Merge pull request #390 from juju4/devel-sumo2

sumologic backend: fix index and full mapping coverage

tools/config/sumologic.yml

@@ -6,6 +6,9 @@ backends:
 # typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
 # supposing existing FER for service, EventChannel, EventID
 logsources:
+  unix:
+    product: unix
+    index: UNIX
   linux:
     product: linux
     index: LINUX
@@ -58,7 +61,47 @@ logsources:
     product: apache
     service: apache
     index: WEBSERVER
+  apache2:
+    product: apache
+    index: WEBSERVER
+  webserver:
+    category: webserver
+    index: WEBSERVER
   firewall:
+    category: firewall
+    index: FIREWALL
+  firewall2:
     product: firewall
     index: FIREWALL
+  network-dns:
+    category: dns
+    index: DNS
+  network-dns2:
+    product: dns
+    index: DNS
+  proxy:
+    category: proxy
+    index: PROXY
+  antivirus:
+    product: antivirus
+    index: ANTIVIRUS
+  application-sql:
+    product: sql
+    index: DATABASE
+  application-python:
+    product: python
+    index: APPLICATIONS
+  application-django:
+    product: django
+    index: DJANGO
+  application-rails:
+    product: rails
+    index: RAILS
+  application-rails:
+    category: application
+    product: ruby_on_rails
+    index: RAILS
+  application-spring:
+    product: spring
+    index: SPRING
 # if no index, search in all indexes

tools/sigma/backends/sumologic.py

@@ -78,23 +78,6 @@ class SumoLogicBackend(SingleTextQueryBackend):
         # not required but makes query faster, especially if no FER or _index/_sourceCategory
         if self.logname:
             return "%s " % self.logname
-        # FIXME! don't get backend config mapping through generate() => mapping inside script
-        if not self.indices and self.product == 'windows' and self.service:
-            return "_index=WINDOWS %s " % (self.service)
-        if not self.indices and self.product == 'windows':
-            return "_index=WINDOWS "
-        if not self.indices and self.product == 'linux' and self.service == 'auditd':
-            return "_index=AUDITD "
-        if not self.indices and self.product == 'linux' and self.service == 'osqueryd':
-            return "_index=OSQUERY "
-        if not self.indices and self.product == 'linux':
-            return "_index=LINUX "
-        if self.product == 'antivirus':
-            return "_index=ANTIVIRUS "
-        if self.category == 'firewall':
-            return "_index=FIREWALL "
-        if self.indices:
-            return "_index=%s " % self.indices
         return ""
 
     def generate(self, sigmaparser):
@@ -147,7 +130,7 @@ class SumoLogicBackend(SingleTextQueryBackend):
         super().__init__(*args, **kwargs)
         # TODO/FIXME! depending on deployment configuration, existing FER must be populate here (or backend config?)
         # aFL = ["EventID"]
-        aFL = ["EventID", "sourcename", "CommandLine", "NewProcessName", "Image", "ParentImage", "ParentCommandLine", "ParentProcessName"]
+        aFL = ["_index", "_sourceCategory", "_view", "EventID", "sourcename", "CommandLine", "NewProcessName", "Image", "ParentImage", "ParentCommandLine", "ParentProcessName"]
         for item in self.sigmaconfig.fieldmappings.values():
             if item.target_type is list:
                 aFL.extend(item.target)
@@ -248,7 +231,7 @@ class SumoLogicBackend(SingleTextQueryBackend):
                 val = re.sub(r'\\"\*$', '\\\\\\"*', val)
         # if not key and not (val.startswith('"') and val.endswith('"')) and not (val.startswith('(') and val.endswith(')')) and not ('|' in val) and val:
         # apt_babyshark.yml
-        if not (val.startswith('"') and val.endswith('"')) and not (val.startswith('(') and val.endswith(')')) and not ('|' in val) and not ('*' in val) and val:
+        if not (val.startswith('"') and val.endswith('"')) and not (val.startswith('(') and val.endswith(')')) and not ('|' in val) and not ('*' in val) and val and not '_index' in key and not '_sourceCategory' in key and not '_view' in key:
             val = '"%s"' % val
         return val