SigmaHQ/tools/config/thor.yml

title: THOR
order: 20
backends:
  - thor
# this configuration differs from other configurations and can not be used
# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
logsources:
  # log source configurations for generic sigma rules
  process_creation_1:
    category: process_creation
    product: windows
    conditions:
      EventID: 1
    rewrite:
      product: windows
      service: sysmon
  process_creation_2:
    category: process_creation
    product: windows
    conditions:
      EventID: 4688
    rewrite:
      product: windows
      service: security
    fieldmappings:
      Image: NewProcessName
      ParentImage: ParentProcessName
  # target system configurations
  windows-application:
    product: windows
    service: application
    sources:
      - 'WinEventLog:Application'
  windows-security:
    product: windows
    service: security
    sources:
      - 'WinEventLog:Security'
  windows-system:
    product: windows
    service: system
    sources:
      - 'WinEventLog:System'
  windows-ntlm:
    product: windows
    service: ntlm
    sources:
      - 'WinEventLog:Microsoft-Windows-NTLM/Operational'
  windows-sysmon:
    product: windows
    service: sysmon
    sources:
      - 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
  windows-powershell:
    product: windows
    service: powershell
    sources:
      - 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
  windows-taskscheduler:
    product: windows
    service: taskscheduler
    sources:
      - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
  windows-wmi:
    product: windows
    service: wmi
    sources:
      - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
  windows-dhcp:
    product: windows
    service: dhcp
    sources:
      - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      sources:
        - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
        - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
        - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
        - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
  apache:
    category: webserver
    sources:
      - 'File:/var/log/apache/*.log'
      - 'File:/var/log/apache2/*.log'
      - 'File:/var/log/httpd/*.log'
  linux-auth:
    product: linux
    service: auth
    sources:
      - 'File:/var/log/auth.log'
      - 'File:/var/log/auth.log.?'
  linux-syslog:
    product: linux
    service: syslog
    sources:
      - 'File:/var/log/syslog'
      - 'File:/var/log/syslog.?'
  logfiles:
    category: logfile
    sources:
      - 'File:*.log'
Added title to all configurations 2019-05-16 21:33:51 +00:00			`title: THOR`
Check for valid configuration/backend combinations 2019-05-19 23:00:33 +00:00			`order: 20`
			`backends:`
			`- thor`
Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 06:15:50 +00:00			`# this configuration differs from other configurations and can not be used`
			`# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`logsources:`
Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 06:15:50 +00:00			`# log source configurations for generic sigma rules`
			`process_creation_1:`
			`category: process_creation`
			`product: windows`
			`conditions:`
			`EventID: 1`
			`rewrite:`
			`product: windows`
			`service: sysmon`
			`process_creation_2:`
			`category: process_creation`
			`product: windows`
			`conditions:`
			`EventID: 4688`
			`rewrite:`
			`product: windows`
			`service: security`
			`fieldmappings:`
			`Image: NewProcessName`
			`ParentImage: ParentProcessName`
			`# target system configurations`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`windows-application:`
			`product: windows`
			`service: application`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`- 'WinEventLog:Application'`
			`windows-security:`
			`product: windows`
			`service: security`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`- 'WinEventLog:Security'`
fix: SPARK config duplicate identifier 2018-11-27 13:05:13 +00:00			`windows-system:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`product: windows`
			`service: system`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`- 'WinEventLog:System'`
fix: missing NTLM log source in THOR 2020-07-06 15:07:06 +00:00			`windows-ntlm:`
			`product: windows`
			`service: ntlm`
			`sources:`
			`- 'WinEventLog:Microsoft-Windows-NTLM/Operational'`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`- 'WinEventLog:Microsoft-Windows-Sysmon/Operational'`
			`windows-powershell:`
			`product: windows`
			`service: powershell`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`- 'WinEventLog:Microsoft-Windows-PowerShell/Operational'`
fix: SPARK config duplicate identifier 2018-11-27 13:05:13 +00:00			`windows-taskscheduler:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`product: windows`
			`service: taskscheduler`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`- 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'`
			`windows-wmi:`
			`product: windows`
			`service: wmi`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`- 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'`
Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 06:23:48 +00:00			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`sources:`
Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 06:23:48 +00:00			`- 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'`
Added AppLocker log source 2020-07-13 20:23:42 +00:00			`windows-applocker:`
			`product: windows`
			`service: applocker`
			`conditions:`
			`sources:`
fix: thor sources for applocker with wrong prefix 2021-01-07 11:27:31 +00:00			`- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'`
			`- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'`
			`- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'`
			`- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`apache:`
			`category: webserver`
			`sources:`
			`- 'File:/var/log/apache/*.log'`
			`- 'File:/var/log/apache2/*.log'`
			`- 'File:/var/log/httpd/*.log'`
			`linux-auth:`
			`product: linux`
			`service: auth`
			`sources:`
			`- 'File:/var/log/auth.log'`
Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 06:15:50 +00:00			`- 'File:/var/log/auth.log.?'`
Config file for SPARK scanner 2018-06-29 14:42:16 +00:00			`linux-syslog:`
			`product: linux`
			`service: syslog`
			`sources:`
			`- 'File:/var/log/syslog'`
Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 06:15:50 +00:00			`- 'File:/var/log/syslog.?'`
			`logfiles:`
			`category: logfile`
			`sources:`
Added AppLocker log source 2020-07-13 20:23:42 +00:00			`- 'File:*.log'`