mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
285 lines
6.8 KiB
YAML
285 lines
6.8 KiB
YAML
title: Official STIX 2.0
|
|
backends:
|
|
- stix
|
|
order: 100
|
|
fieldmappings:
|
|
User:
|
|
- user-account:user_id
|
|
USER:
|
|
- user-account:user_id
|
|
user:
|
|
- user-account:user_id
|
|
event_data.SubjectUserName:
|
|
- user-account:user_id
|
|
- user-account:account_login
|
|
c-ip:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:src_ref.value
|
|
cs-ip:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:src_ref.value
|
|
destinationip:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:dst_ref.value
|
|
destinationmac:
|
|
- mac-addr:value
|
|
- network-traffic:dst_ref.value
|
|
destinationport:
|
|
- network-traffic:dst_port
|
|
dst_port:
|
|
- network-traffic:dst_port
|
|
domainname:
|
|
- domain-name:value
|
|
dst:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:dst_ref.value
|
|
dst_ip:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:dst_ref.value
|
|
endtime:
|
|
- network-traffic:end
|
|
event_data.DestinationIp:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:dst_ref.value
|
|
DestinationIp:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:dst_ref.value
|
|
event_data.DestinationPort:
|
|
- network-traffic:dst_port
|
|
DestinationPort:
|
|
- network-traffic:dst_port
|
|
destination.port:
|
|
- network-traffic:dst_port
|
|
filehash:
|
|
- file:hashes.SHA-256
|
|
- file:hashes.MD5
|
|
- file:hashes.SHA-1
|
|
filename:
|
|
- file:name
|
|
filepath:
|
|
- file:parent_directory_ref
|
|
- directory:path
|
|
identityip:
|
|
- ipv4-addr:value
|
|
protocolid:
|
|
- network-traffic:protocols[*]
|
|
sourceip:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:src_ref.value
|
|
sourcemac:
|
|
- mac-addr:value
|
|
- network-traffic:src_ref.value
|
|
sourceport:
|
|
- network-traffic:src_port
|
|
SourcePort:
|
|
- network-traffic:src_port
|
|
src:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:src_ref.value
|
|
src_ip:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:src_ref.value
|
|
starttime:
|
|
- network-traffic:start
|
|
url:
|
|
- url:value
|
|
username:
|
|
- user-account:user_id
|
|
utf8_payload:
|
|
- artifact:payload_bin
|
|
|
|
# Web + Proxy mapping
|
|
c-uri:
|
|
- network-traffic:extensions.'http-request-ext'.request_value
|
|
- url:value
|
|
c-uri-query:
|
|
- network-traffic:extensions.'http-request-ext'.request_value
|
|
- url:value
|
|
c-uri-stem:
|
|
- network-traffic:extensions.'http-request-ext'.request_value
|
|
- url:value
|
|
keywords:
|
|
- artifact:payload_bin
|
|
cs-method:
|
|
- network-traffic:extensions.'http-request-ext'.request_method
|
|
clientip:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:src_ref.value
|
|
c-useragent:
|
|
- network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'
|
|
r-dns:
|
|
- domain-name:value
|
|
- url:value
|
|
cs-host:
|
|
- domain-name:value
|
|
cs-cookie:
|
|
- network-traffic:extensions.'http-request-ext'.request_header.Cookie
|
|
query:
|
|
- domain-name:value
|
|
- url:value
|
|
|
|
# Compliance mapping
|
|
host.scan.vuln_name:
|
|
- vulnerability:name
|
|
host.scan.vuln:
|
|
- vulnerability:external_references[*].external_id
|
|
|
|
# Cloud mapping
|
|
userIdentity.type:
|
|
- user-account:account_login
|
|
userIdentity.arn:
|
|
- user-account:account_login
|
|
- user-account:display_name
|
|
responseElements.pendingModifiedValues.masterUserPassword:
|
|
- user-account:credential
|
|
AccountDomain:
|
|
- user-account:x_domain
|
|
AccountID:
|
|
- user-account:user_id
|
|
AccountName:
|
|
- user-account:account_login
|
|
- user-account:display_name
|
|
AccountSecurityID:
|
|
- user-account:x_security_id
|
|
ClientIP:
|
|
- ipv4-addr:value
|
|
- ipv6-addr:value
|
|
- network-traffic:src_ref.value
|
|
DestinationHostname:
|
|
- network-traffic:dst_ref.value
|
|
Device:
|
|
- file:name
|
|
FileDirectory:
|
|
- directory:path
|
|
FileExtension:
|
|
- file:x_extension
|
|
FileHash:
|
|
- file:hashes.SHA-256
|
|
- file:hashes.MD5
|
|
- file:hashes.SHA-1
|
|
FilePath:
|
|
- file:name
|
|
Filename:
|
|
- file:name
|
|
HomeDirectory:
|
|
- directory:path
|
|
Image:
|
|
- process:binary_ref.name
|
|
ImageLoadedTempPath:
|
|
- process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path
|
|
ImageName:
|
|
- process:binary_ref.name
|
|
ImagePath:
|
|
- process:binary_ref.parent_directory_ref.path.name
|
|
SourceImage:
|
|
- process:binary_ref.name
|
|
InitiatorUserName:
|
|
- user-account:user_id
|
|
- user-account:account_login
|
|
LoadedImage:
|
|
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
|
|
LoadedImageName:
|
|
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
|
|
MD5Hash:
|
|
- file:hashes.MD5
|
|
NewName:
|
|
- windows-registry-key:key
|
|
ParentCommandLine:
|
|
- process:parent_ref.command_line
|
|
ParentImage:
|
|
- process:parent_ref.binary_ref.name
|
|
ParentImageName:
|
|
- process:parent_ref.binary_ref.name
|
|
ParentProcessGuid:
|
|
- process:parent_ref.x_guid
|
|
ParentProcessName:
|
|
- process:parent_ref.binary_ref.name
|
|
ParentProcessPath:
|
|
- process:parent_ref.binary_ref.name
|
|
ProcessCommandLine:
|
|
- process:command_line
|
|
Command:
|
|
- process:command_line
|
|
CommandLine:
|
|
- process:command_line
|
|
ProcessGuid:
|
|
- process:x_guid
|
|
ProcessId:
|
|
- process:pid
|
|
ProcessName:
|
|
- process:binary_ref.name
|
|
ProcessPath:
|
|
- process:binary_ref.parent_directory_ref.path
|
|
RegistryKey:
|
|
- windows-registry-key:key
|
|
RegistryValueData:
|
|
- windows-registry-key:values[*].data
|
|
RegistryValueName:
|
|
- windows-registry-key:values[*].name
|
|
SAMAccountName:
|
|
- user-account:account_login
|
|
- user-account:display_name
|
|
SHA1Hash:
|
|
- file:hashes.SHA-1
|
|
SHA256Hash:
|
|
- file:hashes.SHA-256
|
|
ServiceFileName:
|
|
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
|
|
ServiceName:
|
|
- process:extensions.'windows-service-ext'.service_name
|
|
Details:
|
|
- windows-registry-key:values[*].data
|
|
TargetFilename:
|
|
- file:name
|
|
TargetImage:
|
|
- process:binary_ref.name
|
|
TargetObject:
|
|
- windows-registry-key:key
|
|
UserDomain:
|
|
- user-account:x_domain
|
|
event_data.FileName:
|
|
- file:name
|
|
event_data.Image:
|
|
- process:binary_ref.name
|
|
event_data.ImageLoaded:
|
|
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
|
|
ImageLoaded:
|
|
- process:extensions.'windows-service-ext'.service_dll_refs[*].name
|
|
event_data.ImagePath:
|
|
- process:binary_ref.parent_directory_ref.path
|
|
event_data.ParentCommandLine:
|
|
- process:parent_ref.command_line
|
|
event_data.ParentImage:
|
|
- process:parent_ref.binary_ref.name
|
|
event_data.ParentProcessName:
|
|
- process:parent_ref.binary_ref.name
|
|
event_data.TargetFilename:
|
|
- file:name
|
|
event_data.User:
|
|
- user-account:user_id
|
|
a0:
|
|
- process:command_line
|
|
a1:
|
|
- process:command_line
|
|
name:
|
|
- file:name
|
|
a3:
|
|
- process:command_line
|
|
exe:
|
|
- file:name
|
|
a2:
|
|
- process:command_line
|
|
pam_user:
|
|
- user-account:user_id
|