From d2592ee0b60b0428ed12c191793896bf19db1a01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Lipt=C3=A1k?=
Date: Mon, 26 Jul 2021 16:26:03 -0400
Subject: [PATCH] Add yamllint to GHA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Gábor Lipták
---
 .github/workflows/sigma-test.yml | 10 +-
 Makefile | 4 +-
 ...d_cmd_and_powershell_spawned_processes.yml | 2 +-
 ...stall_elevated_parent_child_correlated.yml | 2 +-
 ..._party_drivers_exploits_token_stealing.yml | 2 +-
 ...ivilege_escalation_using_rotten_potato.yml | 2 +-
 .../{invalid_yaml.yml => invalid_yaml.badyml} | 0
 tools/config/arcsight-zeek.yml | 4 +-
 tools/config/ecs-auditd.yml | 5 +-
 tools/config/ecs-filebeat.yml | 2 +-
 tools/config/logrhythm_winevent.yml | 140 +++++++++--------
 tools/config/winlogbeat-modules-enabled.yml | 3 +-
 tools/config/winlogbeat.yml | 5 +-
 13 files changed, 91 insertions(+), 90 deletions(-)
 rename tests/{invalid_yaml.yml => invalid_yaml.badyml} (100%)

diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index d94d319d..2d1f625b 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -8,7 +8,9 @@ on:
 branches:
 - "*"
 pull_request:
- branches: [ master, oscd ]
+ branches:
+ - master
+ - oscd
 
 jobs:
 test-sigma:
@@ -31,3 +33,9 @@ jobs:
 - name: Test SQL(ite) Backend
 run: |
 pipenv run make test-backend-sql
+ yamllint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: yaml-lint
+ uses: ibiqlik/action-yamllint@v3
diff --git a/Makefile b/Makefile
index 96870aec..ea442b75 100644
--- a/Makefile
+++ b/Makefile
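Review bot: The new `yamllint` job in the `@@ -31,3 +33,9 @@` hunk pulls two third-party actions by floating tag (`actions/checkout@v2`, `ibiqlik/action-yamllint@v3`), so whoever can move those tags decides what runs in this workflow; for a lint step that needs nothing beyond a checkout, pin each `uses:` to a full commit SHA with the tag kept as a comment, e.g. `uses: ibiqlik/action-yamllint@<full-commit-sha>  # v3`, and add `permissions:` / `  contents: read` at the job level so the default token is read-only. The job also runs yamllint with whatever defaults the action ships, and nothing on the page shows a checked-in yamllint configuration; the other hunks in this commit (identical duplicate keys, trailing whitespace, `definition :` spacing) fit a default-rules run, but recording the rule set in the repository would make what CI enforces reviewable rather than inherited from the action version. Both hunks of this file are complete within the page; the first only reshapes `branches:` from flow to block style.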
@@ -104,7 +104,7 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
@@ -113,7 +113,7 @@ test-sigmac:
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 
 test-merge:
diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
index ade22426..931cae2c 100644
--- a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: process_creation
- definition : Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
+ definition: Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
 detection:
 parent_image:
 ParentImage|endswith:
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
index bcd2772a..07ca9c1a 100644
--- a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
@@ -35,7 +35,7 @@ fields:
 - IntegrityLevel
 - User
 - Image
- ParentProcessGuid
+ - ParentProcessGuid
 falsepositives:
 - System administrator usage
 - Penetration test
diff --git a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
index da3c9882..cd2ce7d8 100644
--- a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@@ -12,7 +12,7 @@ date: 2019/06/03
 logsource:
 category: process_creation
 product: windows
- definition : Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
+ definition: Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
 detection:
 selection:
 ParentIntegrityLevel: Medium
diff --git a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
index 45351522..94c1560f 100644
--- a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
+++ b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
@@ -15,7 +15,7 @@ modified: 2020/09/01
 logsource:
 category: process_creation
 product: windows
- definition : Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section
+ definition: Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section
 detection:
 selection:
 ParentUser:
diff --git a/tests/invalid_yaml.yml b/tests/invalid_yaml.badyml
similarity index 100%
rename from tests/invalid_yaml.yml
rename to tests/invalid_yaml.badyml
diff --git a/tools/config/arcsight-zeek.yml b/tools/config/arcsight-zeek.yml
index f9544552..a9272cc2 100644
--- a/tools/config/arcsight-zeek.yml
+++ b/tools/config/arcsight-zeek.yml
@@ -458,7 +458,7 @@ fieldmappings:
 #service=http:
 #service=sip:
 msg:
- - 'message'
+ - 'message'
 #service=notice:
 #service=pop3:
 name:
@@ -832,7 +832,7 @@ fieldmappings:
 #password:
 pending: message
 #status: message
- successful_commands: message
+ successful_commands: message
 #username: sourceUserName
 # Radius
 connect_info: message
diff --git a/tools/config/ecs-auditd.yml b/tools/config/ecs-auditd.yml
index 43e84fcc..c5c9a0cc 100644
--- a/tools/config/ecs-auditd.yml
+++ b/tools/config/ecs-auditd.yml
@@ -1,4 +1,4 @@
-title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
+title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
 order: 20
 backends:
 - es-qs
@@ -70,7 +70,6 @@ fieldmappings:
 data: data
 default-context: default-context
 dev: dev
- dev: dev
 device: device
 dir: dir
 direction: direction
@@ -92,7 +91,6 @@ fieldmappings:
 feature: feature
 fi: fi
 fp: fp
- fp: fp
 format: format
 fsgid: fsgid
 fsuid: fsuid
@@ -169,7 +167,6 @@ fieldmappings:
 ogid: ogid
 ocomm: ocomm
 old: old
- old: old
 old-auid: old-auid
 old-chardev: old-chardev
 old-disk: old-disk
diff --git a/tools/config/ecs-filebeat.yml b/tools/config/ecs-filebeat.yml
index 8c95dac0..dd85cc7a 100644
--- a/tools/config/ecs-filebeat.yml
+++ b/tools/config/ecs-filebeat.yml
@@ -1,4 +1,4 @@
-title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema
+title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema
 order: 20
 backends:
 - es-qs
diff --git a/tools/config/logrhythm_winevent.yml b/tools/config/logrhythm_winevent.yml
index 84b6bee4..9ca034ab 100644
--- a/tools/config/logrhythm_winevent.yml
+++ b/tools/config/logrhythm_winevent.yml
@@ -1,71 +1,71 @@
----
-title: LogRhythm Windows EventID Field Mapping
-
-order: 20
-backends:
- - es-qs-lr
-
-logsources:
- eventlogs:
- product: windows
- conditions:
- logSourceTypeName: 'MS Windows Event Logging XML - Security'
-
-fieldmappings:
- EventID: vendorMessageID
- TicketOptions: object
- TicketEncryptionType: sessionType
- ServiceName: processName
- TargetUserName:
- - originUser
- - impactedUser
- Workstation: originHostname
- SubjectUserName: originUser
- LogonType: command
- LogonProcessName: processName
- WorkstationName:
- - originHostname
- - impactedHostname
- SubjectLogonId: session
- SubStatus: status
- IpPort: originPort
- IpAddress:
- - originIp
- - impactedIp
- ErrorCode: responseCode
- Task: vendorInfo
- PrivilegeList: subject
- SamAccountName: impactedUser
- PrimaryGroupId: group
- StatusCode: responseCode
- Level: severity
- SubjectDomainName: domainOrigin
- DSName: domainImpacted
- ObjectDN: objectName
- ObjectGUID: object
- ObjectClass: objectType
- OperationType: action
- Computer: impactedHostname
- CategoryId: policy
- SubcategoryId: objectName
- SubCategoryGuid: object
- AuditPolicyChanges: action
- ObjectCollectionName: objectType
- CountOfCredentialsReturned: quantity
- AlgorithmName: policy
- KeyName: objectName
- KeyType: objectType
- KeyFilePath: object
- Operation: action
- ReturnCode: responseCode
- ChannelType: objectType
- DomainName: domainImpacted
- ExecutionProcessId: processId
- processName: process
- ProviderName: vendorInfo
- SChannelName: objectName
- SecureChannelName: objectName
- ThreadId: session
- UserName:
- - originUser
+---
+title: LogRhythm Windows EventID Field Mapping
+
+order: 20
+backends:
+ - es-qs-lr
+
+logsources:
+ eventlogs:
+ product: windows
+ conditions:
+ logSourceTypeName: 'MS Windows Event Logging XML - Security'
+
+fieldmappings:
+ EventID: vendorMessageID
+ TicketOptions: object
+ TicketEncryptionType: sessionType
+ ServiceName: processName
+ TargetUserName:
+ - originUser
+ - impactedUser
+ Workstation: originHostname
+ SubjectUserName: originUser
+ LogonType: command
+ LogonProcessName: processName
+ WorkstationName:
+ - originHostname
+ - impactedHostname
+ SubjectLogonId: session
+ SubStatus: status
+ IpPort: originPort
+ IpAddress:
+ - originIp
+ - impactedIp
+ ErrorCode: responseCode
+ Task: vendorInfo
+ PrivilegeList: subject
+ SamAccountName: impactedUser
+ PrimaryGroupId: group
+ StatusCode: responseCode
+ Level: severity
+ SubjectDomainName: domainOrigin
+ DSName: domainImpacted
+ ObjectDN: objectName
+ ObjectGUID: object
+ ObjectClass: objectType
+ OperationType: action
+ Computer: impactedHostname
+ CategoryId: policy
+ SubcategoryId: objectName
+ SubCategoryGuid: object
+ AuditPolicyChanges: action
+ ObjectCollectionName: objectType
+ CountOfCredentialsReturned: quantity
+ AlgorithmName: policy
+ KeyName: objectName
+ KeyType: objectType
+ KeyFilePath: object
+ Operation: action
+ ReturnCode: responseCode
+ ChannelType: objectType
+ DomainName: domainImpacted
+ ExecutionProcessId: processId
+ processName: process
+ ProviderName: vendorInfo
+ SChannelName: objectName
+ SecureChannelName: objectName
+ ThreadId: session
+ UserName:
+ - originUser
 - impactedUser
\ No newline at end of file
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 5cfb81d3..eb3bf37c 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -225,7 +225,6 @@ fieldmappings:
 Accesses: winlog.event_data.Accesses
 AccessList: winlog.event_data.AccessList
 AttributeValue: winlog.event_data.AttributeValue
- AttributeValue: winlog.event_data.AttributeValue
 AuditSourceName: winlog.event_data.AuditSourceName
 AuthenticationPackage: winlog.event_data.AuthenticationPackageName
 CallerProcessName: winlog.event_data.CallerProcessName
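Review bot: The rewritten `logrhythm_winevent.yml` still ends without a trailing newline — the single context line of the `@@ -1,71 +1,71 @@` hunk, ` - impactedUser`, carries `\ No newline at end of file` — so yamllint's default `new-line-at-end-of-file` rule will report this file and the lint job added in the same commit is likely to fail on it unless that rule is relaxed. Every replaced line in the hunk is textually identical to the line it replaces, which suggests a line-ending or trailing-whitespace normalization rather than a content change; if that is what happened, adding the final newline here would finish the normalization in one commit instead of leaving a known lint failure behind. The hunk covers the whole file.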
@@ -279,4 +278,4 @@ fieldmappings:
 TaskName: winlog.event_data.TaskName
 # UserName => smbclient-security eventid:31017
 UserName: winlog.event_data.UserName
- Workstation : winlog.event_data.Workstation
+ Workstation: winlog.event_data.Workstation
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 97b5fa80..87ffb4ac 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -203,8 +203,6 @@ fieldmappings:
 ContextInfo: winlog.event_data.ContextInfo
 # from here missing field at 20210706
 Accesses: winlog.event_data.Accesses
- AccessList: winlog.event_data.AccessList
- AttributeValue: winlog.event_data.AttributeValue
 AttributeValue: winlog.event_data.AttributeValue
 AuditSourceName: winlog.event_data.AuditSourceName
 AuthenticationPackage: winlog.event_data.AuthenticationPackageName
@@ -214,7 +212,6 @@ fieldmappings:
 Company: winlog.event_data.Company
 DestAddress: winlog.event_data.DestAddress
 Destination: winlog.event_data.Destination
- DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
 DestPort: winlog.event_data.DestPort
 Device: winlog.event_data.Device
 DeviceDescription: winlog.event_data.DeviceDescription
@@ -258,4 +255,4 @@ fieldmappings:
 TaskName: winlog.event_data.TaskName
 # UserName => smbclient-security eventid:31017
 UserName: winlog.event_data.UserName
- Workstation : winlog.event_data.Workstation
+ Workstation: winlog.event_data.Workstation
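Review bot: In `winlogbeat.yml`, the `@@ -203,8 +203,6 @@` hunk drops `AccessList: winlog.event_data.AccessList` together with the repeated `AttributeValue`, and `@@ -214,7 +212,6 @@` drops `DestinationIsIpv6: winlog.event_data.DestinationIsIpv6`; neither of those two keys appears a second time within its hunk, while the matching `winlogbeat-modules-enabled.yml` hunk keeps `AccessList` and removes only the duplicated `AttributeValue`. If this file has no earlier `AccessList` or `DestinationIsIpv6` entry under `fieldmappings`, rules that reference those fields lose their mapping with no lint or parse error to show for it, since the only symptom of a duplicate key in most parsers is last-value-wins. Please confirm both keys are defined earlier in the mapping or restore the two lines; the `fieldmappings` block begins well before these hunks.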