security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c5bdd18d8d4ea69c6f4e7c50b027b858c5de621d
blue-team-tools/tools
T
History
Maxime Thiebaut c5bdd18d8d Add Winlogbeat's RuleName field to mapping 
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
	<Event
		xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
		<System>
			<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
			<EventID>13</EventID>
			<Version>2</Version>
			<Level>4</Level>
			<Task>13</Task>
			<Opcode>0</Opcode>
			<Keywords>0x8000000000000000</Keywords>
			<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
			<EventRecordID>160631</EventRecordID>
			<Correlation/>
			<Execution ProcessID='2156' ThreadID='3628'/>
			<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
			<Computer>win10.sec699-40.lab</Computer>
			<Security UserID='S-1-5-18'/>
		</System>
		<EventData>
			<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
			<Data Name='EventType'>SetValue</Data>
			<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
			<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
			<Data Name='ProcessId'>5064</Data>
			<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
			<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
			<Data Name='Details'>Binary Data</Data>
		</EventData>
	</Event>
</Events>
```

When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.

The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
2020-03-19 19:40:18 +01:00
..
config
Add Winlogbeat's RuleName field to mapping
2020-03-19 19:40:18 +01:00
sigma
Splunk XML backend rule title
2020-03-01 22:23:35 +01:00
tests
add .keyword on aggs; add extra unit test
2019-11-14 14:34:50 +01:00
merge_sigma
Fixes for parser split
2018-07-27 00:02:07 +02:00
README.md
Sigma tools release 0.11
2019-05-30 22:56:38 +02:00
requirements-devel.txt
added unit test
2019-11-12 14:06:10 +01:00
requirements-misp.txt
Added requirements
2018-10-22 22:43:59 +02:00
requirements.txt
Intermediate refactoring commit: moving code into package
2017-12-08 21:45:05 +01:00
setup.cfg
Intermediate refactoring commit: moving code into package
2017-12-08 21:45:05 +01:00
setup.py
Release 0.16.0
2020-02-25 22:19:52 +01:00
sigma2attack
Add sigma2attack
2019-12-19 00:00:13 +01:00
sigma2genericsigma
Added sigma-uuid tool
2019-11-11 23:35:16 +01:00
sigma2misp
Update sigma2misp
2020-02-20 18:55:10 +09:00
sigma-similarity
sigma-similarity: primary rule set for restriction of comparison
2019-11-08 21:15:13 +01:00
sigma-uuid
Added hint on failed UUID check
2019-11-12 23:37:28 +01:00
sigmac
Sorting of backend and configuration lists
2020-02-24 22:59:59 +01:00

README.md

This package contains libraries for processing of Sigma rules and the following command line tools:

  • sigmac: converter between Sigma rules and SIEM queries:
    • Elasticsearch query strings
    • Kibana JSON with searches
    • Splunk SPL queries
    • Elasticsearch X-Pack Watcher
    • Logpoint queries
  • merge_sigma: Merge Sigma collections into simple Sigma rules.
  • sigma2misp: Import Sigma rules to MISP events.
Reference in New Issue View Git Blame Copy Permalink