_index in aFL and mappings working!

This commit is contained in:
juju4 2019-07-06 08:57:27 -04:00
parent 2b062a0de7
commit b358d38e68


@ -78,23 +78,6 @@ class SumoLogicBackend(SingleTextQueryBackend):
# not required but makes query faster, especially if no FER or _index/_sourceCategory
if self.logname:
return "%s " % self.logname
# FIXME! don't get backend config mapping through generate() => mapping inside script
if not self.indices and self.product == 'windows' and self.service:
return "_index=WINDOWS %s " % (self.service)
if not self.indices and self.product == 'windows':
return "_index=WINDOWS "
if not self.indices and self.product == 'linux' and self.service == 'auditd':
return "_index=AUDITD "
if not self.indices and self.product == 'linux' and self.service == 'osqueryd':
return "_index=OSQUERY "
if not self.indices and self.product == 'linux':
return "_index=LINUX "
if self.product == 'antivirus':
return "_index=ANTIVIRUS "
if self.category == 'firewall':
return "_index=FIREWALL "
if self.indices:
return "_index=%s " % self.indices
return ""
def generate(self, sigmaparser):
@ -147,7 +130,7 @@ class SumoLogicBackend(SingleTextQueryBackend):
super().__init__(*args, **kwargs)
# TODO/FIXME! depending on deployment configuration, existing FER must be populate here (or backend config?)
# aFL = ["EventID"]
aFL = ["EventID", "sourcename", "CommandLine", "NewProcessName", "Image", "ParentImage", "ParentCommandLine", "ParentProcessName"]
aFL = ["_index", "EventID", "sourcename", "CommandLine", "NewProcessName", "Image", "ParentImage", "ParentCommandLine", "ParentProcessName"]
for item in self.sigmaconfig.fieldmappings.values():
if item.target_type is list:
aFL.extend(item.target)
@ -248,7 +231,7 @@ class SumoLogicBackend(SingleTextQueryBackend):
val = re.sub(r'\\"\*$', '\\\\\\"*', val)
# if not key and not (val.startswith('"') and val.endswith('"')) and not (val.startswith('(') and val.endswith(')')) and not ('|' in val) and val:
# apt_babyshark.yml
if not (val.startswith('"') and val.endswith('"')) and not (val.startswith('(') and val.endswith(')')) and not ('|' in val) and not ('*' in val) and val:
if not (val.startswith('"') and val.endswith('"')) and not (val.startswith('(') and val.endswith(')')) and not ('|' in val) and not ('*' in val) and val and not '_index' in key:
val = '"%s"' % val
return val
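Review bot: The new guard on the quoting condition in the third hunk is written `not '_index' in key`, which is conventionally spelled `'_index' not in key` and is easy to misread inside an already long conjunction. The substring test also matches any field name that merely contains `_index`; if the intent is to leave only the index selector unquoted, `key != '_index'` is the precise check, which would be worth confirming against the field names added to `aFL` in the second hunk. The commented-out variant two lines above (`if not key and ...`) suggests `key` can be empty or None on some path, and `'_index' in None` raises TypeError, so a safer form is `... and val and '_index' not in (key or '')`. The enclosing function starts outside the hunk.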