From d42409372c1fa5eed5b802a1a80306776158726f Mon Sep 17 00:00:00 2001
From: vh
Date: Mon, 30 Dec 2019 16:09:19 +0200
Subject: [PATCH 1/3] Azure Sentinel backend (ala) - Fixed path in query Added new backend Azure Sentinel Rule (ala-rule)
---
 tools/sigma/backends/ala-rule.py | 79 ++++++++++++++++++++++++++++++++
 tools/sigma/backends/ala.py | 4 ++
 2 files changed, 83 insertions(+)
 create mode 100644 tools/sigma/backends/ala-rule.py
diff --git a/tools/sigma/backends/ala-rule.py b/tools/sigma/backends/ala-rule.py
new file mode 100644
index 000000000..09c9ebec8
--- /dev/null
+++ b/tools/sigma/backends/ala-rule.py
@@ -0,0 +1,79 @@
+# Azure Log Analytics output backend for sigmac
+# John Tuckner (@tuckner)
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import re
+import xml.etree.ElementTree as xml
+
+from sigma.backends.ala import AzureLogAnalyticsBackend
+from .base import SingleTextQueryBackend
+from .data import sysmon_schema
+from .exceptions import NotSupportedError
+
+class AzureAPIBackend(AzureLogAnalyticsBackend):
+ """Converts Sigma rule into Azure Log Analytics Queries."""
+ identifier = "ala-rule"
+ active = True
+ options = SingleTextQueryBackend.options + (
+ ("sysmon", False, "Generate Sysmon event queries for generic rules", None),
+ )
+
+
+ def __init__(self, *args, **kwargs):
+ """Initialize field mappings"""
+ super().__init__(*args, **kwargs)
+
+
+ def create_rule(self, config):
+ tags = config.get("tags")
+ tactics = list()
+ technics = list()
+ for tag in tags:
+ tag = tag.replace("attack.", "")
+ if re.match("[tT][0-9]{4}", tag):
+ technics.append(tag.title())
+ else:
+ if "_" in tag:
+ tag_list = tag.split("_")
+ tag_list = [item.title() for item in tag_list]
+ tactics.append("".join(tag_list))
+
+ rule = {
+ "analytics":
+ [
+ {
+ "displayName": "{} by {}".format(config.get("title"), config.get('author')),
+ "description": "{} {}".format(config.get("description"), "Technics: {}.".format(",".join(technics))),
+ "severity": config.get("level"),
+ "enabled": True,
+ "query": config.get("translation"),
+ "queryFrequency": "12H",
+ "queryPeriod": "12H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "suppressionDuration": "12H",
+ "suppressionEnabled": False,
+ "tactics": tactics
+ }
+ ]
+ }
+ return rule
+
+ def generate(self, sigmaparser):
+ translation = super().generate(sigmaparser)
+ configs = sigmaparser.parsedyaml
+ configs.update({"translation": translation})
+ rule = self.create_rule(configs)
+ return rule
diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py
index 422ba5a34..1f051000b 100644
--- a/tools/sigma/backends/ala.py
+++ b/tools/sigma/backends/ala.py
@@ -87,6 +87,10 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend):
 op = "endswith"
 val = self.cleanValue(val[1:])
 
+ if "\\" in val:
+ #val = val.replace("\\", "\\\\")
+ return "%s @\"%s\"" % (op, val)
+
 return "%s \"%s\"" % (op, val)
 
 def generate(self, sigmaparser):
From f015c97dffebb23a69016f7d484c8c6e04f10a8d Mon Sep 17 00:00:00 2001
From: SOC Prime <37212749+socprime@users.noreply.github.com>
Date: Mon, 30 Dec 2019 16:13:27 +0200
Subject: [PATCH 2/3] Update ala-rule.py
---
 tools/sigma/backends/ala-rule.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/sigma/backends/ala-rule.py b/tools/sigma/backends/ala-rule.py
index 09c9ebec8..e368cc689 100644
--- a/tools/sigma/backends/ala-rule.py
+++ b/tools/sigma/backends/ala-rule.py
@@ -23,7 +23,7 @@ from .data import sysmon_schema
 from .exceptions import NotSupportedError
 
 class AzureAPIBackend(AzureLogAnalyticsBackend):
- """Converts Sigma rule into Azure Log Analytics Queries."""
+ """Converts Sigma rule into Azure Log Analytics Rule."""
 identifier = "ala-rule"
 active = True
 options = SingleTextQueryBackend.options + (
From 92bc96a308d0caae004a08046a43276250bf1f27 Mon Sep 17 00:00:00 2001
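Review bot: `create_rule` runs `for tag in tags:` directly after `tags = config.get("tags")`, so a rule file without a `tags` key raises a TypeError on `None` instead of producing a rule with empty tactics; `tags = config.get("tags") or []` closes that gap. `generate` also calls `configs.update({"translation": translation})` on `sigmaparser.parsedyaml` itself, so the parser's parsed rule is silently mutated with a `translation` key as a side effect of conversion; `configs = dict(sigmaparser.parsedyaml)` keeps that bookkeeping out of the parser's state. The `xml`, `sysmon_schema` and `NotSupportedError` imports are unused in this file and should be dropped. `"severity": config.get("level")` passes the Sigma level through unmapped; if the consumer of this dict expects Sentinel's own severity values, the Sigma `critical` level would presumably need an explicit mapping, which is worth confirming and documenting with a comment on that line.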
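Review bot: The added verbatim branch only addresses backslashes; a `val` containing a double quote still terminates the KQL string literal in both `return` lines unless `cleanValue` (defined outside this hunk) already escapes it, which this hunk does not show. In a KQL verbatim literal an embedded quote is written as a doubled `""`, so the new branch could emit `return "%s @\"%s\"" % (op, val.replace('"', '""'))`. The commented-out `#val = val.replace("\\", "\\\\")` line is dead code and should be removed; a why-comment such as `# verbatim literal: backslashes in the value are not escape characters` explains the `@` prefix better. The enclosing method starts before this hunk.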
From: SOC Prime <37212749+socprime@users.noreply.github.com>
Date: Mon, 30 Dec 2019 16:26:30 +0200
Subject: [PATCH 3/3] Update ala-rule.py
---
 tools/sigma/backends/ala-rule.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/tools/sigma/backends/ala-rule.py b/tools/sigma/backends/ala-rule.py
index e368cc689..ebf535b0a 100644
--- a/tools/sigma/backends/ala-rule.py
+++ b/tools/sigma/backends/ala-rule.py
@@ -1,5 +1,4 @@
-# Azure Log Analytics output backend for sigmac
-# John Tuckner (@tuckner)
+# Azure Log Analytics Rule output backend for sigmac
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
@@ -49,13 +48,15 @@ class AzureAPIBackend(AzureLogAnalyticsBackend):
 tag_list = tag.split("_")
 tag_list = [item.title() for item in tag_list]
 tactics.append("".join(tag_list))
+ else:
+ tactics.append(tag.title())
 
 rule = {
 "analytics":
 [
 {
 "displayName": "{} by {}".format(config.get("title"), config.get('author')),
- "description": "{} {}".format(config.get("description"), "Technics: {}.".format(",".join(technics))),
+ "description": "{} {}".format(config.get("description"), "Technique: {}.".format(",".join(technics))),
 "severity": config.get("level"),
 "enabled": True,
 "query": config.get("translation"),
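Review bot: The new `else:` branch sends every tag that is neither a `Txxxx` technique nor underscore-separated into `tactics`, but the loop's earlier `tag.replace("attack.", "")` (above this hunk) never checks that the tag was in the `attack.` namespace, so tags from any other namespace now surface as bogus tactic names in the generated rule. Filtering at the top of the loop body, `if not tag.startswith("attack."): continue`, keeps the tactics list to ATT&CK tags only. The renamed `"Technique: {}."` text still renders as `Technique: .` when `technics` is empty, which is worth guarding. The `create_rule` loop starts before this hunk and the `rule` dict continues after it.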