blue-team-tools/tools/config/fortisiem/FortiSIEM_EventAttributeMapping.csv at e91fc4486e57fc40e30d12253694de4c80a9e4ea

Files

T

Mei Liu b85482a9bc Example:

-O:
attackMapFile: It's used to set subFunction in XML rule. It's a map of subFunction and tags.attack in YML file.
ruleIndex: It's used to set rule id in XML rule. The format of rule id is PH_Rule_{ruleType}_SIGMA_{ruleIndex}
ruleType: It's used to set rule id in XML rule.

1. Generate rule for one YML file
    a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml
    b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml
   Output:
      <Rules>
      <Rule group="PH_SYS_RULE_THREAT_HUNTING" natural_id="PH_Rule_Windows_SIGMA_0"  phIncidentCategory="Server" function="Security" subFunction="Discovery" technique="T1046">
         <Name>Python Initiated Connection </Name>
         <IncidentTitle>Python Initiated Connection</IncidentTitle>
         <active>true</active>
         <Description> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation </Description>
         <SigmaFileName> rules/windows/network_connection/win_net_python.yml </SigmaFileName>
         <CustomerScope groupByEachCustomer="true">
            <Include all="true"/>
           <Exclude/>
         </CustomerScope>
         <IncidentDef eventType="PH_RULE_Python_Initiated_Connection" severity="7">
           <ArgList> compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName </ArgList>
         </IncidentDef>
         <PatternClause window="300">
           <SubPattern displayName="Filter" name="Filter">
               <SingleEvtConstr> eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) </SingleEvtConstr>
               <GroupByAttr> eventType,hostName,isInitialed,procName </GroupByAttr>
               <GroupEvtConstr> COUNT(*) &gt;= 1 </GroupEvtConstr>
           </SubPattern>
         </PatternClause>
         <TriggerEventDisplay>
           <AttrList> phRecvTime,hostName,isInitialed,procName,rawEventMsg </AttrList>
         </TriggerEventDisplay>
       </Rule>
       </Rules>

2. Generate rules for YML files under rules/windows
   a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml
   b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml
   Generate rules for YML files under rules/windows

3. Find files that is modified after some date.
  a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
  b. tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/
  Output:
     rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated
     rules/windows/wmi_event/TestFile.yml, No date

2022-03-09 11:26:07 -08:00

4.1 KiB

Raw Blame History

1	##YmlAttributeName,FortiSIEMAttributeName,FortiSIEMAttributeType
2	##need define new inter attribute for it
3	DestinationIsIpv6,isIpv6
4	Initiated,isInitialed
5	AllowedToDelegateTo,isAllowedToDelegateTo
6	##not find in WinOSWmiParser.xml
7	TargetDetails,details
8	Account_Name,user
9	Computer_Name,computer
10	Originating_Computer,srcName
11	FileHash,hashCode
12	FilePath,filePath
13	Fqbn,hostName
14	RuleId,ruleId,int
15	RuleName,ruleName
16	CallTrace,procPath
17	IntegrityLevel,integrityLevel
18	ParentIntegrityLevel,procTrustLevel,int
19	Company,company
20	ParentProcessGuid,procOwner
21	LogonGuid,uuid
22	ParentUser,userGrp
23	Hashes,hashCode
24	Imphash,hashIMP
25	OriginalFilename,srcFileName
26	OriginalFileName,srcFileName
27	ParentProcess,parentProcName
28	Product,product
29	sha1,hashSHA1
30	DestPort,destIpPort,int
31	Destination,destIpAddr,ip
32	destination.port,destIpPort,int
33	HostApplication,appName
34	TargetName,targetName
35	TargetProcessAddress,destMACAddr
36	Service,serviceName
37	Source,eventSource
38	ImagePath,procPath
39	Path,procPath
40	Payload,dataPayload
41	Properties,propName
42	QueryName,queryId
43	QueryResults,actionResult
44	QueryStatus,status
45	LogonProcessName,procName
46	ServicePrincipalNames,principal
47	HostVersion,version
48	FailureCode,errorNoInt,int
49	EngineVersion,version
50	DeviceClassName,deviceType
51	DeviceDescription,description
52	Status,status
53	AccessList,srcIpAddrList
54	AccessMask,fileAccess
55	AttributeLDAPDisplayName,propName
56	ContextInfo,lineContent
57	AttributeValue,propValue
58	GroupSid,groupID
59	AuditPolicyChanges,actionName
60	CallingProcessName,procName
61	GrantedAccess,accessKeyId
62	KeyLength,msgLen
63	keywords,msg
64	Keywords,msg
65	LayerRTID,permissionLevelID
66	Level,permissionLevelType
67	LDAPDisplayName,propName
68	Value,propValue
69	ObjectClass,osObjType
70	ObjectServer,serverName
71	ObjectValueName,osObjValue
72	PipeName,vpnTunnelName
73	PrivilegeList,privName
74	RelativeTargetName,targetName
75	SAMAccountName,accountName
76	ScriptBlockText,script
77	ShareName,fileName
78	SidHistory,essId
79	Signed,authResult
80	StartFunction,funName
81	StartModule,module
82	TicketEncryptionType,encryptAlgo
83	TicketOptions,paraName
84	IpAddress,srcIpAddr,ip
85	HiveName,procName
86	##find in WinOSWmiParser.xml
87	ComputerName,computer
88	CurrentDirectory,dirName
89	Description,description
90	FileVersion,fileVersion
91	GroupName,targetUserGrp
92	LogonId,winLogonId
93	NewName,newObjValue
94	ProcessName,procName
95	QNAME,destName
96	TargetFilename,fileName
97	User,user
98	Image,procName
99	ParentImage,parentProcName
100	CommandLine,command
101	TaskName,task
102	ServiceName,winSrvcName
103	TargetObject,regKeyPath
104	EventType,osObjAction
105	EventID,eventType
106	EventCode,eventType
107	Details,details
108	ParentCommandLine,parentCommand
109	Message,msg
110	HostName,hostName
111	FileName,fileName
112	TargetImage,targetProcName
113	Accesses,osObjAccessType
114	AccountName,user
115	DestinationIp,destIpAddr,ip
116	DestinationPort,destIpPort,int
117	DestinationHostname,destName
118	DestinationAddress,destIpAddr,ip
119	ObjectType,osObjType
120	ObjectName,osObjName
121	SourceImage,procName
122	SourceAddress,srcIpAddr,ip
123	SourcePort,srcIpPort,int
124	SourceNetworkAddress,srcIpAddr,ip
125	SourceWorkstation,srcName
126	TargetUserName,targetUser
127	UserName,user
128	SubjectDomainName,targetDomain
129	SubjectLogonId,winLogonId
130	SubjectUserName,user
131	SubjectUserSid,userId
132	Workstation,computer
133	WorkstationName,computer
134	ServiceFileName,serviceFileName
135	Signature,signatureName
136	ImageLoaded,loadedProcName
137	LogonType,winLogonType,int
138	AuthenticationPackage,procName
139	AuthenticationPackageName,procName
140	Device,deviceIdentification
141	PolicyName,policyName
142	TargetProcessId,targetProcId
143	TargetUser,targetUser
144	NewValue,newObjValue
145	SubjectAccountName,user
146	ClientAddress,srcIpAddr,ip
147	ProcessID,procId
148	TargetFileName,fileName
149	AccountDomain,domain
150	Computer,computer
151	DomainName,targetDomain
152	#network
153	dst_ip,destIpAddr,ip
154	src_ip,srcIpAddr,ip
155	dst_port,destIpPort,int
156	src_port,srcIpPort,int
157	dns_query,uriQuery
158	uri_query,uriQuery
159	parent_domain,domain
160	record_type,type
161	query,queryId
162	action,activityName
163	operation,opName
164	c-useragent,httpUserAgent
165	c-uri,httpEndUri
166	endpoint,targetName
167	service,serviceName
168	path,procPath
169	name,procName
170	cipher,password
171	request_type,type
172	answer,actionResult
173	resp_mime_types,type
174	message_size,msgLen,int
175	question_length,size,int
176	cs-method,httpMethod
177	sc-status,status
178	method,httpMethod
179	referer,httpReferrer
180	useragent,httpUserAgent
181	clientip,srcIpAddr,ip
182	MachineName,hostName

4.1 KiB Raw Blame History

4.1 KiB

Raw Blame History