Merge branch 'master' of https://github.com/Neo23x0/sigma

2024-11-07 01:45:21 +00:00 · 2019-01-14 22:12:37 +01:00 · 2019-01-14 22:12:37 +01:00 · 8336b47530
commit 8336b47530
parent cc4b806b94 5cba0b9946
5 changed files with 58 additions and 12 deletions
--- a/.yamllint
+++ b/.yamllint
@ -1,4 +1,12 @@
 ---
 # https://yamllint.readthedocs.io/en/latest/configuration.html
+extends: default
 rules:
+  comments: disable
+  comments-indentation: disable
  document-start: disable
+  empty-lines: {max: 2, max-start: 2, max-end: 2}
+  indentation: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  trailing-spaces: disable
--- a/tools/config/qradar.yml
+++ b/tools/config/qradar.yml
@ -26,6 +26,8 @@ logsources:
   index: flows

 fieldmappings:
+    EventID:
+        - Event ID Code
    dst:
        - destinationIP
    dst_ip:
@ -34,3 +36,4 @@ fieldmappings:
        - sourceIP
    src_ip:
        - sourceIP
+    ServiceFileName: Service Name
--- a/tools/sigma/backends/qradar.py
+++ b/tools/sigma/backends/qradar.py
@ -108,7 +108,7 @@ class QRadarBackend(SingleTextQueryBackend):
    def generateNotNULLValueNode(self, node):
        return self.notNullExpression % (node.item)

-    def generateAggregation(self, agg):
+    def generateAggregation(self, agg, timeframe='00'):
        if agg == None:
            return ""
        if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR:
@ -117,11 +117,36 @@ class QRadarBackend(SingleTextQueryBackend):
            self.qradarPrefixAgg = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.aggfield, agg.cond_op, agg.condition)
            return self.qradarPrefixAgg, self.qradarSuffixAgg
+        elif agg.groupfield != None and timeframe == '00':
+                self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
+                self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
+                return self.qradarPrefixAgg, self.qradarSuffixAgg
+        elif agg.groupfield != None and timeframe != None:
+            for key, duration in self.generateTimeframe(timeframe).items():
+                self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
+                self.qradarSuffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (agg.groupfield, agg.cond_op, agg.condition, duration, key)
+                return self.qradarPrefixAgg, self.qradarSuffixAgg
        else:
            self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
            self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
            return self.qradarPrefixAgg, self.qradarSuffixAgg

+    def generateTimeframe(self, timeframe):
+        time_unit = timeframe[-1:]
+        duration = timeframe[:-1]
+        timeframe_object = {}
+        if time_unit == "s":
+            timeframe_object['seconds'] = int(duration)
+        elif time_unit == "m":
+            timeframe_object['minutes'] = int(duration)
+        elif time_unit == "h":
+            timeframe_object['hours'] = int(duration)
+        elif time_unit == "d":
+            timeframe_object['days'] = int(duration)
+        else:
+            timeframe_object['months'] = int(duration)
+        return timeframe_object
+
    def generate(self, sigmaparser):
        """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
        for parsed in sigmaparser.condparsed:
@ -147,10 +172,20 @@ class QRadarBackend(SingleTextQueryBackend):
        else:
            aql_database = "events"
        qradarPrefix = "SELECT UTF8(payload) as search_payload from %s where " % (aql_database)
-        if parsed.parsedAgg:
+
+        try:
+            timeframe = sigmaparser.parsedyaml['detection']['timeframe']
+        except:
+            timeframe = None
+
+        if parsed.parsedAgg and timeframe == None:
            (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg)
            result = qradarPrefix + result
            result += qradarSuffixAgg
+        elif parsed.parsedAgg != None and timeframe != None:
+            (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe)
+            result = qradarPrefix + result
+            result += qradarSuffixAgg
        else:
            result = qradarPrefix + result
        return result