wac' - Host: 'onedrive.live.com' + cs-method: 'GET' + c-uri: '*?manifest=wac' + cs-host: 'onedrive.live.com' filter: - URL: 'http*://onedrive.live.com/*' + c-uri: 'http*://onedrive.live.com/*' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index fae2afddb..f006d78e3 100644 --- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml @@ -102,7 +102,7 @@ detection: condition: selection fields: - ClientIP - - URL + - c-uri falsepositives: - All kinds of software downloads level: low diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml index db73cb99c..4ffee0fe9 100644 --- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml +++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml @@ -50,7 +50,7 @@ detection: condition: selection and not filter fields: - ClientIP - - URL + - c-uri falsepositives: - All kind of software downloads level: low diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml index b3920a644..6d0c562d7 100644 --- a/rules/proxy/proxy_downloadcradle_webdav.yml +++ b/rules/proxy/proxy_downloadcradle_webdav.yml 
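Review bot: The new `c-uri: '*/oscp/*'` in proxy_cobalt_ocsp.yml keeps the transposed spelling `oscp` right next to `cs-host: 'ocsp.verisign.com'`, and nothing in the rule says the mismatch is intentional. If the string is copied from the referenced Malleable C2 profile (it looks like it), add a comment such as `# 'oscp' (sic): path as set in the Cobalt Strike ocsp profile, not a typo` so a later clean-up does not "correct" it and silently break the detection; if it is a typo, the value should read `'*/ocsp/*'`. The rule header with the references is outside the hunk.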
@@ -10,14 +10,14 @@ logsource: category: proxy detection: selection: - UserAgent: 'Microsoft-WebDAV-MiniRedir/*' - HttpMethod: 'GET' + c-useragent: 'Microsoft-WebDAV-MiniRedir/*' + cs-method: 'GET' condition: selection fields: - ClientIP - - URL - - UserAgent - - HttpMethod + - c-uri + - c-useragent + - cs-method falsepositives: - Administrative scripts that download files from the Internet - Administrative scripts that retrieve certain website contents diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml index a616d3869..baf3b1e07 100644 --- a/rules/proxy/proxy_empty_ua.yml +++ b/rules/proxy/proxy_empty_ua.yml @@ -10,12 +10,12 @@ logsource: detection: selection: # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString - UserAgent: '' + c-useragent: '' condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: medium diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index 58bc53617..ce45ca853 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml @@ -15,8 +15,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: critical diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index fe6a71773..ff1185681 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml @@ -9,12 +9,12 @@ logsource: category: proxy detection: selection: - UserAgent: '* WindowsPowerShell/*' + c-useragent: '* WindowsPowerShell/*' condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Administrative scripts that download files from the Internet - Administrative scripts that retrieve certain website contents 
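Review bot: `c-useragent: ''` in proxy_empty_ua.yml matches only events that carry an explicitly empty user-agent value, not events in which the proxy omits the field altogether, and with the new ecs-proxy mapping this presumably becomes an exact empty-string match on `user_agent.original`. Whether absent-field events should also fire is a design decision the rule should state; I would extend the existing comment to `# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString; events without the field are intentionally not matched`.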
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml index f0e7587a4..d5d21d3be 100644 --- a/rules/proxy/proxy_raw_paste_service_access.yml +++ b/rules/proxy/proxy_raw_paste_service_access.yml @@ -16,11 +16,12 @@ detection: c-uri|contains: - '.paste.ee/r/' - '.pastebin.com/raw/' + - '.hastebin.com/raw/' condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste) level: high diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index fecc08902..f2f9aa95a 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -9,13 +9,12 @@ logsource: category: proxy detection: selection: - cs-uri-query: + c-uri-query: - '*/install_flash_player.exe' - '*/flash_install.php*' filter: - cs-uri-stem: '*.adobe.com/*' + c-uri-stem: '*.adobe.com/*' condition: selection and not filter falsepositives: - Unknown flash download locations level: high - diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index 14d2902e3..3c4cdac0b 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml @@ -15,15 +15,15 @@ detection: r-dns: - 'api.telegram.org' # Often used by Bots filter: - UserAgent: + c-useragent: # Used https://core.telegram.org/bots/samples for this list - '*Telegram*' - '*Bot*' condition: selection and not filter fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Legitimate use of Telegram bots in the company level: medium diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 7aa317924..460631c95 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml 
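Review bot: The renamed `c-uri-query` selection in proxy_susp_flash_download_loc.yml holds path-like patterns (`*/install_flash_player.exe`, `*/flash_install.php*`), which look like URI stems rather than query strings; with the new ecs-proxy mapping `c-uri-query` resolves to `url.query` while `c-uri-stem` resolves to `url.original`, so the selection would be evaluated against the query component only. Please confirm the intended field; if the patterns are meant for the path, the key should be `c-uri-stem` (or `c-uri`), and the filter's `c-uri-stem: '*.adobe.com/*'`, which contains a host name, probably belongs on `c-uri` or `cs-host`.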
@@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # APT Related - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi @@ -46,8 +46,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Old browsers level: high diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index 869b97fac..c0ed66830 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml @@ -8,7 +8,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: - 'Microsoft BITS/*' falsepositives: r-dns: @@ -18,8 +18,8 @@ detection: condition: selection and not falsepositives fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca level: high diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml index b0c696e94..3fad1d167 100644 --- a/rules/proxy/proxy_ua_cryptominer.yml +++ b/rules/proxy/proxy_ua_cryptominer.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # XMRig - 'XMRig *' # CCMiner @@ -19,8 +19,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml index a47f210fd..a4c3e234d 100644 --- a/rules/proxy/proxy_ua_frameworks.yml +++ b/rules/proxy/proxy_ua_frameworks.yml 
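Review bot: The detection block in proxy_ua_bitsadmin_susp_tld.yml names its exclusion selection `falsepositives` (`condition: selection and not falsepositives`), the same word as the top-level `falsepositives:` list a few lines below, so a reader sees two different things under one name; proxy_ua_suspicious.yml does the same. The other proxy rules in this change (proxy_cobalt_onedrive, proxy_telegram_api, proxy_susp_flash_download_loc) use `filter` for this role; renaming the sub-selection to `filter` and updating the condition line to `condition: selection and not filter` would make the rules consistent. The sub-selection starts inside the first hunk but its condition line is in the second.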
@@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2 - 'Internet Explorer *' - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://goo.gl/f4H5Ez @@ -46,8 +46,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml index e2ab7d36f..203543ceb 100644 --- a/rules/proxy/proxy_ua_hacktool.yml +++ b/rules/proxy/proxy_ua_hacktool.yml @@ -10,7 +10,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # Vulnerbility scanner and brute force tools - '*(hydra)*' - '* arachni/*' @@ -65,8 +65,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index 265b78407..de51980eb 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -13,7 +13,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # RATs - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 @@ -70,8 +70,8 @@ detection: condition: selection fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml index 7e2d3f091..19e5ea4ab 100644 --- a/rules/proxy/proxy_ua_suspicious.yml +++ b/rules/proxy/proxy_ua_suspicious.yml 
@@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - UserAgent: + c-useragent: # Badly scripted UA - 'user-agent' # User-Agent: User-Agent: - '* (compatible;MSIE *' # typical typo - missing space @@ -25,13 +25,13 @@ detection: - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html falsepositives: - UserAgent: + c-useragent: - 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content condition: selection and not falsepositives fields: - ClientIP - - URL - - UserAgent + - c-uri + - c-useragent falsepositives: - Unknown level: high diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml new file mode 100644 index 000000000..7d4aea955 --- /dev/null +++ b/rules/proxy/proxy_ursnif_malware.yml 
@@ -0,0 +1,48 @@ +title: Ursnif Malware Download URL Pattern +id: a36ce77e-30db-4ea0-8795-644d7af5dfb4 +status: stable +description: Detects download of Ursnif malware done by dropper documents. +author: Thomas Patzke +logsource: + category: proxy +detection: + selection: + c-uri: '*/*.php?l=*.cab' + sc-status: 200 + condition: selection +fields: + - c-ip + - c-uri + - sc-bytes + - c-ua +falsepositives: + - Unknown +level: critical +--- +title: Ursnif Malware C2 URL Pattern +id: 932ac737-33ca-4afd-9869-0d48b391fcc9 +status: stable +description: Detects Ursnif C2 traffic. +references: + - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html +author: Thomas Patzke +logsource: + category: proxy +detection: + b64encoding: + c-uri: + - "*_2f*" + - "*_2b*" + urlpatterns: + c-uri|all: + - "*.avi" + - "*/images/*" + condition: b64encoding and urlpatterns +fields: + - c-ip + - c-uri + - sc-bytes + - c-ua +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml new file mode 100644 index 000000000..9d7e71e2d --- /dev/null +++ b/rules/windows/builtin/win_susp_wmi_login.yml @@ -0,0 +1,20 @@ +title: Login with WMI +id: 5af54681-df95-4c26-854f-2565e13cfab0 +status: stable +description: Detection of logins performed with WMI +author: Thomas Patzke +tags: + - attack.execution + - attack.t1047 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4624 + ProcessName: "*\\WmiPrvSE.exe" + condition: selection +falsepositives: + - Monitoring tools + - Legitimate system administration +level: low diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml index 9ec58361e..f42c4c82d 100644 --- a/rules/windows/process_creation/win_susp_exec_folder.yml +++ b/rules/windows/process_creation/win_susp_exec_folder.yml 
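Review bot: The `fields` lists of both new rules in proxy_ursnif_malware.yml use `c-ua` for the user agent, while every other proxy rule in this change is renamed to `c-useragent` and the new ecs-proxy.yml maps only `c-useragent`; I would change both occurrences to `- c-useragent`. Two smaller things: the first rule has no `references` entry, and both rules are introduced as `status: stable` although other rules in the repository (e.g. proxy_cobalt_amazon) start as `experimental`, which is the usual status for a rule that has not yet been run against real data. `sc-bytes` and `c-ip` in `fields` are likewise absent from the ecs-proxy mapping.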
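Review bot: win_susp_wmi_login.yml fires on every 4624 whose `ProcessName` ends in `WmiPrvSE.exe` with no `LogonType` or account constraint, yet it ships as `status: stable` without a `references` entry; a comment explaining which logon types are expected and why none is filtered would help tuning, e.g. `# No LogonType filter on purpose: <expected types> -- confirm`. As with proxy_ursnif_malware.yml, a newly added rule is usually `experimental` first. The double-quoted `"*\\WmiPrvSE.exe"` is correct YAML, but the process_creation rule touched in this same diff writes `'*\svchost.exe'`; the single-quoted form avoids the double escape and matches the repository style.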
@@ -9,6 +9,7 @@ references: - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ + - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md tags: - attack.defense_evasion - attack.t1036 @@ -33,6 +34,8 @@ detection: - C:\Windows\security\\* - '*\RSA\MachineKeys\\*' - C:\Windows\system32\config\systemprofile\\* + - C:\Windows\Tasks\\* + - C:\Windows\System32\Tasks\\* condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml index 21784bf2c..158e21905 100644 --- a/rules/windows/process_creation/win_susp_svchost.yml +++ b/rules/windows/process_creation/win_susp_svchost.yml @@ -19,6 +19,7 @@ detection: - '*\MsMpEng.exe' - '*\Mrt.exe' - '*\rpcnet.exe' + - '*\svchost.exe' filter_null: ParentImage: null condition: selection and not filter and not filter_null diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml index 10946c14f..58c99aaba 100644 --- a/tools/config/arcsight.yml +++ b/tools/config/arcsight.yml @@ -53,7 +53,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: deviceVendor: Microsoft windows-system: product: windows diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml new file mode 100644 index 000000000..9e75578c7 --- /dev/null +++ b/tools/config/ecs-proxy.yml 
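Review bot: The two new paths in win_susp_exec_folder.yml cover `C:\Windows\Tasks\\*` and `C:\Windows\System32\Tasks\\*`, but on 64-bit hosts `C:\Windows\SysWOW64\Tasks` is a third scheduled-task folder that these lines do not include; the start of the list is outside the hunk, so check whether a SysWOW64 entry already exists above. If it is missing, add `- C:\Windows\SysWOW64\Tasks\\*` next to the new entries.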
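Review bot: Adding `'*\svchost.exe'` to the parent filter in win_susp_svchost.yml excludes every svchost.exe spawned by another svchost.exe from the rule, which narrows the detection, and the hunk gives no reason for it. Please add a comment on the new line naming the legitimate parent/child pattern that caused the false positive (e.g. `- '*\svchost.exe'  # observed: <legitimate case, fill in>`), or tighten the exclusion to that specific case if only one service is responsible. The `filter` list this line belongs to starts outside the hunk.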
@@ -0,0 +1,24 @@ +title: Elastic Common Schema mapping for proxy logs +order: 20 +backends: + - es-qs + - es-dsl + - kibana + - xpack-watcher + - elastalert + - elastalert-dsl +logsources: + proxy: + category: proxy + index: filebeat-* +fieldmappings: + c-uri: url.original + c-uri-extension: url.extension + c-uri-query: url.query + c-uri-stem: url.original + c-useragent: user_agent.original + cs-cookie: http.cookie + cs-host: url.domain + cs-method: http.request.method + r-dns: url.domain + sc-status: http.response.status_code diff --git a/tools/config/netwitness.yml b/tools/config/netwitness.yml index 69ce69e47..e4123d546 100644 --- a/tools/config/netwitness.yml +++ b/tools/config/netwitness.yml @@ -37,7 +37,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: device.type: winevent_nic event.source: microsoft-windows-dhcp-server windows-sec: @@ -52,7 +52,7 @@ logsources: conditions: device.type: winevent_nic fieldmappings: - dst: + dst: - ip.dst dst_ip: - ip.dst @@ -72,21 +72,21 @@ fieldmappings: - user.dst c-uri-extension: - extension - UserAgent: + c-useragent: - user.agent r-dns: - alias.host DestinationHostname: - alias.host - Host: + cs-host: - alias.host c-uri-query: - web.page - URL: + c-uri: - web.page - HttpMethod: + cs-method: - action - Cookie: + cs-cookie: - web.cookie SubjectUserName: - user.dst diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index 1c96adc82..5cb0ea758 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml @@ -22,12 +22,12 @@ logsources: product: windows service: sysmon conditions: - LogName: 'Microsoft-Windows-Sysmon/Operational' + LogName: 'Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell conditions: - LogName: 'Microsoft-Windows-PowerShell/Operational' + LogName: 'Microsoft-Windows-PowerShell/Operational' windows-classicpowershell: product: windows service: powershell-classic 
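Review bot: `c-uri-stem: url.original` in the new ecs-proxy.yml maps the path-only field to the full original URL; ECS has a dedicated `url.path` for the request path, and since `c-uri` is already mapped to `url.original`, a `c-uri-stem` pattern ending in a filename would also have to match any trailing query string. I would change the line to `c-uri-stem: url.path`. Also worth a look: `cs-host` and `r-dns` both map to `url.domain` (acceptable, but a one-line comment saying proxy logs usually carry only one of them would help), `http.cookie` does not look like an ECS core field, so confirm the ingest pipeline populates it, and there is no mapping for the client address (`ClientIP`/`c-ip`) that the proxy rules list in `fields`.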
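Review bot: After the rename in netwitness.yml both `c-uri-query` and `c-uri` map to `web.page`, so a query-only pattern is evaluated against whatever `web.page` holds, and `c-uri-stem`, which proxy_susp_flash_download_loc now uses, has no mapping here at all. Please confirm the NetWitness meta key for the query component, or add a comment stating that the two are intentionally collapsed onto `web.page`.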
@@ -67,5 +67,5 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: LogName: 'Microsoft-Windows-DHCP-Server/Operational' diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml index 4a12b9ab0..1768f96bb 100644 --- a/tools/config/qradar.yml +++ b/tools/config/qradar.yml @@ -26,29 +26,27 @@ logsources: index: flows flow: - category: flow - index: flows + category: flow + index: flows fieldmappings: - EventID: - - Event ID Code - dst: - - destinationIP - dst_ip: - - destinationIP - src: - - sourceIP - src_ip: - - sourceIP - c-ip: sourceIP - cs-ip: sourceIP - cs-uri: url - c-uri: sourceIP - c-uri-extension: file_extension - UserAgent: user_agent - c-uri-query: uri_query - HttpMethod: Method - URL: URL - r-dns: FQDN - ClientIP: sourceIP - ServiceFileName: Service Name + EventID: + - Event ID Code + dst: + - destinationIP + dst_ip: + - destinationIP + src: + - sourceIP + src_ip: + - sourceIP + c-ip: sourceIP + cs-ip: sourceIP + c-uri: url + c-uri-extension: file_extension + c-useragent: user_agent + c-uri-query: uri_query + cs-method: Method + r-dns: FQDN + ClientIP: sourceIP + ServiceFileName: Service Name diff --git a/tools/config/qualys.yml b/tools/config/qualys.yml index 400124fb8..a5cf1d924 100644 --- a/tools/config/qualys.yml +++ b/tools/config/qualys.yml 
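Review bot: The qradar.yml hunk re-indents the whole `fieldmappings` block and in the same lines fixes the real defect (`c-uri: sourceIP` replaced by `c-uri: url`, with the `URL` and `cs-uri` keys retired), which makes the behavioural change almost invisible in the diff; separating the whitespace clean-up would help later bisecting. The new mapping set also omits `cs-host`, `cs-cookie` and `c-uri-stem`, which proxy_cobalt_amazon and proxy_susp_flash_download_loc now use, so unless sigmac passes unmapped names through to QRadar unchanged those rules will not convert correctly for this backend.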
@@ -3,19 +3,18 @@ order: 20 backends: - qualys fieldmappings: - dst: - - network.remote.address.ip - dst_ip: - - network.remote.address.ip - src: - - network.local.address.ip - src_ip: - - network.local.address.ip - file_hash: - - file.hash.md5 - - file.hash.sha256 - NewProcessName: process.name - ServiceName: process.name - ServiceFileName: process.name - TargetObject: registry.path - + dst: + - network.remote.address.ip + dst_ip: + - network.remote.address.ip + src: + - network.local.address.ip + src_ip: + - network.local.address.ip + file_hash: + - file.hash.md5 + - file.hash.sha256 + NewProcessName: process.name + ServiceName: process.name + ServiceFileName: process.name + TargetObject: registry.path diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index a7b45bb4e..f1373489e 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -68,7 +68,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: source: 'Microsoft-Windows-DHCP-Server/Operational' fieldmappings: - EventID: EventCode + EventID: EventCode diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index dbb7b9dca..09e83fbbe 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -54,7 +54,7 @@ logsources: windows-dhcp: product: windows service: dhcp - conditions: + conditions: EventChannel: Microsoft-Windows-DHCP-Server index: WINDOWS apache: @@ -97,10 +97,6 @@ logsources: application-rails: product: rails index: RAILS - application-rails: - category: application - product: ruby_on_rails - index: RAILS application-spring: product: spring index: SPRING diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 468a92789..7cfe52993 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml 
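Review bot: The duplicate `application-rails` key removed from sumologic.yml carried `product: ruby_on_rails` and `category: application`, and if the config is loaded with PyYAML its last-key-wins behaviour means that definition, not the surviving `product: rails` one, was in effect before this change; after the removal, rules that use `product: ruby_on_rails` no longer resolve to the `RAILS` index. If both product names occur in the rule base, keep the second definition under a distinct key (e.g. `application-ruby-on-rails`) instead of deleting it.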
@@ -29,42 +29,42 @@ logsources: windows-application: product: windows service: application - sources: + sources: - 'WinEventLog:Application' windows-security: product: windows service: security - sources: + sources: - 'WinEventLog:Security' windows-system: product: windows service: system - sources: + sources: - 'WinEventLog:System' windows-sysmon: product: windows service: sysmon - sources: + sources: - 'WinEventLog:Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell - sources: + sources: - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' windows-taskscheduler: product: windows service: taskscheduler - sources: + sources: - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' windows-wmi: product: windows service: wmi - sources: + sources: - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' windows-dhcp: product: windows service: dhcp - sources: + sources: - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' apache: category: webserver diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a59ce36fc..8e00c9610 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -46,80 +46,80 @@ defaultindex: winlogbeat-* # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: - EventID: winlog.event_id - AccessMask: winlog.event_data.AccessMask - AccountName: winlog.event_data.AccountName - AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName - AuditPolicyChanges: winlog.event_data.AuditPolicyChanges - AuthenticationPackageName: winlog.event_data.AuthenticationPackageName - CallingProcessName: winlog.event_data.CallingProcessName - CallTrace: winlog.event_data.CallTrace - CommandLine: process.args - ComputerName: winlog.ComputerName - CurrentDirectory: process.working_directory - Description: winlog.event_data.Description - DestinationHostname: destination.domain - DestinationIp: destination.ip - #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 - DestinationPort: destination.port - DestinationPortName: network.protocol - Details: winlog.event_data.Details - EngineVersion: winlog.event_data.EngineVersion - EventType: winlog.event_data.EventType - FailureCode: winlog.event_data.FailureCode - FileName: file.path - GrantedAccess: winlog.event_data.GrantedAccess - GroupName: winlog.event_data.GroupName - GroupSid: winlog.event_data.GroupSid - Hashes: winlog.event_data.Hashes - HiveName: winlog.event_data.HiveName - HostVersion: winlog.event_data.HostVersion - Image: process.executable - ImageLoaded: file.path - ImagePath: winlog.event_data.ImagePath - Imphash: winlog.event_data.Imphash - IpAddress: source.ip - IpPort: source.port - KeyLength: winlog.event_data.KeyLength - LogonProcessName: 
winlog.event_data.LogonProcessName - LogonType: winlog.event_data.LogonType - NewProcessName: winlog.event_data.NewProcessName - ObjectClass: winlog.event_data.ObjectClass - ObjectName: winlog.event_data.ObjectName - ObjectType: winlog.event_data.ObjectType - ObjectValueName: winlog.event_data.ObjectValueName - ParentCommandLine: process.parent.args - ParentProcessName: process.parent.name - ParentImage: process.parent.executable - Path: winlog.event_data.Path - PipeName: file.name - ProcessCommandLine: winlog.event_data.ProcessCommandLine - ProcessName: process.executable - Properties: winlog.event_data.Properties - SecurityID: winlog.event_data.SecurityID - ServiceFileName: winlog.event_data.ServiceFileName - ServiceName: winlog.event_data.ServiceName - ShareName: winlog.event_data.ShareName - Signature: winlog.event_data.Signature - Source: winlog.event_data.Source - SourceHostname: source.domain - SourceImage: process.executable - SourceIp: source.ip - SourcePort: source.port - #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 - StartModule: winlog.event_data.StartModule - Status: winlog.event_data.Status - SubjectDomainName: user.domain - SubjectUserName: user.name - SubjectUserSid: user.id - TargetFilename: file.path - TargetImage: winlog.event_data.TargetImage - TargetObject: winlog.event_data.TargetObject - TicketEncryptionType: winlog.event_data.TicketEncryptionType - TicketOptions: winlog.event_data.TicketOptions - TargetDomainName: user.domain - TargetUserName: user.name - TargetUserSid: user.id - User: user.name - WorkstationName: source.domain \ No newline at end of file + EventID: winlog.event_id + AccessMask: winlog.event_data.AccessMask + AccountName: winlog.event_data.AccountName + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: 
winlog.event_data.AttributeLDAPDisplayName + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallingProcessName: winlog.event_data.CallingProcessName + CallTrace: winlog.event_data.CallTrace + CommandLine: process.args + ComputerName: winlog.ComputerName + CurrentDirectory: process.working_directory + Description: winlog.event_data.Description + DestinationHostname: destination.domain + DestinationIp: destination.ip + #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + DestinationPort: destination.port + DestinationPortName: network.protocol + Details: winlog.event_data.Details + EngineVersion: winlog.event_data.EngineVersion + EventType: winlog.event_data.EventType + FailureCode: winlog.event_data.FailureCode + FileName: file.path + GrantedAccess: winlog.event_data.GrantedAccess + GroupName: winlog.event_data.GroupName + GroupSid: winlog.event_data.GroupSid + Hashes: winlog.event_data.Hashes + HiveName: winlog.event_data.HiveName + HostVersion: winlog.event_data.HostVersion + Image: process.executable + ImageLoaded: file.path + ImagePath: winlog.event_data.ImagePath + Imphash: winlog.event_data.Imphash + IpAddress: source.ip + IpPort: source.port + KeyLength: winlog.event_data.KeyLength + LogonProcessName: winlog.event_data.LogonProcessName + LogonType: winlog.event_data.LogonType + NewProcessName: winlog.event_data.NewProcessName + ObjectClass: winlog.event_data.ObjectClass + ObjectName: winlog.event_data.ObjectName + ObjectType: winlog.event_data.ObjectType + ObjectValueName: winlog.event_data.ObjectValueName + ParentCommandLine: process.parent.args + ParentProcessName: process.parent.name + ParentImage: process.parent.executable + Path: winlog.event_data.Path + PipeName: file.name + 
ProcessCommandLine: winlog.event_data.ProcessCommandLine + ProcessName: process.executable + Properties: winlog.event_data.Properties + SecurityID: winlog.event_data.SecurityID + ServiceFileName: winlog.event_data.ServiceFileName + ServiceName: winlog.event_data.ServiceName + ShareName: winlog.event_data.ShareName + Signature: winlog.event_data.Signature + Source: winlog.event_data.Source + SourceHostname: source.domain + SourceImage: process.executable + SourceIp: source.ip + SourcePort: source.port + #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + StartModule: winlog.event_data.StartModule + Status: winlog.event_data.Status + SubjectDomainName: user.domain + SubjectUserName: user.name + SubjectUserSid: user.id + TargetFilename: file.path + TargetImage: winlog.event_data.TargetImage + TargetObject: winlog.event_data.TargetObject + TicketEncryptionType: winlog.event_data.TicketEncryptionType + TicketOptions: winlog.event_data.TicketOptions + TargetDomainName: user.domain + TargetUserName: user.name + TargetUserSid: user.id + User: user.name + WorkstationName: source.domain diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 3e7f35ac0..d381263ab 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
@@ -46,70 +46,70 @@ defaultindex: winlogbeat-* # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: - EventID: event_id - AccessMask: event_data.AccessMask - AccountName: event_data.AccountName - AllowedToDelegateTo: event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName - AuditPolicyChanges: event_data.AuditPolicyChanges - AuthenticationPackageName: event_data.AuthenticationPackageName - CallingProcessName: event_data.CallingProcessName - CallTrace: event_data.CallTrace - CommandLine: event_data.CommandLine - ComputerName: event_data.ComputerName - CurrentDirectory: event_data.CurrentDirectory - Description: event_data.Description - DestinationHostname: event_data.DestinationHostname - DestinationIp: event_data.DestinationIp - DestinationIsIpv6: event_data.DestinationIsIpv6 - DestinationPort: event_data.DestinationPort - Details: event_data.Details - EngineVersion: event_data.EngineVersion - EventType: event_data.EventType - FailureCode: event_data.FailureCode - FileName: event_data.FileName - GrantedAccess: event_data.GrantedAccess - GroupName: event_data.GroupName - GroupSid: event_data.GroupSid - Hashes: event_data.Hashes - HiveName: event_data.HiveName - HostVersion: event_data.HostVersion - Image: event_data.Image - ImageLoaded: event_data.ImageLoaded - ImagePath: event_data.ImagePath - Imphash: event_data.Imphash - IpAddress: event_data.IpAddress - KeyLength: event_data.KeyLength - LogonProcessName: event_data.LogonProcessName - LogonType: event_data.LogonType - NewProcessName: event_data.NewProcessName - ObjectClass: event_data.ObjectClass - ObjectName: event_data.ObjectName - ObjectType: event_data.ObjectType - ObjectValueName: event_data.ObjectValueName - ParentCommandLine: event_data.ParentCommandLine - ParentProcessName: 
event_data.ParentProcessName - ParentImage: event_data.ParentImage - Path: event_data.Path - PipeName: event_data.PipeName - ProcessCommandLine: event_data.ProcessCommandLine - ProcessName: event_data.ProcessName - Properties: event_data.Properties - SecurityID: event_data.SecurityID - ServiceFileName: event_data.ServiceFileName - ServiceName: event_data.ServiceName - ShareName: event_data.ShareName - Signature: event_data.Signature - Source: event_data.Source - SourceImage: event_data.SourceImage - StartModule: event_data.StartModule - Status: event_data.Status - SubjectUserName: event_data.SubjectUserName - SubjectUserSid: event_data.SubjectUserSid - TargetFilename: event_data.TargetFilename - TargetImage: event_data.TargetImage - TargetObject: event_data.TargetObject - TicketEncryptionType: event_data.TicketEncryptionType - TicketOptions: event_data.TicketOptions - User: event_data.User - WorkstationName: event_data.WorkstationName + EventID: event_id + AccessMask: event_data.AccessMask + AccountName: event_data.AccountName + AllowedToDelegateTo: event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName + AuditPolicyChanges: event_data.AuditPolicyChanges + AuthenticationPackageName: event_data.AuthenticationPackageName + CallingProcessName: event_data.CallingProcessName + CallTrace: event_data.CallTrace + CommandLine: event_data.CommandLine + ComputerName: event_data.ComputerName + CurrentDirectory: event_data.CurrentDirectory + Description: event_data.Description + DestinationHostname: event_data.DestinationHostname + DestinationIp: event_data.DestinationIp + DestinationIsIpv6: event_data.DestinationIsIpv6 + DestinationPort: event_data.DestinationPort + Details: event_data.Details + EngineVersion: event_data.EngineVersion + EventType: event_data.EventType + FailureCode: event_data.FailureCode + FileName: event_data.FileName + GrantedAccess: event_data.GrantedAccess + GroupName: event_data.GroupName + GroupSid: 
event_data.GroupSid + Hashes: event_data.Hashes + HiveName: event_data.HiveName + HostVersion: event_data.HostVersion + Image: event_data.Image + ImageLoaded: event_data.ImageLoaded + ImagePath: event_data.ImagePath + Imphash: event_data.Imphash + IpAddress: event_data.IpAddress + KeyLength: event_data.KeyLength + LogonProcessName: event_data.LogonProcessName + LogonType: event_data.LogonType + NewProcessName: event_data.NewProcessName + ObjectClass: event_data.ObjectClass + ObjectName: event_data.ObjectName + ObjectType: event_data.ObjectType + ObjectValueName: event_data.ObjectValueName + ParentCommandLine: event_data.ParentCommandLine + ParentProcessName: event_data.ParentProcessName + ParentImage: event_data.ParentImage + Path: event_data.Path + PipeName: event_data.PipeName + ProcessCommandLine: event_data.ProcessCommandLine + ProcessName: event_data.ProcessName + Properties: event_data.Properties + SecurityID: event_data.SecurityID + ServiceFileName: event_data.ServiceFileName + ServiceName: event_data.ServiceName + ShareName: event_data.ShareName + Signature: event_data.Signature + Source: event_data.Source + SourceImage: event_data.SourceImage + StartModule: event_data.StartModule + Status: event_data.Status + SubjectUserName: event_data.SubjectUserName + SubjectUserSid: event_data.SubjectUserSid + TargetFilename: event_data.TargetFilename + TargetImage: event_data.TargetImage + TargetObject: event_data.TargetObject + TicketEncryptionType: event_data.TicketEncryptionType + TicketOptions: event_data.TicketOptions + User: event_data.User + WorkstationName: event_data.WorkstationName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index a63adc53c..749810caa 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml 
@@ -46,70 +46,70 @@ defaultindex: winlogbeat-* # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: - EventID: winlog.event_id - AccessMask: winlog.event_data.AccessMask - AccountName: winlog.event_data.AccountName - AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo - AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName - AuditPolicyChanges: winlog.event_data.AuditPolicyChanges - AuthenticationPackageName: winlog.event_data.AuthenticationPackageName - CallingProcessName: winlog.event_data.CallingProcessName - CallTrace: winlog.event_data.CallTrace - CommandLine: winlog.event_data.CommandLine - ComputerName: winlog.ComputerName - CurrentDirectory: winlog.event_data.CurrentDirectory - Description: winlog.event_data.Description - DestinationHostname: winlog.event_data.DestinationHostname - DestinationIp: winlog.event_data.DestinationIp - DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 - DestinationPort: winlog.event_data.DestinationPort - Details: winlog.event_data.Details - EngineVersion: winlog.event_data.EngineVersion - EventType: winlog.event_data.EventType - FailureCode: winlog.event_data.FailureCode - FileName: winlog.event_data.FileName - GrantedAccess: winlog.event_data.GrantedAccess - GroupName: winlog.event_data.GroupName - GroupSid: winlog.event_data.GroupSid - Hashes: winlog.event_data.Hashes - HiveName: winlog.event_data.HiveName - HostVersion: winlog.event_data.HostVersion - Image: winlog.event_data.Image - ImageLoaded: winlog.event_data.ImageLoaded - ImagePath: winlog.event_data.ImagePath - Imphash: winlog.event_data.Imphash - IpAddress: winlog.event_data.IpAddress - KeyLength: winlog.event_data.KeyLength - LogonProcessName: winlog.event_data.LogonProcessName - LogonType: winlog.event_data.LogonType - NewProcessName: 
winlog.event_data.NewProcessName - ObjectClass: winlog.event_data.ObjectClass - ObjectName: winlog.event_data.ObjectName - ObjectType: winlog.event_data.ObjectType - ObjectValueName: winlog.event_data.ObjectValueName - ParentCommandLine: winlog.event_data.ParentCommandLine - ParentProcessName: winlog.event_data.ParentProcessName - ParentImage: winlog.event_data.ParentImage - Path: winlog.event_data.Path - PipeName: winlog.event_data.PipeName - ProcessCommandLine: winlog.event_data.ProcessCommandLine - ProcessName: winlog.event_data.ProcessName - Properties: winlog.event_data.Properties - SecurityID: winlog.event_data.SecurityID - ServiceFileName: winlog.event_data.ServiceFileName - ServiceName: winlog.event_data.ServiceName - ShareName: winlog.event_data.ShareName - Signature: winlog.event_data.Signature - Source: winlog.event_data.Source - SourceImage: winlog.event_data.SourceImage - StartModule: winlog.event_data.StartModule - Status: winlog.event_data.Status - SubjectUserName: winlog.event_data.SubjectUserName - SubjectUserSid: winlog.event_data.SubjectUserSid - TargetFilename: winlog.event_data.TargetFilename - TargetImage: winlog.event_data.TargetImage - TargetObject: winlog.event_data.TargetObject - TicketEncryptionType: winlog.event_data.TicketEncryptionType - TicketOptions: winlog.event_data.TicketOptions - User: winlog.event_data.User - WorkstationName: winlog.event_data.WorkstationName + EventID: winlog.event_id + AccessMask: winlog.event_data.AccessMask + AccountName: winlog.event_data.AccountName + AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo + AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName + AuditPolicyChanges: winlog.event_data.AuditPolicyChanges + AuthenticationPackageName: winlog.event_data.AuthenticationPackageName + CallingProcessName: winlog.event_data.CallingProcessName + CallTrace: winlog.event_data.CallTrace + CommandLine: winlog.event_data.CommandLine + ComputerName: winlog.ComputerName + CurrentDirectory: 
winlog.event_data.CurrentDirectory + Description: winlog.event_data.Description + DestinationHostname: winlog.event_data.DestinationHostname + DestinationIp: winlog.event_data.DestinationIp + DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 + DestinationPort: winlog.event_data.DestinationPort + Details: winlog.event_data.Details + EngineVersion: winlog.event_data.EngineVersion + EventType: winlog.event_data.EventType + FailureCode: winlog.event_data.FailureCode + FileName: winlog.event_data.FileName + GrantedAccess: winlog.event_data.GrantedAccess + GroupName: winlog.event_data.GroupName + GroupSid: winlog.event_data.GroupSid + Hashes: winlog.event_data.Hashes + HiveName: winlog.event_data.HiveName + HostVersion: winlog.event_data.HostVersion + Image: winlog.event_data.Image + ImageLoaded: winlog.event_data.ImageLoaded + ImagePath: winlog.event_data.ImagePath + Imphash: winlog.event_data.Imphash + IpAddress: winlog.event_data.IpAddress + KeyLength: winlog.event_data.KeyLength + LogonProcessName: winlog.event_data.LogonProcessName + LogonType: winlog.event_data.LogonType + NewProcessName: winlog.event_data.NewProcessName + ObjectClass: winlog.event_data.ObjectClass + ObjectName: winlog.event_data.ObjectName + ObjectType: winlog.event_data.ObjectType + ObjectValueName: winlog.event_data.ObjectValueName + ParentCommandLine: winlog.event_data.ParentCommandLine + ParentProcessName: winlog.event_data.ParentProcessName + ParentImage: winlog.event_data.ParentImage + Path: winlog.event_data.Path + PipeName: winlog.event_data.PipeName + ProcessCommandLine: winlog.event_data.ProcessCommandLine + ProcessName: winlog.event_data.ProcessName + Properties: winlog.event_data.Properties + SecurityID: winlog.event_data.SecurityID + ServiceFileName: winlog.event_data.ServiceFileName + ServiceName: winlog.event_data.ServiceName + ShareName: winlog.event_data.ShareName + Signature: winlog.event_data.Signature + Source: winlog.event_data.Source + SourceImage: 
winlog.event_data.SourceImage
+ StartModule: winlog.event_data.StartModule
+ Status: winlog.event_data.Status
+ SubjectUserName: winlog.event_data.SubjectUserName
+ SubjectUserSid: winlog.event_data.SubjectUserSid
+ TargetFilename: winlog.event_data.TargetFilename
+ TargetImage: winlog.event_data.TargetImage
+ TargetObject: winlog.event_data.TargetObject
+ TicketEncryptionType: winlog.event_data.TicketEncryptionType
+ TicketOptions: winlog.event_data.TicketOptions
+ User: winlog.event_data.User
+ WorkstationName: winlog.event_data.WorkstationName
diff --git a/tools/setup.py b/tools/setup.py
index ef57f9bec..b9d37db1f 100644
--- a/tools/setup.py
+++ b/tools/setup.py
@@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f:

setup(
name='sigmatools',
- version='0.14',
+ version='0.15.0',
description='Tools for the Generic Signature Format for SIEM Systems',
long_description=long_description,
long_description_content_type="text/markdown",
@@ -66,6 +66,7 @@ setup(
'config/winlogbeat-modules-enabled.yml',
'config/winlogbeat.yml',
'config/winlogbeat-old.yml',
+ 'config/ecs-proxy.yml',
'config/limacharlie.yml',
]),
('etc/sigma/generic', [
diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index d5682d492..ce0412b38 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -177,6 +177,22 @@ _allFieldMappings = {
keywordField = None,
postOpMapper = None
),
+ "/proxy/": SigmaLCConfig(
+ topLevelParams = {
+ "event": "HTTP_REQUEST",
+ },
+ preConditions = None,
+ fieldMappings = {
+ "c-uri|contains": "event/URL",
+ "c-uri": "event/URL",
+ "URL": "event/URL",
+ "cs-uri-query": "event/URL",
+ "cs-uri-stem": "event/URL",
+ },
+ isAllStringValues = False,
+ keywordField = None,
+ postOpMapper = None
+ ),
}

class LimaCharlieBackend(BaseBackend):
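Review bot: In the new `/proxy/` entry, `cs-uri-stem` and `cs-uri-query` are both mapped to `event/URL`, the same target as `c-uri`, so a rule that matches one of them exactly is compared against whatever `event/URL` holds — presumably the full URL — and will silently never fire rather than error. The mapping should either document that this collapse is lossy or be restricted to the fields LimaCharlie actually distinguishes; at minimum a comment such as `# LC HTTP_REQUEST has no separate stem/query field: both collapse to the full URL, so exact matches on them need contains semantics` above the `fieldMappings` block would warn rule authors. Only the `c-uri|contains` key carries a modifier while every other key is a bare field name, and since it points at the same target as `c-uri` it is unclear from the hunk whether the modifier form is meant to override the bare mapping or is redundant, so a one-line comment on why it exists would help. Fields other than the URL ones have no entry here, and how the backend treats an unmapped proxy field is not visible in this hunk. The `_allFieldMappings` dict this entry is added to starts before the hunk.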