From 70d14b46ef9a1a10729bd79856fa69e178294da6 Mon Sep 17 00:00:00 2001 From: Dennis Potashnik Date: Tue, 5 Jan 2021 15:13:36 +0200 Subject: [PATCH 1/7] Aligning with newer stix-shifter version --- tools/config/stix-linux.yml | 8 ++++---- tools/config/stix-windows.yml | 30 +++++++++++++++--------------- tools/config/stix.yml | 14 +++++++------- 3 files changed, 26 insertions(+), 26 deletions(-) diff --git a/tools/config/stix-linux.yml b/tools/config/stix-linux.yml index 3bab2072..0ab8f72b 100644 --- a/tools/config/stix-linux.yml +++ b/tools/config/stix-linux.yml @@ -7,7 +7,7 @@ logsources: product: linux fieldmappings: type: - - x-event:action + - x-ibm-event:action keywords: - artifact:payload_bin a0: @@ -25,12 +25,12 @@ fieldmappings: a2: - process:command_line SYSCALL: - - x-event:action + - x-ibm-event:action pam_message: - - x-event:action + - x-ibm-event:action pam_user: - user-account:user_id pam_rhost: - - x-host:name + - x-ibm-host:hostname USER: - user-account:user_id \ No newline at end of file diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml index 6a9de243..c14001f3 100644 --- a/tools/config/stix-windows.yml +++ b/tools/config/stix-windows.yml @@ -26,9 +26,9 @@ fieldmappings: - ipv6-addr:value - network-traffic:src_ref.value ComputerName: - - x-host:name + - x-ibm-host:hostname Description: - - x-event:action + - x-ibm-event:action DestinationIsIpv6: - x-windows:destisipv6 DestinationHostname: @@ -38,16 +38,16 @@ fieldmappings: ErrorCode: - x-error:code Event-ID: - - x-event:id - - x-event:code + - x-ibm-event:id + - x-ibm-event:code EventID: - - x-event:id - - x-event:code + - x-ibm-event:id + - x-ibm-event:code Event_ID: - - x-event:id - - x-event:code + - x-ibm-event:id + - x-ibm-event:code EventType: - - x-event:action + - x-ibm-event:action ExtendedErrorCode: - x-error:code - x-error:id 
@@ -107,7 +107,7 @@ fieldmappings: MD5Hash: - file:hashes.MD5 Message: - - x-event:original + - x-ibm-event:original NewName: - windows-registry-key:key ObjectName: @@ -197,7 +197,7 @@ fieldmappings: - x-windows:targetdetails Details: - windows-registry-key:values[*].data - - x-event:original + - x-ibm-event:original TargetFilename: - file:name TargetImage: @@ -223,9 +223,9 @@ fieldmappings: UserDomain: - user-account:x_domain event-id: - - x-event:id + - x-ibm-event:code eventId: - - x-event:id + - x-ibm-event:code event_data.FileName: - file:name event_data.Image: @@ -264,6 +264,6 @@ fieldmappings: event_data.User: - user-account:user_id event_id: - - x-event:id + - x-ibm-event:code eventid: - - x-event:id \ No newline at end of file + - x-ibm-event:code \ No newline at end of file diff --git a/tools/config/stix.yml b/tools/config/stix.yml index 88b37fba..facba562 100644 --- a/tools/config/stix.yml +++ b/tools/config/stix.yml @@ -4,7 +4,7 @@ backends: order: 20 fieldmappings: action: - - x-event:action + - x-ibm-event:action User: - user-account:user_id c-ip: @@ -126,7 +126,7 @@ fieldmappings: - url:value - x-dns:query cs-host: - - x-host:name + - x-ibm-host:hostname - domain-name:value cs-cookie: - network-traffic:extensions.'http-request-ext'.request_header.Cookie @@ -137,11 +137,11 @@ fieldmappings: record_type: - x-dns:record_type operation: - - x-event:action + - x-ibm-event:action # Compliance mapping event.category: - - x-event:action + - x-ibm-event:category host.scan.vuln_name: - vulnerability:name host.scan.vuln: @@ -149,9 +149,9 @@ fieldmappings: # Cloud mapping eventSource: - - x-host:name + - x-ibm-host:hostname eventName: - - x-event:action + - x-ibm-event:action requestParameters.attribute: - x-cloud:request_parameters responseElements.publiclyAccessible: 
@@ -167,7 +167,7 @@ fieldmappings: userIdentity.type: - user-account:account_login eventType: - - x-event:action + - x-ibm-event:category userIdentity.arn: - user-account:account_login - user-account:display_name From 08c8db25e91c559c249a8660e7d73fc0c2051a3e Mon Sep 17 00:00:00 2001 From: Dennis Potashnik Date: Mon, 8 Feb 2021 10:56:31 +0200 Subject: [PATCH 2/7] New configuration layout: stix2.0 for basic stix mapings, stix-shifter to match the OCA stix-shifter mappings and stix-custom for the unsupported mappings --- tools/config/stix-custom.yml | 132 ++++++++++++++++ tools/config/stix-linux.yml | 36 ----- tools/config/stix-qradar.yml | 51 ------- tools/config/stix-shifter.yml | 115 ++++++++++++++ tools/config/stix.yml | 175 --------------------- tools/config/stix2.0.yml | 280 ++++++++++++++++++++++++++++++++++ tools/sigma/backends/stix.py | 5 +- 7 files changed, 530 insertions(+), 264 deletions(-) create mode 100644 tools/config/stix-custom.yml delete mode 100644 tools/config/stix-linux.yml delete mode 100644 tools/config/stix-qradar.yml create mode 100644 tools/config/stix-shifter.yml delete mode 100644 tools/config/stix.yml create mode 100644 tools/config/stix2.0.yml diff --git a/tools/config/stix-custom.yml b/tools/config/stix-custom.yml new file mode 100644 index 00000000..f5061596 --- /dev/null +++ b/tools/config/stix-custom.yml 
@@ -0,0 +1,132 @@ +title: Additional STIX mapping for future use +backends: + - stix +order: 10 +fieldmappings: + record_type: + - x-dns:record_type + requestParameters.attribute: + - x-cloud:request_parameters + responseElements.publiclyAccessible: + - x-cloud:publicly_accessible + errorMessage: + - x-error:message + errorCode: + - x-error:code + responseElements: + - x-cloud:response_elements + requestParameters.userData: + - x-cloud:request_parameters + AccessMask: + - x-windows:accessmask + Accesses: + - x-windows:accesses + CallTrace: + - x-windows:calltrace + DestinationIsIpv6: + - x-windows:destisipv6 + ErrorCode: + - x-error:code + ExtendedErrorCode: + - x-error:code + - x-error:id + GrantedAccess: + - x-windows:grantedaccess + GroupDomain: + - x-group:domain + GroupID: + - x-group:id + GroupName: + - x-group:name + GroupSecurityID: + - x-group:security_id + IMPHash: + - x-windows:imphash + Imphash: + - x-windows:imphash + ImageTempPath: + - process:binary_ref.x_temp_path + InitiatedConnection: + - x-windows:initiatedconnection + Initiated: + - x-windows:initiatedconnection + IntegrityLevel: + - x-windows:integritylevel + LogonType: + - x-windows:logontype + ObjectName: + - x-windows:objectname + ObjectType: + - x-windows:objecttype + PipeName: + - x-windows:pipename + QueryName: + - x-windows:queryname + QueryResults: + - x-windows:queryresults + QueryStatus: + - x-windows:querystatus + ShareName: + - x-windows:sharename + SharePath: + - x-windows:sharepath + Signature: + - x-windows:signature + SignatureStatus: + - x-windows:signaturestatus + Signed: + - x-windows:signed + SourceImage: + - x-windows:sourceimage + SourceImageTempPath: + - x-windows:sourceimagetemppath + SourceWorkstation: + - x-windows:sourceworkstation + StartAddress: + - x-windows:startaddress + StartFunction: + - x-windows:startfunction + StartModule: + - x-windows:startmodule + TargetAccountSecurityID: + - x-windows:targetaccountsecurityid + TargetComputerDomain: + - 
x-windows:targetcomputerdomain + TargetComputerName: + - x-windows:targetcomputername + TargetDetails: + - x-windows:targetdetails + TargetImage: + - x-windows:targetimage + TargetImageName: + - x-windows:targetimagename + TargetProcessGuid: + - x-windows:targetprocessguid + TargetProcessAddress: + - x-windows:startaddress + TargetUserDomain: + - x-windows:targetuserdomain + TargetUserName: + - x-windows:targetusername + TaskName: + - x-windows:taskname + TicketEncryptionType: + - x-windows:ticketencryptiontype + event_data.PipeName: + - x-windows:pipename + event_data.ServiceFileName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + event_data.ShareName: + - x-windows:sharename + event_data.Signature: + - x-windows:signature + event_data.SourceImage: + - x-windows:sourceimage + event_data.StartModule: + - x-windows:startmodule + event_data.TargetImage: + - x-windows:targetimage + key: + - x-sigma:keywords + sc-status: + - x-web:status_code diff --git a/tools/config/stix-linux.yml b/tools/config/stix-linux.yml deleted file mode 100644 index 0ab8f72b..00000000 --- a/tools/config/stix-linux.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: STIX for Linux Logs -backends: - - stix -order: 40 -logsources: - linux: - product: linux -fieldmappings: - type: - - x-ibm-event:action - keywords: - - artifact:payload_bin - a0: - - process:command_line - a1: - - process:command_line - name: - - file:name - a3: - - process:command_line - key: - - x-sigma:keywords - exe: - - file:name - a2: - - process:command_line - SYSCALL: - - x-ibm-event:action - pam_message: - - x-ibm-event:action - pam_user: - - user-account:user_id - pam_rhost: - - x-ibm-host:hostname - USER: - - user-account:user_id \ No newline at end of file diff --git a/tools/config/stix-qradar.yml b/tools/config/stix-qradar.yml deleted file mode 100644 index cd78c190..00000000 --- a/tools/config/stix-qradar.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -title: STIX for QRadar -backends: - - stix -order: 30 -fieldmappings: - categoryid: - - x-ibm-ariel:category_id - categoryname: - - x-ibm-ariel:category_name - credescription: - - x-ibm-finding:description - Description: - - x-ibm-finding:description - credibility: - - x-ibm-ariel:credibility - crename: - - x-ibm-finding:name - devicetype: - - x-ibm-ariel:device_type - Device: - - x-ibm-ariel:device_type - direction: - - x-ibm-ariel:direction - domainid: - - x-ibm-ariel:domain_id - geographic: - - x-ibm-ariel:geographic - high_level_category_id: - - x-ibm-ariel:high_level_category_id - high_level_category_name: - - x-ibm-ariel:high_level_category_name - identityhostname: - - x-ibm-ariel:identity_host_name - logsourceid: - - x-ibm-ariel:log_source_id - logsourcename: - - x-ibm-ariel:log_source_name - logsourcetypename: - - x-ibm-ariel:log_source_type_name - magnitude: - - x-ibm-ariel:magnitude - qid: - - x-ibm-ariel:qid - qidname: - - x-ibm-ariel:event_name - relevance: - - x-ibm-ariel:relevance - rulenames: - - x-ibm-ariel:rule_names[*] - severity: - - x-ibm-ariel:severity diff --git a/tools/config/stix-shifter.yml b/tools/config/stix-shifter.yml new file mode 100644 index 00000000..02f725a6 --- /dev/null +++ b/tools/config/stix-shifter.yml 
@@ -0,0 +1,115 @@ +title: Custom mappings for stix-shifter project +backends: + - stix +order: 30 +fieldmappings: + # x-oca-event SCO + action: + - x-oca-event:action + operation: + - x-oca-event:action + event.category: + - x-oca-event:category + eventName: + - x-oca-event:action + eventType: + - x-oca-event:category + Description: + - x-oca-event:action + - x-ibm-finding:description + Event-ID: + - x-oca-event:code + EventID: + - x-oca-event:code + Event_ID: + - x-oca-event:code + event-id: + - x-oca-event:code + eventId: + - x-oca-event:code + EventType: + - x-oca-event:action + Message: + - x-oca-event:original + Details: + - windows-registry-key:values[*].data + - x-oca-event:original + event_id: + - x-oca-event:code + eventid: + - x-oca-event:code + type: + - x-oca-event:action + pam_message: + - x-oca-event:action + + # x-oca-asset SCO + cs-host: + - x-oca-asset:hostname + - domain-name:value + eventSource: + - x-oca-asset:hostname + ComputerName: + - x-oca-asset:hostname + pam_rhost: + - x-oca-asset:hostname + + # DNS network extension + r-dns: + - domain-name:value + - url:value + - network-traffic:extensions.'dns-ext'.question.domain_ref + query: + - domain-name:value + - url:value + - network-traffic:extensions.'dns-ext'.question.domain_ref + + # x-ibm-finding object + credescription: + - x-ibm-finding:description + crename: + - x-ibm-finding:name + + # x-qradar custom object + categoryid: + - x-qradar:category_id + categoryname: + - x-qradar:category_name + credibility: + - x-qradar:credibility + Device: + - x-qradar:device_type + - file:name + devicetype: + - x-qradar:device_type + direction: + - x-qradar:direction + domainid: + - x-qradar:domain_id + geographic: + - x-qradar:geographic + high_level_category_id: + - x-qradar:high_level_category_id + high_level_category_name: + - x-qradar:high_level_category_name + identityhostname: + - x-qradar:identity_host_name + logsourceid: + - x-qradar:log_source_id + logsourcename: + - x-qradar:log_source_name + 
logsourcetypename: + - x-qradar:log_source_type_name + magnitude: + - x-qradar:magnitude + qid: + - x-qradar:qid + qidname: + - x-qradar:event_name + relevance: + - x-qradar:relevance + rulenames: + - x-qradar:rule_names[*] + severity: + - x-qradar:severity + diff --git a/tools/config/stix.yml b/tools/config/stix.yml deleted file mode 100644 index facba562..00000000 --- a/tools/config/stix.yml +++ /dev/null 
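Review bot: `Device` is mapped here to both `x-qradar:device_type` and `file:name`, and stix2.0.yml in the same commit maps `Device` to `file:name` again, so one Sigma field is owned by two of the three new config files. If sigmac applies the configs as a chain in `order`, the rewrite done by the lower-ordered file means the later definition is never reached, and a reader cannot tell which file is authoritative; keeping `file:name` only in stix2.0.yml and `- x-qradar:device_type` alone here would match the split the commit message describes. The same double-definition check is worth running over `Description`, which this file also maps to two unrelated objects (`x-oca-event:action` and `x-ibm-finding:description`).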
@@ -1,175 +0,0 @@ -title: Basic STIX -backends: - - stix -order: 20 -fieldmappings: - action: - - x-ibm-event:action - User: - - user-account:user_id - c-ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - cs-ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - destinationip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - destinationmac: - - mac-addr:value - - network-traffic:dst_ref.value - destinationport: - - network-traffic:dst_port - dst_port: - - network-traffic:dst_port - domainname: - - domain-name:value - dst: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - dst_ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - endtime: - - network-traffic:end - event_data.DestinationIp: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - DestinationIp: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - event_data.DestinationPort: - - network-traffic:dst_port - DestinationPort: - - network-traffic:dst_port - destination.port: - - network-traffic:dst_port - event_data.SubjectUserName: - - user-account:user_id - event_data.User: - - user-account:user_id - filehash: - - file:hashes.SHA-256 - - file:hashes.MD5 - - file:hashes.SHA-1 - filename: - - file:name - filepath: - - file:parent_directory_ref - - directory:path - identityip: - - ipv4-addr:value - protocolid: - - network-traffic:protocols[*] - sourceip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - sourcemac: - - mac-addr:value - - network-traffic:src_ref.value - sourceport: - - network-traffic:src_port - SourcePort: - - network-traffic:src_port - src: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - src_ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - starttime: - - network-traffic:start - url: - - url:value - user: - - user-account:user_id - 
username: - - user-account:user_id - utf8_payload: - - artifact:payload_bin - - # Web + Proxy mapping - c-uri: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - c-uri-query: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - c-uri-stem: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - keywords: - - artifact:payload_bin - cs-method: - - network-traffic:extensions.'http-request-ext'.request_method - sc-status: - - x-web:status_code - clientip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - c-useragent: - - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' - r-dns: - - domain-name:value - - url:value - - x-dns:query - cs-host: - - x-ibm-host:hostname - - domain-name:value - cs-cookie: - - network-traffic:extensions.'http-request-ext'.request_header.Cookie - query: - - domain-name:value - - url:value - - x-dns:query - record_type: - - x-dns:record_type - operation: - - x-ibm-event:action - - # Compliance mapping - event.category: - - x-ibm-event:category - host.scan.vuln_name: - - vulnerability:name - host.scan.vuln: - - vulnerability:external_references[*].external_id - - # Cloud mapping - eventSource: - - x-ibm-host:hostname - eventName: - - x-ibm-event:action - requestParameters.attribute: - - x-cloud:request_parameters - responseElements.publiclyAccessible: - - x-cloud:publicly_accessible - errorMessage: - - x-error:message - errorCode: - - x-error:code - responseElements: - - x-cloud:response_elements - requestParameters.userData: - - x-cloud:request_parameters - userIdentity.type: - - user-account:account_login - eventType: - - x-ibm-event:category - userIdentity.arn: - - user-account:account_login - - user-account:display_name - responseElements.pendingModifiedValues.masterUserPassword: - - user-account:credential 
diff --git a/tools/config/stix2.0.yml b/tools/config/stix2.0.yml new file mode 100644 index 00000000..e2f12419 --- /dev/null +++ b/tools/config/stix2.0.yml 
@@ -0,0 +1,280 @@ +title: Official STIX 2.0 +backends: + - stix +order: 100 +fieldmappings: + User: + - user-account:user_id + USER: + - user-account:user_id + user: + - user-account:user_id + event_data.SubjectUserName: + - user-account:user_id + - user-account:account_login + c-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + cs-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + destinationip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + destinationmac: + - mac-addr:value + - network-traffic:dst_ref.value + destinationport: + - network-traffic:dst_port + dst_port: + - network-traffic:dst_port + domainname: + - domain-name:value + dst: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + dst_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + endtime: + - network-traffic:end + event_data.DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + event_data.DestinationPort: + - network-traffic:dst_port + DestinationPort: + - network-traffic:dst_port + destination.port: + - network-traffic:dst_port + filehash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + filename: + - file:name + filepath: + - file:parent_directory_ref + - directory:path + identityip: + - ipv4-addr:value + protocolid: + - network-traffic:protocols[*] + sourceip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + sourcemac: + - mac-addr:value + - network-traffic:src_ref.value + sourceport: + - network-traffic:src_port + SourcePort: + - network-traffic:src_port + src: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + src_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + starttime: + - network-traffic:start + url: + - url:value + username: 
+ - user-account:user_id + utf8_payload: + - artifact:payload_bin + + # Web + Proxy mapping + c-uri: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + c-uri-query: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + c-uri-stem: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + keywords: + - artifact:payload_bin + cs-method: + - network-traffic:extensions.'http-request-ext'.request_method + clientip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + c-useragent: + - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' + r-dns: + - domain-name:value + - url:value + cs-host: + - domain-name:value + cs-cookie: + - network-traffic:extensions.'http-request-ext'.request_header.Cookie + query: + - domain-name:value + - url:value + + # Compliance mapping + host.scan.vuln_name: + - vulnerability:name + host.scan.vuln: + - vulnerability:external_references[*].external_id + + # Cloud mapping + userIdentity.type: + - user-account:account_login + userIdentity.arn: + - user-account:account_login + - user-account:display_name + responseElements.pendingModifiedValues.masterUserPassword: + - user-account:credential + AccountDomain: + - user-account:x_domain + AccountID: + - user-account:user_id + AccountName: + - user-account:account_login + - user-account:display_name + AccountSecurityID: + - user-account:x_security_id + ClientIP: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + DestinationHostname: + - network-traffic:dst_ref.value + Device: + - file:name + FileDirectory: + - directory:path + FileExtension: + - file:x_extension + FileHash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + FilePath: + - file:name + Filename: + - file:name + HomeDirectory: + - directory:path + Image: + - process:binary_ref.name + ImageLoadedTempPath: + - 
process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path + ImageName: + - process:binary_ref.name + ImagePath: + - binary_ref.parent_directory_ref.pat.name + InitiatorUserName: + - user-account:user_id + - user-account:account_login + LoadedImage: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + LoadedImageName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + MD5Hash: + - file:hashes.MD5 + NewName: + - windows-registry-key:key + ParentCommandLine: + - process:parent_ref.command_line + ParentImage: + - process:parent_ref.binary_ref.name + ParentImageName: + - process:parent_ref.binary_ref.name + ParentProcessGuid: + - process:parent_ref.x_guid + ParentProcessName: + - process:parent_ref.binary_ref.name + ParentProcessPath: + - process:parent_ref.binary_ref.name + ProcessCommandLine: + - process:command_line + Command: + - process:command_line + CommandLine: + - process:command_line + ProcessGuid: + - process:x_guid + ProcessId: + - process:pid + ProcessName: + - process:binary_ref.name + ProcessPath: + - process:binary_ref.parent_directory_ref.path + RegistryKey: + - windows-registry-key:key + RegistryValueData: + - windows-registry-key:values[*].data + RegistryValueName: + - windows-registry-key:values[*].name + SAMAccountName: + - user-account:account_login + - user-account:display_name + SHA1Hash: + - file:hashes.SHA-1 + SHA256Hash: + - file:hashes.SHA-256 + ServiceFileName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + ServiceName: + - process:extensions.'windows-service-ext'.service_name + Details: + - windows-registry-key:values[*].data + TargetFilename: + - file:name + TargetObject: + - windows-registry-key:key + UserDomain: + - user-account:x_domain + event_data.FileName: + - file:name + event_data.Image: + - process:binary_ref.name + event_data.ImageLoaded: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + ImageLoaded: + - 
process:extensions.'windows-service-ext'.service_dll_refs[*].name + event_data.ImagePath: + - process:binary_ref.parent_directory_ref.path + event_data.ParentCommandLine: + - process:parent_ref.command_line + event_data.ParentImage: + - process:parent_ref.binary_ref.name + event_data.ParentProcessName: + - process:parent_ref.binary_ref.name + event_data.TargetFilename: + - file:name + event_data.User: + - user-account:user_id + a0: + - process:command_line + a1: + - process:command_line + name: + - file:name + a3: + - process:command_line + exe: + - file:name + a2: + - process:command_line + pam_user: + - user-account:user_id diff --git a/tools/sigma/backends/stix.py b/tools/sigma/backends/stix.py index 03191d8b..c802180c 100644 --- a/tools/sigma/backends/stix.py +++ b/tools/sigma/backends/stix.py @@ -16,7 +16,7 @@ class STIXBackend(SingleTextQueryBackend): mapExpression = "%s = %s" notMapExpression = "%s != %s" mapListsSpecialHandling = True - sigmaSTIXObjectName = "x-sigma" + sort_condition_lists = True def cleanKey(self, key): if key is None: @@ -113,7 +113,8 @@ class STIXBackend(SingleTextQueryBackend): def generateMapItemNode(self, node, currently_within_NOT_node=False): key, value = node if ":" not in key: - key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower()) + # key wasn't mapped + return None if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): if type(value) == str and "*" in value: value = value.replace("*", "%") From 08ee6d7f1f716c129badd52c166bb4c89cbcbb8e Mon Sep 17 00:00:00 2001 From: Dennis Potashnik Date: Mon, 8 Feb 2021 11:44:00 +0200 Subject: [PATCH 3/7] deleted missed file --- tools/config/stix-windows.yml | 269 ---------------------------------- 1 file changed, 269 deletions(-) delete mode 100644 tools/config/stix-windows.yml 
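Review bot: The title `Official STIX 2.0` does not match the contents: `user-account:x_domain`, `user-account:x_security_id`, `file:x_extension`, `process:x_guid` and the `x_temp_path` targets are custom `x_`-prefixed properties rather than specification properties, so a consumer reading the title will assume every generated pattern is portable to any STIX 2.0 implementation. A header comment such as `# Standard STIX 2.0 SCO properties plus x_-prefixed custom properties; consumers must support the latter` (or moving those keys to stix-custom.yml) would make the boundary explicit. `ImagePath` is also the only target in the file without an `object:` prefix, which the stix.py hunk in this commit would treat as an unmapped key.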
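Review bot: Returning `None` for a key without a `:` silently drops that condition from the generated pattern, so a rule whose field has no mapping is emitted broader (an AND operand disappears) or narrower (an OR alternative disappears) than its author wrote it, with nothing in the output to show it; before this change the field at least surfaced as an `x-sigma:` object a reviewer could spot. Making the gap visible, e.g. `raise NotSupportedError("No STIX mapping for field '%s'" % key)` as other sigmac backends do for unsupported constructs, or at minimum a `warnings.warn(...)` before the `return None`, keeps unmapped fields from turning into quietly weakened detections. The comment `# key wasn't mapped` should also state the consequence, e.g. `# unmapped field: dropping this condition changes the rule's semantics`. The enclosing `generateMapItemNode` body continues outside the hunk.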
diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml deleted file mode 100644 index c14001f3..00000000 --- a/tools/config/stix-windows.yml +++ /dev/null 
@@ -1,269 +0,0 @@ -title: STIX for Windows Logs -backends: - - stix -order: 40 -logsources: - windows: - product: windows -fieldmappings: - AccessMask: - - x-windows:accessmask - Accesses: - - x-windows:accesses - AccountDomain: - - user-account:x_domain - AccountID: - - user-account:user_id - AccountName: - - user-account:account_login - - user-account:display_name - AccountSecurityID: - - user-account:x_security_id - CallTrace: - - x-windows:calltrace - ClientIP: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - ComputerName: - - x-ibm-host:hostname - Description: - - x-ibm-event:action - DestinationIsIpv6: - - x-windows:destisipv6 - DestinationHostname: - - network-traffic:dst_ref.value - Device: - - file:name - ErrorCode: - - x-error:code - Event-ID: - - x-ibm-event:id - - x-ibm-event:code - EventID: - - x-ibm-event:id - - x-ibm-event:code - Event_ID: - - x-ibm-event:id - - x-ibm-event:code - EventType: - - x-ibm-event:action - ExtendedErrorCode: - - x-error:code - - x-error:id - FileDirectory: - - directory:path - FileExtension: - - file:x_extension - FileHash: - - file:hashes.SHA-256 - - file:hashes.MD5 - - file:hashes.SHA-1 - FilePath: - - file:name - Filename: - - file:name - GrantedAccess: - - x-windows:grantedaccess - GroupDomain: - - x-group:domain - GroupID: - - x-group:id - GroupName: - - x-group:name - GroupSecurityID: - - x-group:security_id - HomeDirectory: - - directory:path - IMPHash: - - x-windows:imphash - Imphash: - - x-windows:imphash - Image: - - process:image_ref.name - ImageLoadedTempPath: - - process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path - ImageName: - - process:image_ref.name - ImagePath: - - process:image_ref.name - ImageTempPath: - - process:image_ref.x_temp_path - InitiatedConnection: - - x-windows:initiatedconnection - Initiated: - - x-windows:initiatedconnection - InitiatorUserName: - - user-account:user_id - - user-account:account_login - IntegrityLevel: - - 
x-windows:integritylevel - LoadedImage: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - LoadedImageName: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - LogonType: - - x-windows:logontype - MD5Hash: - - file:hashes.MD5 - Message: - - x-ibm-event:original - NewName: - - windows-registry-key:key - ObjectName: - - x-windows:objectname - ObjectType: - - x-windows:objecttype - ParentCommandLine: - - process:parent_ref.command_line - ParentImage: - - process:parent_ref.image_ref.name - ParentImageName: - - process:parent_ref.image_ref.name - ParentProcessGuid: - - process:parent_ref.x_guid - ParentProcessName: - - process:parent_ref.image_ref.name - ParentProcessPath: - - process:parent_ref.image_ref.name - PipeName: - - x-windows:pipename - ProcessCommandLine: - - process:command_line - Command: - - process:command_line - CommandLine: - - process:command_line - ProcessGuid: - - process:x_guid - ProcessId: - - process:pid - ProcessName: - - process:image_ref.name - ProcessPath: - - process:image_ref.name - QueryName: - - x-windows:queryname - QueryResults: - - x-windows:queryresults - QueryStatus: - - x-windows:querystatus - RegistryKey: - - windows-registry-key:key - RegistryValueData: - - windows-registry-key:values[*].data - RegistryValueName: - - windows-registry-key:values[*].name - SAMAccountName: - - user-account:account_login - - user-account:display_name - SHA1Hash: - - file:hashes.SHA-1 - SHA256Hash: - - file:hashes.SHA-256 - ServiceFileName: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - ServiceName: - - process:extensions.'windows-service-ext'.service_name - ShareName: - - x-windows:sharename - SharePath: - - x-windows:sharepath - Signature: - - x-windows:signature - SignatureStatus: - - x-windows:signaturestatus - Signed: - - x-windows:signed - SourceImage: - - x-windows:sourceimage - SourceImageTempPath: - - x-windows:sourceimagetemppath - SourceWorkstation: - - 
x-windows:sourceworkstation - StartAddress: - - x-windows:startaddress - StartFunction: - - x-windows:startfunction - StartModule: - - x-windows:startmodule - TargetAccountSecurityID: - - x-windows:targetaccountsecurityid - TargetComputerDomain: - - x-windows:targetcomputerdomain - TargetComputerName: - - x-windows:targetcomputername - TargetDetails: - - x-windows:targetdetails - Details: - - windows-registry-key:values[*].data - - x-ibm-event:original - TargetFilename: - - file:name - TargetImage: - - x-windows:targetimage - TargetImageName: - - x-windows:targetimagename - TargetObject: - - windows-registry-key:key - TargetProcessGuid: - - x-windows:targetprocessguid - TargetProcessAddress: - - x-windows:startaddress - TargetUserDomain: - - x-windows:targetuserdomain - TargetUserName: - - x-windows:targetusername - TaskName: - - x-windows:taskname - TicketEncryptionType: - - x-windows:ticketencryptiontype - User: - - user-account:user_id - UserDomain: - - user-account:x_domain - event-id: - - x-ibm-event:code - eventId: - - x-ibm-event:code - event_data.FileName: - - file:name - event_data.Image: - - process:image_ref.name - event_data.ImageLoaded: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - ImageLoaded: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - event_data.ImagePath: - - process:image_ref.name - event_data.ParentCommandLine: - - process:parent_ref.command_line - event_data.ParentImage: - - process:parent_ref.image_ref.name - event_data.ParentProcessName: - - process:parent_ref.image_ref.name - event_data.PipeName: - - x-windows:pipename - event_data.ServiceFileName: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - event_data.ShareName: - - x-windows:sharename - event_data.Signature: - - x-windows:signature - event_data.SourceImage: - - x-windows:sourceimage - event_data.StartModule: - - x-windows:startmodule - event_data.SubjectUserName: - - user-account:user_id - - 
user-account:account_login - event_data.TargetFilename: - - file:name - event_data.TargetImage: - - x-windows:targetimage - event_data.User: - - user-account:user_id - event_id: - - x-ibm-event:code - eventid: - - x-ibm-event:code \ No newline at end of file From 5143cbeaa71022b600417124d77b62da4cf1a5cb Mon Sep 17 00:00:00 2001 From: Dennis Potashnik Date: Mon, 8 Feb 2021 12:23:57 +0200 Subject: [PATCH 4/7] Fixed sigmac stix test invocation --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index deeb2c73..a7480919 100644 --- a/Makefile +++ b/Makefile @@ -57,7 +57,7 @@ test-sigmac: $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null - $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null + $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix-custom.yml -c tools/config/stix-shifter.yml -c tools/config/stix2.0.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null From 563fd3c7e24ff7222527f9e345242610eb519eab Mon Sep 17 00:00:00 2001 
From: Dennis Potashnik Date: Mon, 8 Feb 2021 17:55:03 +0200 Subject: [PATCH 5/7] Fixed error mapping for stix-shifter configuration --- tools/config/stix-shifter.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/config/stix-shifter.yml b/tools/config/stix-shifter.yml index 02f725a6..0ad48d7f 100644 --- a/tools/config/stix-shifter.yml +++ b/tools/config/stix-shifter.yml @@ -69,6 +69,8 @@ fieldmappings: - x-ibm-finding:description crename: - x-ibm-finding:name + rulenames: + - x-ibm-finding:rule_names[*] # x-qradar custom object categoryid: @@ -108,8 +110,6 @@ fieldmappings: - x-qradar:event_name relevance: - x-qradar:relevance - rulenames: - - x-qradar:rule_names[*] severity: - x-qradar:severity From e12d710ab4e2a9e235fde2d60164b6bb4aeced75 Mon Sep 17 00:00:00 2001 From: Dennis Potashnik Date: Tue, 2 Mar 2021 11:51:46 +0200 Subject: [PATCH 6/7] Fixed config typo --- tools/config/stix2.0.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/stix2.0.yml b/tools/config/stix2.0.yml index e2f12419..bdcecf31 100644 --- a/tools/config/stix2.0.yml +++ b/tools/config/stix2.0.yml @@ -181,7 +181,7 @@ fieldmappings: ImageName: - process:binary_ref.name ImagePath: - - binary_ref.parent_directory_ref.pat.name + - binary_ref.parent_directory_ref.path.name InitiatorUserName: - user-account:user_id - user-account:account_login From 12cc2cade10256f744b66ce7afda26f9e07ba571 Mon Sep 17 00:00:00 2001 From: Dennis Potashnik Date: Tue, 2 Mar 2021 12:04:22 +0200 Subject: [PATCH 7/7] Moved references to binary file from custom config to stix-2.0 config --- tools/config/stix-custom.yml | 4 ---- tools/config/stix2.0.yml | 6 +++++- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/config/stix-custom.yml b/tools/config/stix-custom.yml index f5061596..c65d8907 100644 --- a/tools/config/stix-custom.yml +++ b/tools/config/stix-custom.yml 
@@ -76,8 +76,6 @@ fieldmappings: - x-windows:signaturestatus Signed: - x-windows:signed - SourceImage: - - x-windows:sourceimage SourceImageTempPath: - x-windows:sourceimagetemppath SourceWorkstation: @@ -96,8 +94,6 @@ fieldmappings: - x-windows:targetcomputername TargetDetails: - x-windows:targetdetails - TargetImage: - - x-windows:targetimage TargetImageName: - x-windows:targetimagename TargetProcessGuid: diff --git a/tools/config/stix2.0.yml b/tools/config/stix2.0.yml index bdcecf31..afe29114 100644 --- a/tools/config/stix2.0.yml +++ b/tools/config/stix2.0.yml @@ -181,7 +181,9 @@ fieldmappings: ImageName: - process:binary_ref.name ImagePath: - - binary_ref.parent_directory_ref.path.name + - process:binary_ref.parent_directory_ref.path.name + SourceImage: + - process:binary_ref.name InitiatorUserName: - user-account:user_id - user-account:account_login @@ -240,6 +242,8 @@ fieldmappings: - windows-registry-key:values[*].data TargetFilename: - file:name + TargetImage: + - process:binary_ref.name TargetObject: - windows-registry-key:key UserDomain:
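Review bot: `ImagePath` now points at `process:binary_ref.parent_directory_ref.path.name`, but `parent_directory_ref` resolves to a `directory` object whose `path` is a string, so `.path.name` has no property to match; `ProcessPath` in the same file uses `process:binary_ref.parent_directory_ref.path`, and `ImagePath` should use the same target. Separately, `SourceImage` and `TargetImage` are both mapped to `process:binary_ref.name`, so the generated pattern no longer records which process is the source and which the target, and a rule that constrains both fields loses the relationship that made it specific. If the target process cannot be expressed in this layout, leaving `TargetImage` under its custom `x-windows` property in stix-custom.yml (which this commit removes) is safer than folding it into the source process object.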