Merge pull request #1325 from dennispo/align-simac-stixshifter

sigmac to STIX enhancements
This commit is contained in:
Thomas Patzke 2021-03-13 18:49:12 +01:00 committed by GitHub
commit c13f3f1383
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 531 additions and 534 deletions


@ -57,7 +57,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix-custom.yml -c tools/config/stix-shifter.yml -c tools/config/stix2.0.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t chronicle -c tools/config/chronicle.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null


@ -0,0 +1,128 @@
title: Additional STIX mapping for future use
backends:
- stix
order: 10
fieldmappings:
record_type:
- x-dns:record_type
requestParameters.attribute:
- x-cloud:request_parameters
responseElements.publiclyAccessible:
- x-cloud:publicly_accessible
errorMessage:
- x-error:message
errorCode:
- x-error:code
responseElements:
- x-cloud:response_elements
requestParameters.userData:
- x-cloud:request_parameters
AccessMask:
- x-windows:accessmask
Accesses:
- x-windows:accesses
CallTrace:
- x-windows:calltrace
DestinationIsIpv6:
- x-windows:destisipv6
ErrorCode:
- x-error:code
ExtendedErrorCode:
- x-error:code
- x-error:id
GrantedAccess:
- x-windows:grantedaccess
GroupDomain:
- x-group:domain
GroupID:
- x-group:id
GroupName:
- x-group:name
GroupSecurityID:
- x-group:security_id
IMPHash:
- x-windows:imphash
Imphash:
- x-windows:imphash
ImageTempPath:
- process:binary_ref.x_temp_path
InitiatedConnection:
- x-windows:initiatedconnection
Initiated:
- x-windows:initiatedconnection
IntegrityLevel:
- x-windows:integritylevel
LogonType:
- x-windows:logontype
ObjectName:
- x-windows:objectname
ObjectType:
- x-windows:objecttype
PipeName:
- x-windows:pipename
QueryName:
- x-windows:queryname
QueryResults:
- x-windows:queryresults
QueryStatus:
- x-windows:querystatus
ShareName:
- x-windows:sharename
SharePath:
- x-windows:sharepath
Signature:
- x-windows:signature
SignatureStatus:
- x-windows:signaturestatus
Signed:
- x-windows:signed
SourceImageTempPath:
- x-windows:sourceimagetemppath
SourceWorkstation:
- x-windows:sourceworkstation
StartAddress:
- x-windows:startaddress
StartFunction:
- x-windows:startfunction
StartModule:
- x-windows:startmodule
TargetAccountSecurityID:
- x-windows:targetaccountsecurityid
TargetComputerDomain:
- x-windows:targetcomputerdomain
TargetComputerName:
- x-windows:targetcomputername
TargetDetails:
- x-windows:targetdetails
TargetImageName:
- x-windows:targetimagename
TargetProcessGuid:
- x-windows:targetprocessguid
TargetProcessAddress:
- x-windows:startaddress
TargetUserDomain:
- x-windows:targetuserdomain
TargetUserName:
- x-windows:targetusername
TaskName:
- x-windows:taskname
TicketEncryptionType:
- x-windows:ticketencryptiontype
event_data.PipeName:
- x-windows:pipename
event_data.ServiceFileName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
event_data.ShareName:
- x-windows:sharename
event_data.Signature:
- x-windows:signature
event_data.SourceImage:
- x-windows:sourceimage
event_data.StartModule:
- x-windows:startmodule
event_data.TargetImage:
- x-windows:targetimage
key:
- x-sigma:keywords
sc-status:
- x-web:status_code
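Review bot: The deleted Windows and Linux configs scoped their fieldmappings with a `logsources:` block (`product: windows` / `product: linux`), but none of the three new files carry one, so Windows-only keys such as `LogonType`, `PipeName` or `TicketEncryptionType` → `x-windows:*` now apply to rules for every product; the same applies to the "Custom mappings for stix-shifter project" and "Official STIX 2.0" sections. If the widening is intended, a header comment saying so would stop the next maintainer from re-adding the scoping; otherwise restore `logsources:` per file or split the product-specific keys out. Separately, `TargetProcessAddress` and `StartAddress` both map to `x-windows:startaddress`, and `ErrorCode` and `ExtendedErrorCode` both to `x-error:code`, so a rule that distinguishes those fields emits identical clauses — worth a comment or distinct properties. The file also introduces some forty `x-windows`, `x-error`, `x-group`, `x-cloud`, `x-dns` and `x-web` custom properties with no pointer to where they are defined; a header comment such as `# x-* objects below are custom (no STIX schema); consumers must tolerate custom properties — TODO document the defining project, if any` would help whoever validates these mappings.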


@ -1,36 +0,0 @@
title: STIX for Linux Logs
backends:
- stix
order: 40
logsources:
linux:
product: linux
fieldmappings:
type:
- x-event:action
keywords:
- artifact:payload_bin
a0:
- process:command_line
a1:
- process:command_line
name:
- file:name
a3:
- process:command_line
key:
- x-sigma:keywords
exe:
- file:name
a2:
- process:command_line
SYSCALL:
- x-event:action
pam_message:
- x-event:action
pam_user:
- user-account:user_id
pam_rhost:
- x-host:name
USER:
- user-account:user_id


@ -1,51 +0,0 @@
title: STIX for QRadar
backends:
- stix
order: 30
fieldmappings:
categoryid:
- x-ibm-ariel:category_id
categoryname:
- x-ibm-ariel:category_name
credescription:
- x-ibm-finding:description
Description:
- x-ibm-finding:description
credibility:
- x-ibm-ariel:credibility
crename:
- x-ibm-finding:name
devicetype:
- x-ibm-ariel:device_type
Device:
- x-ibm-ariel:device_type
direction:
- x-ibm-ariel:direction
domainid:
- x-ibm-ariel:domain_id
geographic:
- x-ibm-ariel:geographic
high_level_category_id:
- x-ibm-ariel:high_level_category_id
high_level_category_name:
- x-ibm-ariel:high_level_category_name
identityhostname:
- x-ibm-ariel:identity_host_name
logsourceid:
- x-ibm-ariel:log_source_id
logsourcename:
- x-ibm-ariel:log_source_name
logsourcetypename:
- x-ibm-ariel:log_source_type_name
magnitude:
- x-ibm-ariel:magnitude
qid:
- x-ibm-ariel:qid
qidname:
- x-ibm-ariel:event_name
relevance:
- x-ibm-ariel:relevance
rulenames:
- x-ibm-ariel:rule_names[*]
severity:
- x-ibm-ariel:severity


@ -0,0 +1,115 @@
title: Custom mappings for stix-shifter project
backends:
- stix
order: 30
fieldmappings:
# x-oca-event SCO
action:
- x-oca-event:action
operation:
- x-oca-event:action
event.category:
- x-oca-event:category
eventName:
- x-oca-event:action
eventType:
- x-oca-event:category
Description:
- x-oca-event:action
- x-ibm-finding:description
Event-ID:
- x-oca-event:code
EventID:
- x-oca-event:code
Event_ID:
- x-oca-event:code
event-id:
- x-oca-event:code
eventId:
- x-oca-event:code
EventType:
- x-oca-event:action
Message:
- x-oca-event:original
Details:
- windows-registry-key:values[*].data
- x-oca-event:original
event_id:
- x-oca-event:code
eventid:
- x-oca-event:code
type:
- x-oca-event:action
pam_message:
- x-oca-event:action
# x-oca-asset SCO
cs-host:
- x-oca-asset:hostname
- domain-name:value
eventSource:
- x-oca-asset:hostname
ComputerName:
- x-oca-asset:hostname
pam_rhost:
- x-oca-asset:hostname
# DNS network extension
r-dns:
- domain-name:value
- url:value
- network-traffic:extensions.'dns-ext'.question.domain_ref
query:
- domain-name:value
- url:value
- network-traffic:extensions.'dns-ext'.question.domain_ref
# x-ibm-finding object
credescription:
- x-ibm-finding:description
crename:
- x-ibm-finding:name
rulenames:
- x-ibm-finding:rule_names[*]
# x-qradar custom object
categoryid:
- x-qradar:category_id
categoryname:
- x-qradar:category_name
credibility:
- x-qradar:credibility
Device:
- x-qradar:device_type
- file:name
devicetype:
- x-qradar:device_type
direction:
- x-qradar:direction
domainid:
- x-qradar:domain_id
geographic:
- x-qradar:geographic
high_level_category_id:
- x-qradar:high_level_category_id
high_level_category_name:
- x-qradar:high_level_category_name
identityhostname:
- x-qradar:identity_host_name
logsourceid:
- x-qradar:log_source_id
logsourcename:
- x-qradar:log_source_name
logsourcetypename:
- x-qradar:log_source_type_name
magnitude:
- x-qradar:magnitude
qid:
- x-qradar:qid
qidname:
- x-qradar:event_name
relevance:
- x-qradar:relevance
severity:
- x-qradar:severity
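Review bot: The `Device` entry is mapped to both `x-qradar:device_type` and `file:name`, merging the QRadar meaning from the deleted QRadar config with the Windows meaning from the deleted Windows config; if alternative mappings are emitted as an OR, as the other multi-valued entries imply, a rule matching a device name will also match any QRadar device_type string and vice versa, widening the pattern beyond what the rule author wrote. The same merge happens for `Description` (`x-oca-event:action` / `x-ibm-finding:description`) and `cs-host` (`x-oca-asset:hostname` / `domain-name:value`). Either split product-specific keys into per-logsource configs or mark the deliberate over-match, e.g. `# Device: QRadar device type OR Windows device/file name — intentionally broad`. The rename from `x-ibm-ariel:*` to `x-qradar:*` should also be confirmed against the custom object name the stix-shifter QRadar connector actually emits, since a mismatch yields patterns that never match anything.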


@ -1,269 +0,0 @@
title: STIX for Windows Logs
backends:
- stix
order: 40
logsources:
windows:
product: windows
fieldmappings:
AccessMask:
- x-windows:accessmask
Accesses:
- x-windows:accesses
AccountDomain:
- user-account:x_domain
AccountID:
- user-account:user_id
AccountName:
- user-account:account_login
- user-account:display_name
AccountSecurityID:
- user-account:x_security_id
CallTrace:
- x-windows:calltrace
ClientIP:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
ComputerName:
- x-host:name
Description:
- x-event:action
DestinationIsIpv6:
- x-windows:destisipv6
DestinationHostname:
- network-traffic:dst_ref.value
Device:
- file:name
ErrorCode:
- x-error:code
Event-ID:
- x-event:id
- x-event:code
EventID:
- x-event:id
- x-event:code
Event_ID:
- x-event:id
- x-event:code
EventType:
- x-event:action
ExtendedErrorCode:
- x-error:code
- x-error:id
FileDirectory:
- directory:path
FileExtension:
- file:x_extension
FileHash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
FilePath:
- file:name
Filename:
- file:name
GrantedAccess:
- x-windows:grantedaccess
GroupDomain:
- x-group:domain
GroupID:
- x-group:id
GroupName:
- x-group:name
GroupSecurityID:
- x-group:security_id
HomeDirectory:
- directory:path
IMPHash:
- x-windows:imphash
Imphash:
- x-windows:imphash
Image:
- process:image_ref.name
ImageLoadedTempPath:
- process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path
ImageName:
- process:image_ref.name
ImagePath:
- process:image_ref.name
ImageTempPath:
- process:image_ref.x_temp_path
InitiatedConnection:
- x-windows:initiatedconnection
Initiated:
- x-windows:initiatedconnection
InitiatorUserName:
- user-account:user_id
- user-account:account_login
IntegrityLevel:
- x-windows:integritylevel
LoadedImage:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
LoadedImageName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
LogonType:
- x-windows:logontype
MD5Hash:
- file:hashes.MD5
Message:
- x-event:original
NewName:
- windows-registry-key:key
ObjectName:
- x-windows:objectname
ObjectType:
- x-windows:objecttype
ParentCommandLine:
- process:parent_ref.command_line
ParentImage:
- process:parent_ref.image_ref.name
ParentImageName:
- process:parent_ref.image_ref.name
ParentProcessGuid:
- process:parent_ref.x_guid
ParentProcessName:
- process:parent_ref.image_ref.name
ParentProcessPath:
- process:parent_ref.image_ref.name
PipeName:
- x-windows:pipename
ProcessCommandLine:
- process:command_line
Command:
- process:command_line
CommandLine:
- process:command_line
ProcessGuid:
- process:x_guid
ProcessId:
- process:pid
ProcessName:
- process:image_ref.name
ProcessPath:
- process:image_ref.name
QueryName:
- x-windows:queryname
QueryResults:
- x-windows:queryresults
QueryStatus:
- x-windows:querystatus
RegistryKey:
- windows-registry-key:key
RegistryValueData:
- windows-registry-key:values[*].data
RegistryValueName:
- windows-registry-key:values[*].name
SAMAccountName:
- user-account:account_login
- user-account:display_name
SHA1Hash:
- file:hashes.SHA-1
SHA256Hash:
- file:hashes.SHA-256
ServiceFileName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
ServiceName:
- process:extensions.'windows-service-ext'.service_name
ShareName:
- x-windows:sharename
SharePath:
- x-windows:sharepath
Signature:
- x-windows:signature
SignatureStatus:
- x-windows:signaturestatus
Signed:
- x-windows:signed
SourceImage:
- x-windows:sourceimage
SourceImageTempPath:
- x-windows:sourceimagetemppath
SourceWorkstation:
- x-windows:sourceworkstation
StartAddress:
- x-windows:startaddress
StartFunction:
- x-windows:startfunction
StartModule:
- x-windows:startmodule
TargetAccountSecurityID:
- x-windows:targetaccountsecurityid
TargetComputerDomain:
- x-windows:targetcomputerdomain
TargetComputerName:
- x-windows:targetcomputername
TargetDetails:
- x-windows:targetdetails
Details:
- windows-registry-key:values[*].data
- x-event:original
TargetFilename:
- file:name
TargetImage:
- x-windows:targetimage
TargetImageName:
- x-windows:targetimagename
TargetObject:
- windows-registry-key:key
TargetProcessGuid:
- x-windows:targetprocessguid
TargetProcessAddress:
- x-windows:startaddress
TargetUserDomain:
- x-windows:targetuserdomain
TargetUserName:
- x-windows:targetusername
TaskName:
- x-windows:taskname
TicketEncryptionType:
- x-windows:ticketencryptiontype
User:
- user-account:user_id
UserDomain:
- user-account:x_domain
event-id:
- x-event:id
eventId:
- x-event:id
event_data.FileName:
- file:name
event_data.Image:
- process:image_ref.name
event_data.ImageLoaded:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
ImageLoaded:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
event_data.ImagePath:
- process:image_ref.name
event_data.ParentCommandLine:
- process:parent_ref.command_line
event_data.ParentImage:
- process:parent_ref.image_ref.name
event_data.ParentProcessName:
- process:parent_ref.image_ref.name
event_data.PipeName:
- x-windows:pipename
event_data.ServiceFileName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
event_data.ShareName:
- x-windows:sharename
event_data.Signature:
- x-windows:signature
event_data.SourceImage:
- x-windows:sourceimage
event_data.StartModule:
- x-windows:startmodule
event_data.SubjectUserName:
- user-account:user_id
- user-account:account_login
event_data.TargetFilename:
- file:name
event_data.TargetImage:
- x-windows:targetimage
event_data.User:
- user-account:user_id
event_id:
- x-event:id
eventid:
- x-event:id


@ -1,175 +0,0 @@
title: Basic STIX
backends:
- stix
order: 20
fieldmappings:
action:
- x-event:action
User:
- user-account:user_id
c-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
cs-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
destinationip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
destinationmac:
- mac-addr:value
- network-traffic:dst_ref.value
destinationport:
- network-traffic:dst_port
dst_port:
- network-traffic:dst_port
domainname:
- domain-name:value
dst:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
dst_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
endtime:
- network-traffic:end
event_data.DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
event_data.DestinationPort:
- network-traffic:dst_port
DestinationPort:
- network-traffic:dst_port
destination.port:
- network-traffic:dst_port
event_data.SubjectUserName:
- user-account:user_id
event_data.User:
- user-account:user_id
filehash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
filename:
- file:name
filepath:
- file:parent_directory_ref
- directory:path
identityip:
- ipv4-addr:value
protocolid:
- network-traffic:protocols[*]
sourceip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
sourcemac:
- mac-addr:value
- network-traffic:src_ref.value
sourceport:
- network-traffic:src_port
SourcePort:
- network-traffic:src_port
src:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
src_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
starttime:
- network-traffic:start
url:
- url:value
user:
- user-account:user_id
username:
- user-account:user_id
utf8_payload:
- artifact:payload_bin
# Web + Proxy mapping
c-uri:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
c-uri-query:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
c-uri-stem:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
keywords:
- artifact:payload_bin
cs-method:
- network-traffic:extensions.'http-request-ext'.request_method
sc-status:
- x-web:status_code
clientip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
c-useragent:
- network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'
r-dns:
- domain-name:value
- url:value
- x-dns:query
cs-host:
- x-host:name
- domain-name:value
cs-cookie:
- network-traffic:extensions.'http-request-ext'.request_header.Cookie
query:
- domain-name:value
- url:value
- x-dns:query
record_type:
- x-dns:record_type
operation:
- x-event:action
# Compliance mapping
event.category:
- x-event:action
host.scan.vuln_name:
- vulnerability:name
host.scan.vuln:
- vulnerability:external_references[*].external_id
# Cloud mapping
eventSource:
- x-host:name
eventName:
- x-event:action
requestParameters.attribute:
- x-cloud:request_parameters
responseElements.publiclyAccessible:
- x-cloud:publicly_accessible
errorMessage:
- x-error:message
errorCode:
- x-error:code
responseElements:
- x-cloud:response_elements
requestParameters.userData:
- x-cloud:request_parameters
userIdentity.type:
- user-account:account_login
eventType:
- x-event:action
userIdentity.arn:
- user-account:account_login
- user-account:display_name
responseElements.pendingModifiedValues.masterUserPassword:
- user-account:credential

284
tools/config/stix2.0.yml Normal file

@ -0,0 +1,284 @@
title: Official STIX 2.0
backends:
- stix
order: 100
fieldmappings:
User:
- user-account:user_id
USER:
- user-account:user_id
user:
- user-account:user_id
event_data.SubjectUserName:
- user-account:user_id
- user-account:account_login
c-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
cs-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
destinationip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
destinationmac:
- mac-addr:value
- network-traffic:dst_ref.value
destinationport:
- network-traffic:dst_port
dst_port:
- network-traffic:dst_port
domainname:
- domain-name:value
dst:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
dst_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
endtime:
- network-traffic:end
event_data.DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
event_data.DestinationPort:
- network-traffic:dst_port
DestinationPort:
- network-traffic:dst_port
destination.port:
- network-traffic:dst_port
filehash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
filename:
- file:name
filepath:
- file:parent_directory_ref
- directory:path
identityip:
- ipv4-addr:value
protocolid:
- network-traffic:protocols[*]
sourceip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
sourcemac:
- mac-addr:value
- network-traffic:src_ref.value
sourceport:
- network-traffic:src_port
SourcePort:
- network-traffic:src_port
src:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
src_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
starttime:
- network-traffic:start
url:
- url:value
username:
- user-account:user_id
utf8_payload:
- artifact:payload_bin
# Web + Proxy mapping
c-uri:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
c-uri-query:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
c-uri-stem:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
keywords:
- artifact:payload_bin
cs-method:
- network-traffic:extensions.'http-request-ext'.request_method
clientip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
c-useragent:
- network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'
r-dns:
- domain-name:value
- url:value
cs-host:
- domain-name:value
cs-cookie:
- network-traffic:extensions.'http-request-ext'.request_header.Cookie
query:
- domain-name:value
- url:value
# Compliance mapping
host.scan.vuln_name:
- vulnerability:name
host.scan.vuln:
- vulnerability:external_references[*].external_id
# Cloud mapping
userIdentity.type:
- user-account:account_login
userIdentity.arn:
- user-account:account_login
- user-account:display_name
responseElements.pendingModifiedValues.masterUserPassword:
- user-account:credential
AccountDomain:
- user-account:x_domain
AccountID:
- user-account:user_id
AccountName:
- user-account:account_login
- user-account:display_name
AccountSecurityID:
- user-account:x_security_id
ClientIP:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
DestinationHostname:
- network-traffic:dst_ref.value
Device:
- file:name
FileDirectory:
- directory:path
FileExtension:
- file:x_extension
FileHash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
FilePath:
- file:name
Filename:
- file:name
HomeDirectory:
- directory:path
Image:
- process:binary_ref.name
ImageLoadedTempPath:
- process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path
ImageName:
- process:binary_ref.name
ImagePath:
- process:binary_ref.parent_directory_ref.path.name
SourceImage:
- process:binary_ref.name
InitiatorUserName:
- user-account:user_id
- user-account:account_login
LoadedImage:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
LoadedImageName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
MD5Hash:
- file:hashes.MD5
NewName:
- windows-registry-key:key
ParentCommandLine:
- process:parent_ref.command_line
ParentImage:
- process:parent_ref.binary_ref.name
ParentImageName:
- process:parent_ref.binary_ref.name
ParentProcessGuid:
- process:parent_ref.x_guid
ParentProcessName:
- process:parent_ref.binary_ref.name
ParentProcessPath:
- process:parent_ref.binary_ref.name
ProcessCommandLine:
- process:command_line
Command:
- process:command_line
CommandLine:
- process:command_line
ProcessGuid:
- process:x_guid
ProcessId:
- process:pid
ProcessName:
- process:binary_ref.name
ProcessPath:
- process:binary_ref.parent_directory_ref.path
RegistryKey:
- windows-registry-key:key
RegistryValueData:
- windows-registry-key:values[*].data
RegistryValueName:
- windows-registry-key:values[*].name
SAMAccountName:
- user-account:account_login
- user-account:display_name
SHA1Hash:
- file:hashes.SHA-1
SHA256Hash:
- file:hashes.SHA-256
ServiceFileName:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
ServiceName:
- process:extensions.'windows-service-ext'.service_name
Details:
- windows-registry-key:values[*].data
TargetFilename:
- file:name
TargetImage:
- process:binary_ref.name
TargetObject:
- windows-registry-key:key
UserDomain:
- user-account:x_domain
event_data.FileName:
- file:name
event_data.Image:
- process:binary_ref.name
event_data.ImageLoaded:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
ImageLoaded:
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
event_data.ImagePath:
- process:binary_ref.parent_directory_ref.path
event_data.ParentCommandLine:
- process:parent_ref.command_line
event_data.ParentImage:
- process:parent_ref.binary_ref.name
event_data.ParentProcessName:
- process:parent_ref.binary_ref.name
event_data.TargetFilename:
- file:name
event_data.User:
- user-account:user_id
a0:
- process:command_line
a1:
- process:command_line
name:
- file:name
a3:
- process:command_line
exe:
- file:name
a2:
- process:command_line
pam_user:
- user-account:user_id
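Review bot: `ImagePath` maps to `process:binary_ref.parent_directory_ref.path.name`, but a directory's `path` is a string, so `.path.name` resolves to nothing; the sibling entries `ProcessPath` and `event_data.ImagePath` use `process:binary_ref.parent_directory_ref.path`, and `ImagePath` should match them: `- process:binary_ref.parent_directory_ref.path`. The file is titled "Official STIX 2.0" yet carries custom properties (`user-account:x_domain`, `user-account:x_security_id`, `file:x_extension`, `process:x_guid`, `...x_temp_path`) that a strict 2.0 validator will reject; either move them to the "Additional STIX mapping" config or state in a header comment that custom `x_` properties are expected. `user-account:credential` looks like a STIX 2.1 addition rather than a 2.0 property — confirm against the spec before shipping under this title. The `image_ref` → `binary_ref` switch does match the 2.0 process object (2.1 later renamed it), so that part is consistent.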


@ -16,7 +16,7 @@ class STIXBackend(SingleTextQueryBackend):
mapExpression = "%s = %s"
notMapExpression = "%s != %s"
mapListsSpecialHandling = True
sigmaSTIXObjectName = "x-sigma"
sort_condition_lists = True
def cleanKey(self, key):
if key is None:
@ -113,7 +113,8 @@ class STIXBackend(SingleTextQueryBackend):
def generateMapItemNode(self, node, currently_within_NOT_node=False):
key, value = node
if ":" not in key:
key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower())
# key wasn't mapped
return None
if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
if type(value) == str and "*" in value:
value = value.replace("*", "%")
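Review bot: Returning `None` for a key without `:` silently drops that condition from the generated pattern, so a rule whose field has no STIX mapping now yields a broader pattern than the author wrote, and inside a NOT node (`currently_within_NOT_node`) the dropped negation can invert the rule's intent; before this change the key was still emitted under the `x-sigma` object, so the condition at least remained visible in the output. Making the loss detectable would be cheap — replace the bare comment with `# key wasn't mapped: dropping it widens the pattern, so fail loudly` and either `warnings.warn("unmapped field %s dropped from STIX pattern" % key)` or the `NotSupportedError` other sigmac backends raise for unsupported constructs. This also relies on the caller filtering `None` out of AND/OR lists, which I assume `SingleTextQueryBackend` does but cannot see here. `generateMapItemNode` continues past the hunk.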