Merge branch 'master' of https://github.com/tileo/sigma into pr-658

CHANGELOG.md

@@ -89,7 +89,7 @@ from version 0.14.0.
 ### Added
 
 * Index mappings for Sumologic
-* Malicious cmdlets in wdatp
+* Malicious cmdlets in mdatp
 * QRadar support for keyword searches
 * QRadar mapping improvements
 * QRadar field selection

Makefile

@@ -33,7 +33,7 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null

README.md

@@ -100,7 +100,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
 
 ```
 usage: sigmac [-h] [--recurse] [--filter FILTER]
-              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}]
               [--target-list] [--config CONFIG] [--output OUTPUT]
               [--backend-option BACKEND_OPTION] [--defer-abort]
               [--ignore-backend-errors] [--verbose] [--debug]
@@ -125,7 +125,7 @@ optional arguments:
                         tag that must appear in the rules tag list, case-
                         insensitive matching. Multiple log source
                         specifications are AND linked.
-  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}
                         Output target format
   --target-list, -l     List available output target formats
   --config CONFIG, -c CONFIG
@@ -191,7 +191,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
 * [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
-* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* [Microsoft Defender Advanced Threat Protection (MDATP)](https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp)
 * [Azure Sentinel / Azure Log Analytics](https://azure.microsoft.com/en-us/services/azure-sentinel/)
 * [Sumologic](https://www.sumologic.com/)
 * [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)

rules/windows/process_creation/win_apt_tropictrooper.yml

@@ -1,6 +1,6 @@
 title: TropicTrooper Campaign November 2018
 id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
-author: '@41thexplorer, Windows Defender ATP'
+author: '@41thexplorer, Microsoft Defender ATP'
 status: stable
 date: 2019/11/12
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia

rules/windows/process_creation/win_apt_unidentified_nov_18.yml

@@ -6,7 +6,7 @@ description: A sigma rule detecting an unidetefied attacker who used phishing em
     YYTRIUM/APT29 campaign in 2016.
 references:
     - https://twitter.com/DrunkBinary/status/1063075530180886529
-author: '@41thexplorer, Windows Defender ATP'
+author: '@41thexplorer, Microsoft Defender ATP'
 date: 2018/11/20
 modified: 2018/12/11
 tags:

tools/sigma/backends/mdatp.py

@@ -19,8 +19,8 @@ from .base import SingleTextQueryBackend
 from .exceptions import NotSupportedError
 
 class WindowsDefenderATPBackend(SingleTextQueryBackend):
-    """Converts Sigma rule into Windows Defender ATP Hunting Queries."""
-    identifier = "wdatp"
+    """Converts Sigma rule into Microsoft Defender ATP Hunting Queries."""
+    identifier = "mdatp"
     active = True
     config_required = False
 
@@ -52,7 +52,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
                 # (replacement, ): Replaces field occurrence with static string
                 "AccountName"               : (self.id_mapping, self.default_value_mapping),
                 "CommandLine"               : ("ProcessCommandLine", self.default_value_mapping),
-                "ComputerName"              : (self.id_mapping, self.default_value_mapping),
+                "DeviceName"                : (self.id_mapping, self.default_value_mapping),
                 "DestinationHostname"       : ("RemoteUrl", self.default_value_mapping),
                 "DestinationIp"             : ("RemoteIP", self.default_value_mapping),
                 "DestinationIsIpv6"         : ("RemoteIP has \":\"", ),
@@ -137,17 +137,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
             self.service = None
 
         if (self.category, self.product, self.service) == ("process_creation", "windows", None):
-            self.table = "ProcessCreationEvents"
+            self.table = "DeviceProcessEvents"
         elif (self.category, self.product, self.service) == (None, "windows", "powershell"):
-            self.table = "MiscEvents"
+            self.table = "DeviceEvents"
             self.orToken = ", "
 
         return super().generate(sigmaparser)
 
     def generateBefore(self, parsed):
         if self.table is None:
-            raise NotSupportedError("No WDATP table could be determined from Sigma rule")
-        if self.table == "MiscEvents" and self.service == "powershell":
+            raise NotSupportedError("No MDATP table could be determined from Sigma rule")
+        if self.table == "DeviceEvents" and self.service == "powershell":
             return "%s | where tostring(extractjson('$.Command', AdditionalFields)) in~ " % self.table
         return "%s | where " % self.table
 
@@ -165,26 +165,26 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
             if self.product == "windows":
                 if self.service == "sysmon" and value == 1 \
                     or self.service == "security" and value == 4688:    # Process Execution
-                    self.table = "ProcessCreationEvents"
+                    self.table = "DeviceProcessEvents"
                     return None
                 elif self.service == "sysmon" and value == 3:      # Network Connection
-                    self.table = "NetworkCommunicationEvents"
+                    self.table = "DeviceNetworkEvents"
                     return None
                 elif self.service == "sysmon" and value == 7:      # Image Load
-                    self.table = "ImageLoadEvents"
+                    self.table = "DeviceImageLoadEvents"
                     return None
                 elif self.service == "sysmon" and value == 8:      # Create Remote Thread
-                    self.table = "MiscEvents"
+                    self.table = "DeviceEvents"
                     return "ActionType == \"CreateRemoteThreadApiCall\""
                 elif self.service == "sysmon" and value == 11:     # File Creation
-                    self.table = "FileCreationEvents"
+                    self.table = "DeviceFileEvents"
                     return None
                 elif self.service == "sysmon" and value == 13 \
                     or self.service == "security" and value == 4657:    # Set Registry Value
-                    self.table = "RegistryEvents"
+                    self.table = "DeviceRegistryEvents"
                     return "ActionType == \"RegistryValueSet\""
                 elif self.service == "security" and value == 4624:
-                    self.table = "LogonEvents"
+                    self.table = "DeviceLogonEvents"
                     return None
         elif type(value) in (str, int):     # default value processing
             try: