PR Review: Minor fixes

Sven Scharmentke 2020-10-21 08:54:50 +02:00
parent 03ad9e22e1
commit ca852eca0e


@ -10,7 +10,7 @@ from ..parser.modifiers.base import SigmaTypeModifier
def convert_sigma_level_to_uberagent_risk_score(level): def convert_sigma_level_to_uberagent_risk_score(level):
"""Converts the given sigma rule level to uberAgent ESA RiskScore property.""" """Converts the given Sigma rule level to uberAgent ESA RiskScore property."""
levels = { levels = {
"critical": 100, "critical": 100,
"high": 75, "high": 75,
@ -25,7 +25,7 @@ def convert_sigma_level_to_uberagent_risk_score(level):
def convert_sigma_name_to_uberagent_tag(name): def convert_sigma_name_to_uberagent_tag(name):
"""Converts the given sigma rule name to uberAgent ESA Tag property.""" """Converts the given Sigma rule name to uberAgent ESA Tag property."""
tag = name.lower().replace(" ", "-") tag = name.lower().replace(" ", "-")
tag = re.sub(r"-{2,}", "-", tag, 0, re.IGNORECASE) tag = re.sub(r"-{2,}", "-", tag, 0, re.IGNORECASE)
return tag return tag
@ -99,7 +99,7 @@ class ActivityMonitoringRule:
self.risk_score = risk_score self.risk_score = risk_score
def set_sigma_level(self, level): def set_sigma_level(self, level):
"""Sets the sigma rule level.""" """Sets the Sigma rule level."""
self.sigma_level = level self.sigma_level = level
def set_description(self, description): def set_description(self, description):
@ -215,36 +215,36 @@ class uberAgentBackend(SingleTextQueryBackend):
# uberAgent field mapping # uberAgent field mapping
# #
fieldMapping = { fieldMapping = {
'commandline': 'Process.CommandLine', "commandline": "Process.CommandLine",
'image': 'Process.Path', "image": "Process.Path",
'originalfilename': 'Process.Name', "originalfilename": "Process.Name",
'imageloaded': 'Image.Name', "imageloaded": "Image.Name",
'imagepath': 'Image.Path', "imagepath": "Image.Path",
'parentcommandline': 'Parent.CommandLine', "parentcommandline": "Parent.CommandLine",
'parentprocessname': 'Parent.Name', "parentprocessname": "Parent.Name",
'parentimage': 'Parent.Path', "parentimage": "Parent.Path",
'path': 'Process.Path', "path": "Process.Path",
'processcommandline': 'Process.CommandLine', "processcommandline": "Process.CommandLine",
'command': 'Process.CommandLine', "command": "Process.CommandLine",
'processname': 'Process.Name', "processname": "Process.Name",
'user': 'Process.User', "user": "Process.User",
'username': 'Process.User' "username": "Process.User"
} }
# We ignore some fields that we don't support yet but we don't want them to # We ignore some fields that we don't support yet but we don't want them to
# throw errors in the console since we are aware of this. # throw errors in the console since we are aware of this.
ignoreFieldList = [ ignoreFieldList = [
'description', "description",
'product', "product",
'logonid', "logonid",
'integritylevel', "integritylevel",
'currentdirectory', "currentdirectory",
'company', "company",
'parentintegritylevel', "parentintegritylevel",
'sha1', "sha1",
'eventid', "eventid",
'parentuser', "parentuser",
'imphash' "imphash"
] ]
rules = [] rules = []
@ -263,13 +263,13 @@ class uberAgentBackend(SingleTextQueryBackend):
def generate(self, sigmaparser): def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
product, category, service, title, level, condition, description = get_parser_properties(sigmaparser) product, category, service, title, level, condition, description = get_parser_properties(sigmaparser)
if product not in ['windows']: if product not in ["windows"]:
return "" return ""
# Do not generate a rule if the given category is unsupported by now. # Do not generate a rule if the given category is unsupported by now.
if not is_sigma_category_supported(category): if not is_sigma_category_supported(category):
return "" return ""
if category not in ['process_creation']: if category not in ["process_creation"]:
return "" return ""
try: try:
@ -299,7 +299,7 @@ class uberAgentBackend(SingleTextQueryBackend):
try: try:
serialized_rule = str(rule) serialized_rule = str(rule)
if rule.sigma_level == level: if rule.sigma_level == level:
file.write(serialized_rule + '\n') file.write(serialized_rule + "\n")
count = count + 1 count = count + 1
except MalformedRuleException: except MalformedRuleException:
continue continue