Merge pull request #2048 from frack113/fix_config

Fix config banckends name

tools/config/carbon-black-eedr.yml

@@ -2,7 +2,6 @@ title: CarbonBlack Enterprise EDR
 order: 20
 backends:
   - carbonblack
-  - cb
 fieldmappings:
   AccountName:
     - process_username

tools/config/carbon-black.yml

@@ -2,7 +2,6 @@ title: CarbonBlack field mapping
 order: 20
 backends:
   - carbonblack
-  - cb
 fieldmappings:
   AccountName: username
   CommandLine: cmdline

tools/config/ecs-auditd.yml

@@ -11,7 +11,6 @@ backends:
   - xpack-watcher
   - elastalert
   - elastalert-dsl
-  - elasticsearch-rule
   - ee-outliers
 
 logsources:

tools/config/ecs-dns.yml

@@ -3,7 +3,7 @@ order: 20
 backends:
   - es-qs
   - es-dsl
-  - elasticsearch-rule
+  - es-rule
   - kibana
   - kibana-ndjson
   - xpack-watcher

tools/config/ecs-filebeat.yml

@@ -11,7 +11,6 @@ backends:
   - xpack-watcher
   - elastalert
   - elastalert-dsl
-  - elasticsearch-rule
   - ee-outliers
 
 defaultindex: filebeat-*

tools/config/ecs-zeek-corelight.yml

@@ -5,7 +5,7 @@ backends:
   - es-qs
   - corelight_es-qs
   - es-dsl
-  - elasticsearch-rule
+  - es-rule
   - corelight_elasticsearch-rule
   - kibana
   - kibana-ndjson

tools/config/ecs-zeek-elastic-beats-implementation.yml

@@ -4,7 +4,6 @@ backends:
   - es-qs
   - es-dsl
   - es-rule
-  - elasticsearch-rule
   - kibana
   - kibana-ndjson
   - xpack-watcher

tools/config/logstash-zeek-default-json.yml

@@ -3,7 +3,7 @@ order: 20
 backends:
   - es-qs
   - es-dsl
-  - elasticsearch-rule
+  - es-rule
   - kibana
   - kibana-ndjson
   - xpack-watcher

tools/config/winlogbeat-modules-enabled.yml

@@ -11,7 +11,6 @@ backends:
   - xpack-watcher
   - elastalert
   - elastalert-dsl
-  - elasticsearch-rule
   - ee-outliers
 logsources:
   windows:

tools/sigma/sigma_configurations_check.py

@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# A simple Sigma Configurations checker
+# Copyright frack113
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sigma.backends.discovery as backends
+import ruamel.yaml
+from pathlib import Path
+from argparse import ArgumentParser
+import sys
+import csv
+    
+def main():
+    argparser = ArgumentParser(description="A simple Sigma Configurations checker")
+    argparser.add_argument("--verify", "-V", action="store_true", help="Verify if configuration file have valid backend name")
+    argparser.add_argument("--sumary", "-s", action="store_true", help="Give some information.")
+    argparser.add_argument("--error", "-e", action="store_true", help="Exit with error code 10 on verification failures.")
+    argparser.add_argument("--output", "-o", default=None, help="Output csv file")
+    args = argparser.parse_args()
+    
+    passed = True
+    
+    list_backend =[]
+    for backend in sorted(backends.getBackendList(), key=lambda backend: backend.identifier):
+        list_backend.append(backend.identifier)
+
+    if args.sumary: 
+        print(f"Backend found :\n{list_backend}\n")
+
+    if args.verify:
+        csv_lst = []
+        valid = 0
+        empty = 0
+        faulty = 0
+        yml_files =Path('config/').glob("*.yml")
+        for yml in yml_files:
+            print(f"Check configurations file : {yml.name}")
+            with yml.open("r",encoding="UTF-8") as f:
+                data = ruamel.yaml.load(f,Loader=ruamel.yaml.RoundTripLoader)
+                if 'backends' in data:
+                    for backend in data['backends']:
+                        if backend in list_backend:
+                            csv_lst.append([yml.name,backend,'OK'])
+                            valid += 1
+                        else:
+                            csv_lst.append([yml.name,backend,'NOK'])
+                            faulty += 1
+                            passed = False
+                else:
+                    csv_lst.append([yml.name,"no backends section",'-'])
+                    empty += 1
+                    #passed = False 
+                    #Should not be but not sure
+            
+        if args.sumary: 
+            print('-------')
+            print('Summary')
+            print(f'Valid backend name: {valid}\nInvalid backend name: {faulty}\nFile with no Backend: {empty}')
+            print('-------')
+
+        if args.output:
+            with open(args.output, 'w', newline='') as csvfile:
+                spamwriter = csv.writer(csvfile, delimiter=';',quotechar='|', quoting=csv.QUOTE_MINIMAL)
+                spamwriter.writerow(['Configurations Name','Backend Name','Result'])
+                for row in csv_lst:
+                    spamwriter.writerow(row)
+                
+        if not passed:
+            print("**************************************")
+            print("Some Configurations file are not valid")
+            print("**************************************")
+            if args.error:
+                exit(10)
+                
+
+if __name__ == "__main__":
+    main()

tools/sigma_configurations_check

@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+
+from sigma.sigma_configurations_check import main
+
+main()