From 09475382286b05b978a6077daaff947d675f8da6 Mon Sep 17 00:00:00 2001
From: David Szili
Date: Mon, 9 Mar 2020 17:12:41 +0100
Subject: [PATCH] MDATP schema changes

WDATP was renamed to MDATP (Microsoft Defendre ATP). MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914 The updates reflect these changes
---
 CHANGELOG.md | 2 +-
 Makefile | 2 +-
 README.md | 6 ++--
 .../win_apt_tropictrooper.yml | 2 +-
 .../win_apt_unidentified_nov_18.yml | 2 +-
 tools/sigma/backends/{wdatp.py => mdatp.py} | 28 +++++++++----------
 6 files changed, 21 insertions(+), 21 deletions(-)
 rename tools/sigma/backends/{wdatp.py => mdatp.py} (92%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d55e3d3d..b072e652 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -89,7 +89,7 @@ from version 0.14.0.
 ### Added
 * Index mappings for Sumologic
-* Malicious cmdlets in wdatp
+* Malicious cmdlets in mdatp
 * QRadar support for keyword searches
 * QRadar mapping improvements
 * QRadar field selection
diff --git a/Makefile b/Makefile
index 389d7973..46803959 100644
--- a/Makefile
+++ b/Makefile
@@ -33,7 +33,7 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
diff --git a/README.md b/README.md
index 6d01612b..e8ad159e 100644
--- a/README.md
+++ b/README.md
@@ -100,7 +100,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
 ```
 usage: sigmac [-h] [--recurse] [--filter FILTER]
-               [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+               [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}]
                [--target-list] [--config CONFIG] [--output OUTPUT]
                [--backend-option BACKEND_OPTION] [--defer-abort]
                [--ignore-backend-errors] [--verbose] [--debug]
@@ -125,7 +125,7 @@ optional arguments:
                         tag that must appear in the rules tag list, case-
                         insensitive matching. Multiple log source specifications are AND linked.
-  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}
                         Output target format
   --target-list, -l     List available output target formats
   --config CONFIG, -c CONFIG
@@ -191,7 +191,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
 * [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
-* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* [Microsoft Defender Advanced Threat Protection (MDATP)](https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp)
 * [Azure Sentinel / Azure Log Analytics](https://azure.microsoft.com/en-us/services/azure-sentinel/)
 * [Sumologic](https://www.sumologic.com/)
 * [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 6c0c932d..69697511 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -1,6 +1,6 @@
 title: TropicTrooper Campaign November 2018
 id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
-author: '@41thexplorer, Windows Defender ATP'
+author: '@41thexplorer, Microsoft Defender ATP'
 status: stable
 date: 2019/11/12
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index 57352b80..35df86b9 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -6,7 +6,7 @@ description: A sigma rule detecting an unidetefied attacker who used phishing em
     YYTRIUM/APT29 campaign in 2016.
 references:
     - https://twitter.com/DrunkBinary/status/1063075530180886529
-author: '@41thexplorer, Windows Defender ATP'
+author: '@41thexplorer, Microsoft Defender ATP'
 date: 2018/11/20
 modified: 2018/12/11
 tags:
diff --git a/tools/sigma/backends/wdatp.py b/tools/sigma/backends/mdatp.py
similarity index 92%
rename from tools/sigma/backends/wdatp.py
rename to tools/sigma/backends/mdatp.py
index 92f46331..096ee829 100644
--- a/tools/sigma/backends/wdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -19,8 +19,8 @@ from .base import SingleTextQueryBackend
 from .exceptions import NotSupportedError
 
 class WindowsDefenderATPBackend(SingleTextQueryBackend):
-    """Converts Sigma rule into Windows Defender ATP Hunting Queries."""
-    identifier = "wdatp"
+    """Converts Sigma rule into Microsoft Defender ATP Hunting Queries."""
+    identifier = "mdatp"
     active = True
     config_required = False
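Review bot: Changing `identifier = "wdatp"` to `identifier = "mdatp"` with no fallback means every existing `sigmac -t wdatp` invocation (the Makefile and README hunks in this patch show the identifier is what `--target` selects) stops resolving to a backend after the upgrade, which is a silent break for CI jobs and conversion scripts outside this repository. I cannot see from the hunk how sigmac builds its target registry; if it permits it, accepting "wdatp" as a deprecated alias for one release, and adding a line for the rename under CHANGELOG.md (which this commit only touches for the cmdlet entry), would make the transition visible. The class is still named `WindowsDefenderATPBackend` while its docstring now says Microsoft Defender ATP; either rename it or add `# class name kept for backward compatibility with existing imports` above the `class` line so the mismatch reads as deliberate. The class body continues outside the hunk.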
@@ -52,7 +52,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
             # (replacement, ): Replaces field occurrence with static string
             "AccountName" : (self.id_mapping, self.default_value_mapping),
             "CommandLine" : ("ProcessCommandLine", self.default_value_mapping),
-            "ComputerName" : (self.id_mapping, self.default_value_mapping),
+            "DeviceName" : (self.id_mapping, self.default_value_mapping),
             "DestinationHostname" : ("RemoteUrl", self.default_value_mapping),
             "DestinationIp" : ("RemoteIP", self.default_value_mapping),
             "DestinationIsIpv6" : ("RemoteIP has \":\"", ),
@@ -137,17 +137,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
             self.service = None
 
         if (self.category, self.product, self.service) == ("process_creation", "windows", None):
-            self.table = "ProcessCreationEvents"
+            self.table = "DeviceProcessEvents"
         elif (self.category, self.product, self.service) == (None, "windows", "powershell"):
-            self.table = "MiscEvents"
+            self.table = "DeviceEvents"
 
         self.orToken = ", "
         return super().generate(sigmaparser)
 
     def generateBefore(self, parsed):
         if self.table is None:
-            raise NotSupportedError("No WDATP table could be determined from Sigma rule")
-        if self.table == "MiscEvents" and self.service == "powershell":
+            raise NotSupportedError("No MDATP table could be determined from Sigma rule")
+        if self.table == "DeviceEvents" and self.service == "powershell":
             return "%s | where tostring(extractjson('$.Command', AdditionalFields)) in~ " % self.table
         return "%s | where " % self.table
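Review bot: The renamed mapping entry `"DeviceName" : (self.id_mapping, self.default_value_mapping)` changes the Sigma-side key instead of the MDATP-side value: the neighbouring `"CommandLine" : ("ProcessCommandLine", ...)` shows that keys are Sigma field names and the tuple's first element is the MDATP column, and `id_mapping` appears to keep the name as-is. With this line a rule written with the generic Sigma field `ComputerName` no longer has a mapping for this backend, so it presumably either passes through as a column that does not exist in the Device* tables or is dropped, a silent loss of detection coverage on converted rules, while rules would have to use the backend-specific `DeviceName` to match. The intended line is presumably `"ComputerName" : ("DeviceName", self.default_value_mapping),`. The mapping dict starts and ends outside the hunk, so whether any other columns renamed by the schema change also need a new right-hand side cannot be checked here.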
@@ -165,26 +165,26 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
             if self.product == "windows":
                 if self.service == "sysmon" and value == 1 \
                     or self.service == "security" and value == 4688: # Process Execution
-                    self.table = "ProcessCreationEvents"
+                    self.table = "DeviceProcessEvents"
                     return None
                 elif self.service == "sysmon" and value == 3: # Network Connection
-                    self.table = "NetworkCommunicationEvents"
+                    self.table = "DeviceNetworkEvents"
                     return None
                 elif self.service == "sysmon" and value == 7: # Image Load
-                    self.table = "ImageLoadEvents"
+                    self.table = "DeviceImageLoadEvents"
                     return None
                 elif self.service == "sysmon" and value == 8: # Create Remote Thread
-                    self.table = "MiscEvents"
+                    self.table = "DeviceEvents"
                     return "ActionType == \"CreateRemoteThreadApiCall\""
                 elif self.service == "sysmon" and value == 11: # File Creation
-                    self.table = "FileCreationEvents"
+                    self.table = "DeviceFileEvents"
                     return None
                 elif self.service == "sysmon" and value == 13 \
                     or self.service == "security" and value == 4657: # Set Registry Value
-                    self.table = "RegistryEvents"
+                    self.table = "DeviceRegistryEvents"
                     return "ActionType == \"RegistryValueSet\""
                 elif self.service == "security" and value == 4624:
-                    self.table = "LogonEvents"
+                    self.table = "DeviceLogonEvents"
                     return None
             elif type(value) in (str, int): # default value processing
                 try:
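Review bot: The new table names are bare string literals scattered across this hunk and the `generate()`/`generateBefore()` hunk at @@ -137 (`"DeviceProcessEvents"` and `"DeviceEvents"` each appear in both places, and `generateBefore` compares against the literal again), so this is the second schema rename that has had to touch seven-plus lines, and a literal that is missed next time only fails when the generated query is run against the tenant. Hoisting the names into class-level constants beside `identifier` and assigning those here (`self.table = self.TABLE_PROCESS`) makes the next rename a one-place change and lets the `generateBefore` comparison use the same constant. The `elif` chain belongs to a method whose start and end are outside the hunk.
```python
    # Advanced-hunting table names for the current schema; keep every table
    # reference on these so a future rename touches one place only
    TABLE_PROCESS = "DeviceProcessEvents"
    TABLE_NETWORK = "DeviceNetworkEvents"
    TABLE_IMAGE_LOAD = "DeviceImageLoadEvents"
    TABLE_MISC = "DeviceEvents"
    TABLE_FILE = "DeviceFileEvents"
    TABLE_REGISTRY = "DeviceRegistryEvents"
    TABLE_LOGON = "DeviceLogonEvents"

    # … unchanged: generate() and generateBefore() switch to the same constants …
            if self.product == "windows":
                if self.service == "sysmon" and value == 1 \
                    or self.service == "security" and value == 4688: # Process Execution
                    self.table = self.TABLE_PROCESS
                    return None
                # … unchanged: remaining elif branches, each assigning the matching TABLE_* constant …
```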