# Sigma backend configuration for Humio. It maps Sigma logsources to Humio
# '@stream' conditions and Sigma field names to the ingested field names
# (Winlogbeat-style 'winlog.*' for Windows, native Zeek field names for Zeek).
title: Humio log source conditions
# Config files are applied in ascending 'order'; higher values are applied later.
order: 20
backends:
- humio
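logsources:
  # Base logsource: every rule with product zeek matches it. The per-service
  # entries below add the '@stream' condition that selects a single Zeek log.
  zeek:
    product: zeek
  # Generic Sigma categories are rewritten to the Zeek log that carries the
  # equivalent data, so category-based rules match without per-rule edits.
  zeek-category-accounting:
    category: accounting
    rewrite:
      product: zeek
      service: syslog
  zeek-category-firewall:
    category: firewall
    rewrite:
      product: zeek
      service: conn
  zeek-category-dns:
    category: dns
    rewrite:
      product: zeek
      service: dns
  zeek-category-proxy:
    category: proxy
    rewrite:
      product: zeek
      service: http
  zeek-category-webserver:
    category: webserver
    rewrite:
      product: zeek
      service: http
  # One entry per Zeek log. The Sigma service name is the Zeek log name and
  # the '@stream' value must be the same name as ingested into Humio; a
  # mismatch between the two silently breaks every rule for that service.
  zeek-conn:
    product: zeek
    service: conn
    conditions:
      '@stream': conn
  zeek-conn_long:
    product: zeek
    service: conn_long
    conditions:
      '@stream': conn_long
  zeek-dce_rpc:
    product: zeek
    service: dce_rpc
    conditions:
      '@stream': dce_rpc
  zeek-dns:
    product: zeek
    service: dns
    conditions:
      '@stream': dns
  zeek-dnp3:
    product: zeek
    service: dnp3
    conditions:
      '@stream': dnp3
  zeek-dpd:
    product: zeek
    service: dpd
    conditions:
      '@stream': dpd
  zeek-files:
    product: zeek
    service: files
    conditions:
      '@stream': files
  zeek-ftp:
    product: zeek
    service: ftp
    conditions:
      '@stream': ftp
  zeek-gquic:
    product: zeek
    service: gquic
    conditions:
      '@stream': gquic
  zeek-http:
    product: zeek
    service: http
    conditions:
      '@stream': http
  zeek-http2:
    product: zeek
    service: http2
    conditions:
      '@stream': http2
  zeek-intel:
    product: zeek
    service: intel
    conditions:
      '@stream': intel
  zeek-irc:
    product: zeek
    service: irc
    conditions:
      '@stream': irc
  zeek-kerberos:
    product: zeek
    service: kerberos
    conditions:
      '@stream': kerberos
  zeek-known_certs:
    product: zeek
    service: known_certs
    conditions:
      '@stream': known_certs
  zeek-known_hosts:
    product: zeek
    service: known_hosts
    conditions:
      '@stream': known_hosts
  zeek-known_modbus:
    product: zeek
    service: known_modbus
    conditions:
      '@stream': known_modbus
  zeek-known_services:
    product: zeek
    service: known_services
    conditions:
      '@stream': known_services
  zeek-modbus:
    product: zeek
    service: modbus
    conditions:
      '@stream': modbus
  zeek-modbus_register_change:
    product: zeek
    service: modbus_register_change
    conditions:
      '@stream': modbus_register_change
  zeek-mqtt_connect:
    product: zeek
    service: mqtt_connect
    conditions:
      '@stream': mqtt_connect
  zeek-mqtt_publish:
    product: zeek
    service: mqtt_publish
    conditions:
      '@stream': mqtt_publish
  zeek-mqtt_subscribe:
    product: zeek
    service: mqtt_subscribe
    conditions:
      '@stream': mqtt_subscribe
  zeek-mysql:
    product: zeek
    service: mysql
    conditions:
      '@stream': mysql
  zeek-notice:
    product: zeek
    service: notice
    conditions:
      '@stream': notice
  zeek-ntlm:
    product: zeek
    service: ntlm
    conditions:
      '@stream': ntlm
  zeek-ntp:
    product: zeek
    service: ntp
    conditions:
      '@stream': ntp
  zeek-ocsp:
    product: zeek
    # Previously 'service: ntp' (copy-paste slip): rules for service ocsp never
    # matched this entry, and rules for service ntp matched both this entry and
    # zeek-ntp, so their '@stream' condition was also combined with 'ocsp'.
    service: ocsp
    conditions:
      '@stream': ocsp
  zeek-pe:
    product: zeek
    service: pe
    conditions:
      '@stream': pe
  zeek-pop3:
    product: zeek
    service: pop3
    conditions:
      '@stream': pop3
  zeek-radius:
    product: zeek
    service: radius
    conditions:
      '@stream': radius
  zeek-rdp:
    product: zeek
    service: rdp
    conditions:
      '@stream': rdp
  zeek-rfb:
    product: zeek
    service: rfb
    conditions:
      '@stream': rfb
  zeek-sip:
    product: zeek
    service: sip
    conditions:
      '@stream': sip
  zeek-smb_files:
    product: zeek
    service: smb_files
    conditions:
      '@stream': smb_files
  zeek-smb_mapping:
    product: zeek
    service: smb_mapping
    conditions:
      '@stream': smb_mapping
  zeek-smtp:
    product: zeek
    service: smtp
    conditions:
      '@stream': smtp
  zeek-smtp_links:
    product: zeek
    service: smtp_links
    conditions:
      '@stream': smtp_links
  zeek-snmp:
    product: zeek
    service: snmp
    conditions:
      '@stream': snmp
  zeek-socks:
    product: zeek
    service: socks
    conditions:
      '@stream': socks
  zeek-software:
    product: zeek
    service: software
    conditions:
      '@stream': software
  zeek-ssh:
    product: zeek
    service: ssh
    conditions:
      '@stream': ssh
  zeek-ssl:
    product: zeek
    service: ssl
    conditions:
      '@stream': ssl
  # Alias: rules may say 'tls' even though the Zeek log (and stream) is 'ssl'.
  zeek-tls:
    product: zeek
    service: tls
    conditions:
      '@stream': ssl
  zeek-syslog:
    product: zeek
    service: syslog
    conditions:
      '@stream': syslog
  zeek-tunnel:
    product: zeek
    service: tunnel
    conditions:
      '@stream': tunnel
  zeek-traceroute:
    product: zeek
    service: traceroute
    conditions:
      '@stream': traceroute
  zeek-weird:
    product: zeek
    service: weird
    conditions:
      '@stream': weird
  zeek-x509:
    product: zeek
    service: x509
    conditions:
      '@stream': x509
  # Rules with service 'network' (IP-search style rules) are run against this
  # set of Zeek streams. Each name must be a stream that actually exists in
  # Humio; a name that matches nothing silently drops that log from the search.
  zeek-ip_search:
    product: zeek
    service: network
    conditions:
      '@stream':
      - conn
      - conn_long
      - dce_rpc
      - dhcp  # NOTE(review): no zeek-dhcp entry above and dhcp.log may lack id.* fields; confirm it is useful here
      - dnp3
      - dns
      - ftp
      - gquic
      - http
      - irc
      - kerberos
      - modbus
      - mqtt_connect
      - mqtt_publish
      - mqtt_subscribe
      - mysql
      - ntlm
      - ntp
      - radius
      - rfb
      - sip
      - smb_files
      - smb_mapping
      - smtp
      - smtp_links
      - snmp
      - socks
      - ssh
      - ssl  # was 'tls', which is not a Zeek stream name (see zeek-tls above); TLS traffic was never searched
      - tunnel
      - weird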
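fieldmappings:
  # Two mapping forms are used here. A flat entry ('SigmaField: target') is
  # applied to every rule regardless of logsource; a conditional entry with
  # 'product=...: target' children is applied only to rules whose logsource
  # product matches. A Sigma field with no entry is passed through as written.
  # Deep mappings Taxonomy for overall/general fields
  dst_ip:
    product=windows: winlog.event_data.DestinationIp
    product=zeek: id.resp_h
  src_ip:
    product=windows: winlog.event_data.SourceIp
    product=zeek: id.orig_h
  dst_port:
    product=windows: winlog.event_data.DestinationPort
    product=zeek: id.resp_p
  src_port:
    product=windows: winlog.event_data.SourcePort
    product=zeek: id.orig_p
  network_protocol:
    product=zeek: proto
  # Deep mappings Taxonomy for DNS Category and DNS service
  answer:
    product=zeek: answers
  #question_length: # product=zeek: # Does not exist in open source version
  record_type:
    product=zeek: qtype_name
  #parent_domain: #product=zeek: # Does not exist in open source version
  # Deep mappings Taxonomy for HTTP, Webserver category, and Proxy category
  cs-bytes:
    product=zeek: request_body_len
  cs-cookie:
    product=zeek: cookie
  r-dns:
    product=zeek: host
  sc-bytes:
    product=zeek: response_body_len
  sc-status:
    product=zeek: status_code
  # Only the full request URI is available here, so c-uri and its stem, query
  # and extension variants all map to the same 'uri' field. A rule that anchors
  # on the end of c-uri-stem or c-uri-extension (e.g. endswith '.php') can miss
  # when a query string is present; prefer 'contains' in rules aimed at Zeek.
  c-uri:
    product=zeek: uri
  c-uri-extension:
    product=zeek: uri
  c-uri-query:
    product=zeek: uri
  c-uri-stem:
    product=zeek: uri
  c-useragent:
    product=zeek: user_agent
  cs-host:
    product=zeek: host
  cs-method:
    product=zeek: method
  cs-referrer:
    product=zeek: referrer
  cs-version:
    product=zeek: version
  # Windows / WEF / Winlogbeat
  # Flat mappings: every spelling of the event ID seen in rules maps to winlog.event_id.
  EventID: winlog.event_id
  Event_ID: winlog.event_id
  eventId: winlog.event_id
  event_id: winlog.event_id
  event-id: winlog.event_id
  eventid: winlog.event_id
  AccessMask: winlog.event_data.AccessMask
  AccountName: winlog.event_data.AccountName
  AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
  AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
  AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
  AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
  CallingProcessName: winlog.event_data.CallingProcessName
  CallTrace: winlog.event_data.CallTrace
  Channel: winlog.channel
  CommandLine: winlog.event_data.CommandLine
  ComputerName: winlog.ComputerName
  CurrentDirectory: winlog.event_data.CurrentDirectory
  Description: winlog.event_data.Description
  DestinationHostname: winlog.event_data.DestinationHostname
  DestinationIp: winlog.event_data.DestinationIp
  DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
  DestinationPort: winlog.event_data.DestinationPort
  Details: winlog.event_data.Details
  EngineVersion: winlog.event_data.EngineVersion
  EventType: winlog.event_data.EventType
  FailureCode: winlog.event_data.FailureCode
  FileName: winlog.event_data.FileName
  GrantedAccess: winlog.event_data.GrantedAccess
  GroupName: winlog.event_data.GroupName
  GroupSid: winlog.event_data.GroupSid
  Hashes: winlog.event_data.Hashes
  HiveName: winlog.event_data.HiveName
  HostVersion: winlog.event_data.HostVersion
  Image: winlog.event_data.Image
  ImageLoaded: winlog.event_data.ImageLoaded
  ImagePath: winlog.event_data.ImagePath
  Imphash: winlog.event_data.Imphash
  IpAddress: winlog.event_data.IpAddress
  KeyLength: winlog.event_data.KeyLength
  LogonProcessName: winlog.event_data.LogonProcessName
  LogonType: winlog.event_data.LogonType
  NewProcessName: winlog.event_data.NewProcessName
  ObjectClass: winlog.event_data.ObjectClass
  ObjectName: winlog.event_data.ObjectName
  ObjectType: winlog.event_data.ObjectType
  ObjectValueName: winlog.event_data.ObjectValueName
  ParentCommandLine: winlog.event_data.ParentCommandLine
  ParentProcessName: winlog.event_data.ParentProcessName
  ParentImage: winlog.event_data.ParentImage
  Path: winlog.event_data.Path
  PipeName: winlog.event_data.PipeName
  ProcessCommandLine: winlog.event_data.ProcessCommandLine
  ProcessName: winlog.event_data.ProcessName
  Properties: winlog.event_data.Properties
  SecurityID: winlog.event_data.SecurityID
  ServiceFileName: winlog.event_data.ServiceFileName
  ServiceName: winlog.event_data.ServiceName
  ShareName: winlog.event_data.ShareName
  Signature: winlog.event_data.Signature
  Source: winlog.event_data.Source
  SourceImage: winlog.event_data.SourceImage
  SourceIp: winlog.event_data.SourceIp
  StartModule: winlog.event_data.StartModule
  Status: winlog.event_data.Status
  SubjectUserName: winlog.event_data.SubjectUserName
  SubjectUserSid: winlog.event_data.SubjectUserSid
  TargetFilename: winlog.event_data.TargetFilename
  Targetfilename: winlog.event_data.TargetFilename
  TargetImage: winlog.event_data.TargetImage
  TargetObject: winlog.event_data.TargetObject
  TicketEncryptionType: winlog.event_data.TicketEncryptionType
  TicketOptions: winlog.event_data.TicketOptions
  User: winlog.event_data.User
  WorkstationName: winlog.event_data.WorkstationName
  # Channel: WLAN-Autoconfig AND EventID: 8001
  AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
  BSSID: winlog.event_data.BSSID
  BSSType: winlog.event_data.BSSType
  CipherAlgorithm: winlog.event_data.CipherAlgorithm
  ConnectionId: winlog.event_data.ConnectionId
  ConnectionMode: winlog.event_data.ConnectionMode
  InterfaceDescription: winlog.event_data.InterfaceDescription
  InterfaceGuid: winlog.event_data.InterfaceGuid
  OnexEnabled: winlog.event_data.OnexEnabled
  PHYType: winlog.event_data.PHYType
  ProfileName: winlog.event_data.ProfileName
  SSID: winlog.event_data.SSID
  # Zeek Deep Mappings
  # Temporary one off rule name fields: the many spellings of host, URI, user
  # agent, status and source/destination address that individual rules use.
  agent.version:
    product=zeek: version
  c-cookie:
    product=zeek: cookie
  c-ip:
    product=zeek: id.orig_h
  cs-uri:
    product=zeek: uri
  clientip:
    product=zeek: id.orig_h
  clientIP:
    product=zeek: id.orig_h
  dest_domain:
    product=zeek: host
    #- query
    #- server_name
  dest_ip:
    product=zeek: id.resp_h
  dest_port:
    product=zeek: id.resp_p
  #TODO:WhatShouldThisBe?==dest:
  #TODO:WhatShouldThisBe?==destination:
  #TODO:WhatShouldThisBe?==Destination:
  destination.hostname:
    product=zeek: host
    #- query
    #- server_name
  DestinationAddress:
    product=zeek: id.resp_h
  dst-ip:
    product=zeek: id.resp_h
  dstip:
    product=zeek: id.resp_h
  dstport:
    product=zeek: id.resp_p
  Host:
    product=zeek: host
    #- query
    #- server_name
  http_host:
    product=zeek: host
    #- query
    #- server_name
  http_uri:
    product=zeek: uri
  http_url:
    product=zeek: uri
  http_user_agent:
    product=zeek: user_agent
  http.request.url-query-params:
    product=zeek: uri
  HttpMethod:
    product=zeek: method
  in_url:
    product=zeek: uri
  post_url_parameter:
    product=zeek: uri
  Request Url:
    product=zeek: uri
  request_url:
    product=zeek: uri
  request_URL:
    product=zeek: uri
  RequestUrl:
    product=zeek: uri
  response:
    product=zeek: status_code
  resource.url:
    product=zeek: uri
  resource.URL:
    product=zeek: uri
  sc_status:
    product=zeek: status_code
  service.response_code:
    product=zeek: status_code
  source:
    product=zeek: id.orig_h
  SourceAddr:
    product=zeek: id.orig_h
  SourceAddress:
    product=zeek: id.orig_h
  SourceIP:
    product=zeek: id.orig_h
  SourceNetworkAddress:
    product=zeek: id.orig_h
  SourcePort:
    # Windows mapping added for consistency with DestinationPort and src_port
    # above; without it a Windows rule naming SourcePort was passed through unmapped.
    product=windows: winlog.event_data.SourcePort
    product=zeek: id.orig_p
  srcip:
    product=zeek: id.orig_h
  status:
    product=zeek: status_code
  url:
    product=zeek: uri
  URL:
    product=zeek: uri
  url_query:
    product=zeek: uri
  url.query:
    product=zeek: uri
  uri_path:
    product=zeek: uri
  user_agent:
    product=zeek: user_agent
  user_agent.name:
    product=zeek: user_agent
  user-agent:
    product=zeek: user_agent
  User-Agent:
    product=zeek: user_agent
  useragent:
    product=zeek: user_agent
  UserAgent:
    product=zeek: user_agent
  User Agent:
    product=zeek: user_agent
  web_dest:
    product=zeek: host
    #- query
    #- server_name
  web.dest:
    product=zeek: host
    #- query
    #- server_name
  Web.dest:
    product=zeek: host
    #- query
    #- server_name
  web.host:
    product=zeek: host
    #- query
    #- server_name
  Web.host:
    product=zeek: host
    #- query
    #- server_name
  web_method:
    product=zeek: method
  Web_method:
    product=zeek: method
  web.method:
    product=zeek: method
  Web.method:
    product=zeek: method
  web_src:
    product=zeek: id.orig_h
  web_status:
    product=zeek: status_code
  Web_status:
    product=zeek: status_code
  web.status:
    product=zeek: status_code
  Web.status:
    product=zeek: status_code
  web_uri:
    product=zeek: uri
  web_url:
    product=zeek: uri
  # Already in dotted form
  destination.ip:
    product=zeek: id.resp_h
  destination.port:
    product=zeek: id.resp_p
  http.request.body.content:
    product=zeek: post_body
  #source.domain:
  source.ip:
    product=zeek: id.orig_h
  source.port:
    product=zeek: id.orig_p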