valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/Neo23x0/sigma

Browse Source
This commit is contained in:
Thomas Patzke 2019-01-14 22:12:37 +01:00
commit 8336b47530
5 changed files with 58 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.yamllint
View File

@ -1,4 +1,12 @@
--- ---
# https://yamllint.readthedocs.io/en/latest/configuration.html # https://yamllint.readthedocs.io/en/latest/configuration.html
extends: default
rules: rules:
comments: disable
comments-indentation: disable
document-start: disable document-start: disable
empty-lines: {max: 2, max-start: 2, max-end: 2}
indentation: disable
line-length: disable
new-line-at-end-of-file: disable
trailing-spaces: disable

3
tools/config/qradar.yml
View File

@ -26,6 +26,8 @@ logsources:
index: flows index: flows
fieldmappings: fieldmappings:
EventID:
- Event ID Code
dst: dst:
- destinationIP - destinationIP
dst_ip: dst_ip:
@ -34,3 +36,4 @@ fieldmappings:
- sourceIP - sourceIP
src_ip: src_ip:
- sourceIP - sourceIP
ServiceFileName: Service Name

39
tools/sigma/backends/qradar.py
View File

@ -108,7 +108,7 @@ class QRadarBackend(SingleTextQueryBackend):
def generateNotNULLValueNode(self, node): def generateNotNULLValueNode(self, node):
return self.notNullExpression % (node.item) return self.notNullExpression % (node.item)
def generateAggregation(self, agg): def generateAggregation(self, agg, timeframe='00'):
if agg == None: if agg == None:
return "" return ""
if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR: if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR:
@ -117,11 +117,36 @@ class QRadarBackend(SingleTextQueryBackend):
self.qradarPrefixAgg = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, agg.aggfield, self.aql_database) self.qradarPrefixAgg = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.aggfield, agg.cond_op, agg.condition) self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.aggfield, agg.cond_op, agg.condition)
return self.qradarPrefixAgg, self.qradarSuffixAgg return self.qradarPrefixAgg, self.qradarSuffixAgg
elif agg.groupfield != None and timeframe == '00':
self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
return self.qradarPrefixAgg, self.qradarSuffixAgg
elif agg.groupfield != None and timeframe != None:
for key, duration in self.generateTimeframe(timeframe).items():
self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
self.qradarSuffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (agg.groupfield, agg.cond_op, agg.condition, duration, key)
return self.qradarPrefixAgg, self.qradarSuffixAgg
else: else:
self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database) self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition) self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
return self.qradarPrefixAgg, self.qradarSuffixAgg return self.qradarPrefixAgg, self.qradarSuffixAgg
def generateTimeframe(self, timeframe):
time_unit = timeframe[-1:]
duration = timeframe[:-1]
timeframe_object = {}
if time_unit == "s":
timeframe_object['seconds'] = int(duration)
elif time_unit == "m":
timeframe_object['minutes'] = int(duration)
elif time_unit == "h":
timeframe_object['hours'] = int(duration)
elif time_unit == "d":
timeframe_object['days'] = int(duration)
else:
timeframe_object['months'] = int(duration)
return timeframe_object
def generate(self, sigmaparser): def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
for parsed in sigmaparser.condparsed: for parsed in sigmaparser.condparsed:
@ -147,10 +172,20 @@ class QRadarBackend(SingleTextQueryBackend):
else: else:
aql_database = "events" aql_database = "events"
qradarPrefix = "SELECT UTF8(payload) as search_payload from %s where " % (aql_database) qradarPrefix = "SELECT UTF8(payload) as search_payload from %s where " % (aql_database)
if parsed.parsedAgg:
try:
timeframe = sigmaparser.parsedyaml['detection']['timeframe']
except:
timeframe = None
if parsed.parsedAgg and timeframe == None:
(qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg) (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg)
result = qradarPrefix + result result = qradarPrefix + result
result += qradarSuffixAgg result += qradarSuffixAgg
elif parsed.parsedAgg != None and timeframe != None:
(qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe)
result = qradarPrefix + result
result += qradarSuffixAgg
else: else:
result = qradarPrefix + result result = qradarPrefix + result
return result return result