maravedi
fa6f75f07e
The commit from vihreb on October 6, 2020 (https://github.com/Neo23x0/sigma/commit/51df5ad8764cd6896a3ef83ad388aebc136d5815) removed some items from the allowed fields list for the sumologic backend (https://github.com/Neo23x0/sigma/blob/51df5ad8764cd6896a3ef83ad388aebc136d5815/tools/sigma/backends/sumologic.py#L161) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable." I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic. Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
118 lines
2.3 KiB
YAML
118 lines
2.3 KiB
YAML
title: SumoLogic
|
|
order: 20
|
|
backends:
|
|
- sumologic
|
|
afl_fields:
|
|
- _index
|
|
- EventID
|
|
- CommandLine
|
|
- NewProcessName
|
|
- Image
|
|
- ParentImage
|
|
- ParentCommandLine
|
|
- ParentProcessName
|
|
# Sumulogic mapping depends on customer configuration. Adapt to your context!
|
|
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
|
|
# supposing existing FER for service, EventChannel, EventID
|
|
logsources:
|
|
unix:
|
|
product: unix
|
|
index: UNIX
|
|
linux:
|
|
product: linux
|
|
index: LINUX
|
|
linux-sshd:
|
|
product: linux
|
|
service: sshd
|
|
index: LINUX
|
|
linux-auth:
|
|
product: linux
|
|
service: auth
|
|
index: LINUX
|
|
linux-clamav:
|
|
product: linux
|
|
service: clamav
|
|
index: LINUX
|
|
windows:
|
|
product: windows
|
|
index: WINDOWS
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
conditions:
|
|
EventChannel: Microsoft-Windows-Sysmon
|
|
index: WINDOWS
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
conditions:
|
|
EventChannel: Security
|
|
index: WINDOWS
|
|
windows-powershell:
|
|
product: windows
|
|
service: powershell
|
|
conditions:
|
|
EventChannel: Microsoft-Windows-Powershell
|
|
index: WINDOWS
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
conditions:
|
|
EventChannel: System
|
|
index: WINDOWS
|
|
windows-dhcp:
|
|
product: windows
|
|
service: dhcp
|
|
conditions:
|
|
EventChannel: Microsoft-Windows-DHCP-Server
|
|
index: WINDOWS
|
|
windows-ntlm:
|
|
product: windows
|
|
service: ntlm
|
|
conditions:
|
|
EventChannel: 'Microsoft-Windows-NTLM/Operational'
|
|
apache:
|
|
product: apache
|
|
service: apache
|
|
index: WEBSERVER
|
|
apache2:
|
|
product: apache
|
|
index: WEBSERVER
|
|
webserver:
|
|
category: webserver
|
|
index: WEBSERVER
|
|
firewall:
|
|
category: firewall
|
|
index: FIREWALL
|
|
firewall2:
|
|
product: firewall
|
|
index: FIREWALL
|
|
network-dns:
|
|
category: dns
|
|
index: DNS
|
|
network-dns2:
|
|
product: dns
|
|
index: DNS
|
|
proxy:
|
|
category: proxy
|
|
index: PROXY
|
|
antivirus:
|
|
product: antivirus
|
|
index: ANTIVIRUS
|
|
application-sql:
|
|
product: sql
|
|
index: DATABASE
|
|
application-python:
|
|
product: python
|
|
index: APPLICATIONS
|
|
application-django:
|
|
product: django
|
|
index: DJANGO
|
|
application-rails:
|
|
product: rails
|
|
index: RAILS
|
|
application-spring:
|
|
product: spring
|
|
index: SPRING
|
|
# if no index, search in all indexes
|