security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ading a bit more of early support for netflow and some linux exe.

Browse Source
This commit is contained in:
Maxime Lamothe-Brassard
2019-10-27 15:48:28 -05:00
parent a57a7b58cf
commit d019cef439
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/limacharlie.py
+9 -1
View File
@@ -79,6 +79,14 @@ _allFieldMappings = {
"op": "is linux",
}, {
"keywords": "event/COMMAND_LINE",
"exe": "event/FILE_PATH",
"type": None,
}, False, True),
"netflow//": ({
"event": "NETWORK_CONNECTIONS",
}, None, {
"destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT",
"source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT",
}, False, True)
}
@@ -111,7 +119,7 @@ class LimaCharlieBackend(BaseBackend):
service = ""
mappingKey = "%s/%s/%s" % (product, category, service)
topFilter, preCond, mappings, isAllStringValues, isKeywordsSupported = _allFieldMappings.get(mappingKey, tuple([None, None, None, None]))
topFilter, preCond, mappings, isAllStringValues, isKeywordsSupported = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None]))
if mappings is None:
raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service))