mirror of https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00 (55beecac28)

commit d97d2ced82  Merge: 022d73f8 84dd8c39
Author: Florian Roth <venom14@gmail.com>  Date: Wed Jun 3 15:53:55 2020 +0200
    Merge pull request #725 from WilliamBruneau/fix_null_list
    Move null values out from list in rules
commit 84dd8c39c4
Author: William Bruneau <william.bruneau@epfedu.fr>  Date: Tue May 5 09:04:47 2020 +0200
    Move null values out from list in rules
commit 022d73f842  Merge: 0cbc099d 4ed51201
Author: Florian Roth <venom14@gmail.com>  Date: Wed Jun 3 10:48:05 2020 +0200
    Merge pull request #811 from svnscha/fix/field-TargetFileName-to-TargetFilename
    All Rules use 'TargetFilename' instead of 'TargetFileName'.
commit 4ed512011a
Author: Sven Scharmentke <sven@vastlimits.com>  Date: Wed Jun 3 09:00:59 2020 +0200
    All Rules use 'TargetFilename' instead of 'TargetFileName'.
    This commit fixes the incorrect spelling.
commit 0cbc099def  Merge: 74e16fdc 3a6ac5bd
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 30 09:31:45 2020 +0200
    Merge pull request #807 from forensicanalysis/master
    Add sqlite backend
commit 3a6ac5bd5c
Author: Jonas Plum <git@cugu.eu>  Date: Sat May 30 01:57:06 2020 +0200
    Remove unused function
commit 5cc82d0f05
Author: Jonas Plum <git@cugu.eu>  Date: Sat May 30 00:56:06 2020 +0200
    Move testcase
commit 4a8ab88ade
Author: Jonas Plum <git@cugu.eu>  Date: Sat May 30 00:15:38 2020 +0200
    Fix test path
commit 70935d26ce
Author: Jonas Plum <git@cugu.eu>  Date: Fri May 29 23:56:05 2020 +0200
    Add license header
commit 74e16fdccd  Merge: e20b58c4 537bda44
Author: Florian Roth <venom14@gmail.com>  Date: Fri May 29 17:32:43 2020 +0200
    Merge pull request #803 from gamma37/clear_cmd_history
    Edit Clear Command History
commit e20b58c421  Merge: 7f2fa05e a00f7f19
Author: Florian Roth <venom14@gmail.com>  Date: Fri May 29 17:32:27 2020 +0200
    Merge pull request #806 from SanWieb/sysmon_creation_system_file
    Fixed wrong field & Improve rule
commit a00f7f19a1
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Fri May 29 16:25:54 2020 +0200
    Add tag Endswith
    Prevent the trigger of {}.exe.log
commit 38afd8b5de
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Thu May 28 21:52:17 2020 +0200
    Fixed wrong field
commit 7f2fa05ed3  Merge: ec313b6c 39b41b55
Author: Florian Roth <venom14@gmail.com>  Date: Thu May 28 11:16:44 2020 +0200
    Merge pull request #802 from Neo23x0/rule-devel
    ComRAT and KazuarRAT
commit 537bda4417
Author: gamma37 <marie.euler@polytechnique.edu>  Date: Thu May 28 10:56:35 2020 +0200
    Update lnx_shell_clear_cmd_history.yml
commit 5a48934822
Author: gamma37 <marie.euler@polytechnique.edu>  Date: Thu May 28 10:52:17 2020 +0200
    Edit Clear Command History
    I suggest a new point of view to detect that bash_history has been cleared: instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
commit 39b41b5582
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Thu May 28 10:13:38 2020 +0200
    rule: moved DebugView rule to process creation category
commit 76dcc1a16f
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Thu May 28 09:22:25 2020 +0200
    rule: renamed debugview
commit ec313b6c8a  Merge: 5bb6770f d44fc43c
Author: Florian Roth <venom14@gmail.com>  Date: Wed May 27 08:49:20 2020 +0200
    Merge pull request #801 from SanWieb/sysmon_creation_system_file
    Rule: sysmon_creation_system_file
commit d44fc43c54
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Tue May 26 19:10:11 2020 +0200
    Add extension
commit f6ec724d51
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Tue May 26 18:53:54 2020 +0200
    Rule: sysmon_creation_system_file
commit 5bb6770f53  Merge: 0b398c5b 3681b8cb
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 26 14:28:47 2020 +0200
    Merge pull request #800 from SanWieb/win_system_exe_anomaly
    Extended Windows processes: win_system_exe_anomaly
commit 4ca81b896d
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Tue May 26 14:19:22 2020 +0200
    rule: Turla ComRAT report
commit 3681b8cb56
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Tue May 26 13:56:51 2020 +0200
    Extended Windows processes
commit 0b398c5bf0  Merge: c1f47875 b648998f
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 26 13:31:57 2020 +0200
    Merge pull request #798 from Neo23x0/rule-devel
    rule: confluence exploit CVE-2019-3398 & Turla ComRAT
commit c1f4787566  Merge: ce1f4634 48c5f2ed
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 26 13:21:04 2020 +0200
    Merge pull request #797 from NVISO-BE/sysmon_cve-2020-1048
    Changes to sysmon_cve-2020-1048
commit ce1f46346f  Merge: e131f347 1a598282
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 26 13:20:40 2020 +0200
    Merge pull request #751 from zaphodef/fix/powershell_ntfs_ads_access
    Add 'Add-Content' to powershell_ntfs_ads_access
commit e131f3476e  Merge: 30861b55 7037e775
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 26 13:20:23 2020 +0200
    Merge pull request #796 from EccoTheFlintstone/fp
    add more false positives
commit 30861b558c  Merge: a962bd1b f9f814f3
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 26 13:20:07 2020 +0200
    Merge pull request #799 from SanWieb/susp_file_characteristics
    Susp file characteristics: Reduce FP of legitimate processes
commit b648998fd0
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Tue May 26 13:18:50 2020 +0200
    rule: Turla ComRAT
commit f9f814f3b3
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Tue May 26 13:06:27 2020 +0200
    Shortened title
commit a241792e10
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Tue May 26 12:58:15 2020 +0200
    Reduce FP of legitimate processes
    A lot of Windows apps do not have any file characteristics. Some examples:
    - Gamebar: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\GameBarFT.exe
    - YourPhone: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\YourPhoneServer/YourPhoneServer.exe
    All of C:\Windows\System32\OpenSSH (scp, sftp, ssh etc.) do not have a description and company.
    Python 2.7, 3.3 and 3.7 do not have any file characteristics.
    So I don't think it is possible to whitelist all options, maybe it is worthwhile to check the \Downloads\ folder otherwise it would be better to just delete the rule. All other suspicious folders are covered by /rules/windows/process_creation/win_susp_exec_folder.yml
commit cdf1ade625
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Tue May 26 12:27:16 2020 +0200
    fix: typo in selection
commit 91b4ee8d56  Merge: 4cd7c39e a962bd1b
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Tue May 26 12:24:21 2020 +0200
    Merge pull request #2 from Neo23x0/master
    Update repository
commit 828484d7c6
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Tue May 26 12:09:41 2020 +0200
    rule: confluence exploit CVE-2019-3398
commit 48c5f2ed09
Author: Remco Hofman <rhofman@nviso.be>  Date: Tue May 26 11:20:21 2020 +0200
    Update to sysmon_cve-2020-1048
    Added .com executables to detection
    Second TargetObject should have been Details
commit abf1a2c6d7
Author: Jonas Hagg <joy.hagg@web.de>  Date: Mon May 25 10:54:16 2020 +0200
    Adjusted Makefile
commit dedfb65d63
Author: Jonas Hagg <joy.hagg@web.de>  Date: Mon May 25 10:44:14 2020 +0200
    Implemented Aggregation for SQL, Added SQLite FullTextSearch
commit 7037e77569
Author: ecco <none@none.com>  Date: Mon May 25 04:50:22 2020 -0400
    add more FP
commit a962bd1bc1  Merge: 0afe0623 d510e1aa
Author: Florian Roth <venom14@gmail.com>  Date: Mon May 25 10:48:36 2020 +0200
    Merge pull request #747 from zaphodef/fix/win_susp_backup_delete_source
    Fix 'source' value for win_susp_backup_delete
commit 0afe0623af  Merge: 92d0aa86 beb62dc1
Author: Florian Roth <venom14@gmail.com>  Date: Mon May 25 10:47:23 2020 +0200
    Merge pull request #757 from tliffick/master
    added rule for Blue Mockingbird (cryptominer)
commit 92d0aa8654  Merge: 0dda757c 6fcf3f9e
Author: Florian Roth <venom14@gmail.com>  Date: Mon May 25 10:46:39 2020 +0200
    Merge pull request #795 from SanWieb/Rule-improvement-Netsh-program-allowed
    Rule improvement: netsh Application or Port allowed
commit 6fcf3f9ebf
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Mon May 25 10:13:26 2020 +0200
    Update win_netsh_fw_add.yml
commit 28652e4648
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Mon May 25 10:02:13 2020 +0200
    Add Windows Server 2008 and Windows Vista support
    It did not support the command `netsh advfirewall firewall add`
commit 2678cd1d3e
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Mon May 25 09:50:47 2020 +0200
    Create win_netsh_fw_add_susp_image.yml
    More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. Combined the following rules for the suspicious locations:
    https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml
    https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
    https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
commit 4cd7c39e9d  Merge: 6fbfa9df 0dda757c
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Mon May 25 08:48:16 2020 +0200
    Merge pull request #1 from Neo23x0/master
    Update repository
commit 0dda757ca5  Merge: 40f0beb5 daf7ab5f
Author: Thomas Patzke <thomas@patzke.org>  Date: Sun May 24 22:58:58 2020 +0200
    Merge branch 'socprime-master'
commit daf7ab5ff7
Author: Thomas Patzke <thomas@patzke.org>  Date: Sun May 24 22:41:38 2020 +0200
    Cleanup: removal of corelight_* backends
commit d45f8e19fe
Author: Thomas Patzke <thomas@patzke.org>  Date: Sun May 24 21:46:55 2020 +0200
    Fixes
commit 32e4998c49
Author: Thomas Patzke <thomas@patzke.org>  Date: Sun May 24 21:45:37 2020 +0200
    Removed dead code from ALA backend.
commit 24b08bbf30  Merge: 96fae4be e8b956f5
Author: Thomas Patzke <thomas@patzke.org>  Date: Sun May 24 17:06:32 2020 +0200
    Merge branch 'master' of https://github.com/socprime/sigma into socprime-master
commit 40f0beb58d  Merge: 6fbfa9df b8ee736f
Author: Florian Roth <venom14@gmail.com>  Date: Sun May 24 16:30:10 2020 +0200
    Merge pull request #794 from SanWieb/update_susp_run_key
    Remove AppData folder as suspicious folder
commit b8ee736f44
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Sun May 24 15:16:07 2020 +0200
    Remove AppData folder as suspicious folder
    A lot of software is using the AppData folder for startup keys. Some examples:
    - Microsoft Teams (\AppData\Local\Microsoft\Teams)
    - Resilio (\AppData\Roaming\Resilio Sync\)
    - Discord (\AppData\Local\Discord\)
    - Spotify (\AppData\Roaming\Spotify\)
    Too many to whitelist them all
commit 6fbfa9dfdd  Merge: d0da2810 3028a270
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 23:47:12 2020 +0200
    Merge pull request #793 from Neo23x0/rule-devel
    Esentutl rule and StrongPity Loader UA
commit f970d28f10
Author: ecco <none@none.com>  Date: Sat May 23 15:06:15 2020 -0400
    add more false positives
commit 3028a27055
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Sat May 23 18:32:02 2020 +0200
    fix: buggy rule
commit df715386b6
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Sat May 23 18:27:36 2020 +0200
    rule: suspicious esentutl use
commit d0da2810c1  Merge: 8321cc7e 67faf4bd
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 18:13:16 2020 +0200
    Merge pull request #792 from EccoTheFlintstone/fff
    fix FP + remove powershell rule redundant with sysmon_in_memory_power…
commit 8321cc7ee1  Merge: 9cd9a301 e1a05dfc
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 18:11:32 2020 +0200
    Merge pull request #772 from gamma37/suspicious_activities
    Create a rule for "suspicious activities"
commit d1a5471d21
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Sat May 23 17:38:10 2020 +0200
    rule: Strong Pity loader UA
commit 67faf4bd41
Author: ecco <none@none.com>  Date: Sat May 23 10:56:23 2020 -0400
    fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml
commit 9cd9a301c2  Merge: ee1ca77f d310805e
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 16:50:31 2020 +0200
    Merge pull request #791 from SanWieb/master
    added rule for Netsh RDP port opening
commit e1a05dfc1c
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 16:49:03 2020 +0200
    Update lnx_auditd_susp_C2_commands.yml
commit ee1ca77fad  Merge: 895c8470 cbf06b1e
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 16:47:46 2020 +0200
    Merge pull request #771 from gamma37/new_rules
    Create a new rule to detect "Create Account"
commit 895c84703f  Merge: 12e1aeaf 327a53c1
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 16:47:01 2020 +0200
    Merge pull request #790 from EccoTheFlintstone/fp_fix
    fix false positive matching on every powershell process not run by SY…
commit 327a53c120
Author: ecco <none@none.com>  Date: Sat May 23 10:25:37 2020 -0400
    add new test for sysmon rules without eventid
commit 10ca3006f5
Author: ecco <none@none.com>  Date: Sat May 23 10:07:55 2020 -0400
    move rule where needed
commit 2b89e56054
Author: ecco <none@none.com>  Date: Sat May 23 10:03:13 2020 -0400
    fix test
commit d9bc09c38c
Author: ecco <none@none.com>  Date: Sat May 23 10:02:58 2020 -0400
    fix test
commit 78a7852a43
Author: ecco <none@none.com>  Date: Sat May 23 09:16:40 2020 -0400
    renamed dbghelp rule with new ID and comment and removed a false positive
commit d310805ed9
Author: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>  Date: Sat May 23 14:19:52 2020 +0200
    rule: Netsh RDP port opening
commit 75ba5f989c
Author: ecco <none@none.com>  Date: Sat May 23 07:44:45 2020 -0400
    add 1 more FP to wmi load
commit 9a7f462d79
Author: ecco <none@none.com>  Date: Sat May 23 07:17:56 2020 -0400
    move renamed binaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
commit cfde0625f5
Author: ecco <none@none.com>  Date: Sat May 23 07:05:09 2020 -0400
    fix false positive matching on every powershell process not run by SYSTEM account
commit 12e1aeaf9f  Merge: 46f3a70a 34006d07
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 09:54:43 2020 +0200
    Merge pull request #788 from Neo23x0/rule-devel
    refactor: split up rule for CVE-2020-1048 into 2 rules
commit 46f3a70a7d  Merge: 96fae4be ec17c2ab
Author: Florian Roth <venom14@gmail.com>  Date: Sat May 23 09:54:28 2020 +0200
    Merge pull request #786 from EccoTheFlintstone/perf_fix
    various rules cleaning (slight perf improvements)
commit 34006d0794
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Sat May 23 09:16:19 2020 +0200
    refactor: simplified and extended expression in CVE-2020-1048 rule
commit 57c8e63acd
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Sat May 23 09:09:58 2020 +0200
    refactor: split up rule for CVE-2020-1048 into 2 rules
commit ec17c2ab56
Author: ecco <none@none.com>  Date: Fri May 22 10:37:00 2020 -0400
    filter on createkey only when needed
commit 96fae4be68
Author: Thomas Patzke <thomas@patzke.org>  Date: Fri May 22 00:50:37 2020 +0200
    Added CrackMapExec rules
commit 64e0e7ca72  Merge: bbf78374 91c4c4ec
Author: Florian Roth <venom14@gmail.com>  Date: Thu May 21 14:19:09 2020 +0200
    Merge pull request #784 from Neo23x0/rule-devel
    refactor: slightly improved Greenbug rule
commit 91c4c4ecc5
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Thu May 21 13:38:11 2020 +0200
    refactor: slightly improved Greenbug rule
commit bbf78374b6  Merge: 8d9b706d 9a3b6c1c
Author: Florian Roth <venom14@gmail.com>  Date: Thu May 21 09:55:46 2020 +0200
    Merge pull request #783 from Neo23x0/rule-devel
    Greenbug Rule
commit 9a3b6c1c77
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Thu May 21 09:44:11 2020 +0200
    docs: added MITRE ATT&CK group tag
commit 344eb713c5
Author: Florian Roth <florian.roth@nextron-systems.com>  Date: Thu May 21 09:39:57 2020 +0200
    rule: Greenbug campaign
commit 8d9b706d6a  Merge: e7980bb4 06abd6e7
Author: Thomas Patzke <thomas@patzke.org>  Date: Wed May 20 19:11:56 2020 +0200
    Merge pull request #727 from 3CORESec/master
    Override Features
commit e7980bb434  Merge: af92a5bd 8963c0a6
Author: Florian Roth <venom14@gmail.com>  Date: Wed May 20 12:55:41 2020 +0200
    Merge pull request #782 from ZikyHD/patch-1
    Remove duplicate 'CommandLine' in fields
commit af92a5bd2c  Merge: 04dfe6c5 9ab65cd1
Author: Florian Roth <venom14@gmail.com>  Date: Wed May 20 12:55:29 2020 +0200
    Merge pull request #780 from tatsu-i/master
    Null field check to eliminate false positives
commit 8963c0a65e
Author: ZikyHD <ZikyHD@users.noreply.github.com>  Date: Wed May 20 11:54:47 2020 +0200
    Remove duplicate 'CommandLine' in fields
commit e8b956f575
Author: vh <vh@socprime.com>  Date: Wed May 20 12:35:00 2020 +0300
    Updated config
commit 9ab65cd1c7
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 19 14:50:22 2020 +0200
    Update win_alert_ad_user_backdoors.yml
commit 04dfe6c5fc  Merge: df75bdd3 9e272d37
Author: Thomas Patzke <thomas@patzke.org>  Date: Tue May 19 13:18:40 2020 +0200
    Merge pull request #778 from neu5ron/sigmacs
    SIGMACs: Winlogbeat & Zeek
commit df75bdd3b6  Merge: 4446c4cd 7c3dea22
Author: Florian Roth <venom14@gmail.com>  Date: Tue May 19 13:10:56 2020 +0200
    Merge pull request #779 from neu5ron/rules
    Rules: Zeek
commit 7c3dea22b8
Author: neu5ron <>  Date: Tue May 19 05:13:48 2020 -0400
    small T, big T
commit dd382848b4  Merge: 602c8917 e975d3fd
Author: neu5ron <>  Date: Tue May 19 05:09:05 2020 -0400
    Merge remote-tracking branch 'neu5ron-sigma/rules' into rules
commit 602c8917ef
Author: neu5ron <>  Date: Tue May 19 04:41:08 2020 -0400
    domain user enumeration via zeek rpc (dce_rpc) log.
commit c815773b1a
Author: Tatsuya Ito <t_ito@cyberdefense.jp>  Date: Tue May 19 18:05:51 2020 +0900
    enhancement rule
commit 49f68a327a
Author: Tatsuya Ito <t_ito@cyberdefense.jp>  Date: Tue May 19 18:00:50 2020 +0900
    enhancement rule
commit e975d3fd14
Author: neu5ron <>  Date: Tue May 19 04:41:08 2020 -0400
    domain user enumeration via zeek rpc (dce_rpc) log.
commit effb2a8337
Author: neu5ron <>  Date: Tue May 19 04:41:00 2020 -0400
    add exe webdav download
commit 858ebcd3d3
Author: neu5ron <>  Date: Tue May 19 04:35:47 2020 -0400
    author typo update
commit 2fc8d513d6
Author: neu5ron <>  Date: Tue May 19 04:35:30 2020 -0400
    zeek, swap `path` and `name`
commit 0dd089db47
Author: ecco <none@none.com>  Date: Mon May 18 20:29:53 2020 -0400
    various rules cleaning
commit 71c507d8a9
Author: gamma37 <marie.euler@polytechnique.edu>  Date: Mon May 18 11:34:53 2020 +0200
    remove space before colon
commit 55eec46932
Author: gamma37 <marie.euler@polytechnique.edu>  Date: Mon May 18 11:25:18 2020 +0200
    Create a rule for "suspicious activities"
commit cbf06b1e43
Author: gamma37 <marie.euler@polytechnique.edu>  Date: Mon May 18 10:11:32 2020 +0200
    lowercased tag
commit 904716771a
Author: gamma37 <marie.euler@polytechnique.edu>  Date: Mon May 18 10:03:34 2020 +0200
    Create a new rule to detect "Create Account"
commit beb62dc163
Author: Florian Roth <venom14@gmail.com>  Date: Fri May 15 12:06:34 2020 +0200
    fix: condition location
commit 28dc2a2267
Author: Florian Roth <venom14@gmail.com>  Date: Fri May 15 11:33:36 2020 +0200
    Minor changes
    hints:
    - contains doesn't require wildcards in the strings
    - we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
    - we can use "1 of them" to say that 1 of the conditions has to match
commit 40ab1b7247
Author: Trent Liffick <trent.liffick@outlook.com>  Date: Thu May 14 23:33:08 2020 -0400
    added 'action: global'
commit 56a2747a70
Author: Trent Liffick <trent.liffick@outlook.com>  Date: Thu May 14 23:18:33 2020 -0400
    Corrected missing condition
    learning! fail fast & forward
commit fb1d8d7a76
Author: Trent Liffick <trent.liffick@outlook.com>  Date: Thu May 14 23:04:14 2020 -0400
    Corrected typo
commit 8aff6b412e
Author: Trent Liffick <trent.liffick@outlook.com>  Date: Thu May 14 22:58:23 2020 -0400
    added rule for Blue Mockingbird (cryptominer)
commit 06abd6e76a
Author: Tiago Faria <tiago.faria.backups@gmail.com>  Date: Thu May 14 14:03:23 2020 +0100
    added ci tests for ecs-cloudtrail
commit 2893becf8c  Merge: 31ad8187 133319c4
Author: Tiago Faria <tiago.faria.backups@gmail.com>  Date: Thu May 14 14:02:20 2020 +0100
    Merge remote-tracking branch 'upstream/master'
commit 1a598282f4
Author: zaphod <18658828+zaphodef@users.noreply.github.com>  Date: Wed May 13 11:57:10 2020 +0200
    Add 'Add-Content' to powershell_ntfs_ads_access
commit d510e1aad4
Author: zaphod <18658828+zaphodef@users.noreply.github.com>  Date: Mon May 11 18:31:59 2020 +0200
    Fix 'source' value for win_susp_backup_delete
commit fb9c5841f4
Author: vh <vh@socprime.com>  Date: Fri May 8 13:41:52 2020 +0300
    Added Humio, Crowdstrike, Corelight
commit 31ad81874f
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Tue May 5 11:32:18 2020 +0100
    capitalized titles
    corrected capitalization of titles and removed literals from config
commit aa175a7d5b
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Mon May 4 18:02:27 2020 +0100
    wip wip
commit dd9e128a15
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Mon May 4 17:35:12 2020 +0100
    kibana target update
    kibana target now compatible with overrides
commit b32093e734  Merge: b3194e66 d298bb57
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Mon May 4 17:26:51 2020 +0100
    Merge remote-tracking branch 'upstream/master'
    Keeping up with the sigmas.
commit b3194e66c4
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Mon May 4 16:37:36 2020 +0100
    Update base.py
commit dd85467a27
Author: Tiago Faria <tiago.faria.backups@gmail.com>  Date: Sat May 2 00:13:55 2020 +0100
    Update aws_ec2_vm_export_failure.yml
commit bc0a2c7ab9
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Fri May 1 19:20:05 2020 +0100
    wip wip
commit 98391f985a
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Thu Apr 30 15:19:38 2020 +0100
    wip wip
commit adcc3766e3  Merge: 81422444 dfdb5b95
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Thu Apr 30 15:08:25 2020 +0100
    Merge branch 'master' of https://github.com/3CORESec/sigma
commit 8142244449
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Thu Apr 30 15:08:20 2020 +0100
    wip wip
commit dfdb5b9550
Author: Tiago Faria <tiago.faria.backups@gmail.com>  Date: Wed Apr 29 23:59:26 2020 +0100
    better description and event.outcome
commit ac4a2b1f26
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Wed Apr 29 22:55:46 2020 +0100
    wip wip
commit 9ce84a38e5
Author: pdr9rc <pedro.gracio@3coresec.com>  Date: Wed Apr 29 20:36:45 2020 +0100
    overrides section support + one example rule + cloudtrail config ditto
1291 lines
33 KiB
YAML
title: Corelight Zeek and Corelight Opensource Zeek Elastic Common Schema (ECS) implementation
description: Uses the mappings as created by Corelight here https://github.com/corelight/ecs-mapping
order: 20
backends:
  - es-qs
  - corelight_es-qs
  - es-dsl
  - elasticsearch-rule
  - corelight_elasticsearch-rule
  - kibana
  - corelight_kibana
  - xpack-watcher
  - corelight_xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
logsources:
  zeek:
    product: zeek
    index: '*ecs-*'
    #'*ecs-corelight*'
    #'*ecs-zeek-*'
  zeek-category-accounting:
    category: accounting
    rewrite:
      product: zeek
      service: syslog
  zeek-category-firewall:
    category: firewall
    rewrite:
      product: zeek
      service: conn
  zeek-category-dns:
    category: dns
    rewrite:
      product: zeek
      service: dns
    conditions:
      event.dataset: dns
  zeek-category-proxy:
    category: proxy
    rewrite:
      product: zeek
      service: http
  zeek-category-webserver:
    category: webserver
    rewrite:
      product: zeek
      service: http
  zeek-conn:
    product: zeek
    service: conn
    conditions:
      event.dataset: conn
  zeek-conn_long:
    product: zeek
    service: conn_long
    conditions:
      event.dataset: conn_long
  zeek-dce_rpc:
    product: zeek
    service: dce_rpc
    conditions:
      event.dataset: dce_rpc
  zeek-dns:
    product: zeek
    service: dns
    conditions:
      event.dataset: dns
  zeek-dnp3:
    product: zeek
    service: dnp3
    conditions:
      event.dataset: dnp3
  zeek-dpd:
    product: zeek
    service: dpd
    conditions:
      event.dataset: dpd
  zeek-files:
    product: zeek
    service: files
    conditions:
      event.dataset: files
  zeek-ftp:
    product: zeek
    service: ftp
    conditions:
      event.dataset: ftp
  zeek-gquic:
    product: zeek
    service: gquic
    conditions:
      event.dataset: gquic
  zeek-http:
    product: zeek
    service: http
    conditions:
      event.dataset: http
  zeek-http2:
    product: zeek
    service: http2
    conditions:
      event.dataset: http2
  zeek-intel:
    product: zeek
    service: intel
    conditions:
      event.dataset: intel
  zeek-irc:
    product: zeek
    service: irc
    conditions:
      event.dataset: irc
  zeek-kerberos:
    product: zeek
    service: kerberos
    conditions:
      event.dataset: kerberos
  zeek-known_certs:
    product: zeek
    service: known_certs
    conditions:
      event.dataset: known_certs
  zeek-known_hosts:
    product: zeek
    service: known_hosts
    conditions:
      event.dataset: known_hosts
  zeek-known_modbus:
    product: zeek
    service: known_modbus
    conditions:
      event.dataset: known_modbus
  zeek-known_services:
    product: zeek
    service: known_services
    conditions:
      event.dataset: known_services
  zeek-modbus:
    product: zeek
    service: modbus
    conditions:
      event.dataset: modbus
  zeek-modbus_register_change:
    product: zeek
    service: modbus_register_change
    conditions:
      event.dataset: modbus_register_change
  zeek-mqtt_connect:
    product: zeek
    service: mqtt_connect
    conditions:
      event.dataset: mqtt_connect
  zeek-mqtt_publish:
    product: zeek
    service: mqtt_publish
    conditions:
      event.dataset: mqtt_publish
  zeek-mqtt_subscribe:
    product: zeek
    service: mqtt_subscribe
    conditions:
      event.dataset: mqtt_subscribe
  zeek-mysql:
    product: zeek
    service: mysql
    conditions:
      event.dataset: mysql
  zeek-notice:
    product: zeek
    service: notice
    conditions:
      event.dataset: notice
  zeek-ntlm:
    product: zeek
    service: ntlm
    conditions:
      event.dataset: ntlm
  zeek-ntp:
    product: zeek
    service: ntp
    conditions:
      event.dataset: ntp
  zeek-ocsp:
    product: zeek
    service: ocsp
    conditions:
      event.dataset: ocsp
  zeek-pe:
    product: zeek
    service: pe
    conditions:
      event.dataset: pe
  zeek-pop3:
    product: zeek
    service: pop3
    conditions:
      event.dataset: pop3
  zeek-radius:
    product: zeek
    service: radius
    conditions:
      event.dataset: radius
  zeek-rdp:
    product: zeek
    service: rdp
    conditions:
      event.dataset: rdp
  zeek-rfb:
    product: zeek
    service: rfb
    conditions:
      event.dataset: rfb
  zeek-sip:
    product: zeek
    service: sip
    conditions:
      event.dataset: sip
  zeek-smb_files:
    product: zeek
    service: smb_files
    conditions:
      event.dataset: smb_files
  zeek-smb_mapping:
    product: zeek
    service: smb_mapping
    conditions:
      event.dataset: smb_mapping
  zeek-smtp:
    product: zeek
    service: smtp
    conditions:
      event.dataset: smtp
  zeek-smtp_links:
    product: zeek
    service: smtp_links
    conditions:
      event.dataset: smtp_links
  zeek-snmp:
    product: zeek
    service: snmp
    conditions:
      event.dataset: snmp
  zeek-socks:
    product: zeek
    service: socks
    conditions:
      event.dataset: socks
  zeek-software:
    product: zeek
    service: software
    conditions:
      event.dataset: software
  zeek-ssh:
    product: zeek
    service: ssh
    conditions:
      event.dataset: ssh
  zeek-ssl:
    product: zeek
    service: ssl
    conditions:
      event.dataset: tls
  zeek-tls: # In case people call it TLS even though the original log is called ssl; the dataset is tls, which may cause confusion, so cover both
    product: zeek
    service: tls
    conditions:
      event.dataset: tls
  zeek-syslog:
    product: zeek
    service: syslog
    conditions:
      event.dataset: syslog
  zeek-tunnel:
    product: zeek
    service: tunnel
    conditions:
      event.dataset: tunnel
  zeek-traceroute:
    product: zeek
    service: traceroute
    conditions:
      event.dataset: traceroute
  zeek-weird:
    product: zeek
    service: weird
    conditions:
      event.dataset: weird
  zeek-x509:
    product: zeek
    service: x509
    conditions:
      event.dataset: x509
  zeek-ip_search:
    product: zeek
    service: network
    conditions:
      event.dataset:
        - conn
        - conn_long
        - dce_rpc
        - dhcp
        - dnp3
        - dns
        - ftp
        - gquic
        - http
        - irc
        - kerberos
        - modbus
        - mqtt_connect
        - mqtt_publish
        - mqtt_subscribe
        - mysql
        - ntlm
        - ntp
        - radius
        - rfb
        - sip
        - smb_files
        - smb_mapping
        - smtp
        - smtp_links
        - snmp
        - socks
        - ssh
        - tls #SSL
        - tunnel
        - weird
defaultindex: '*ecs-*'
fieldmappings:
  # All Logs Applied Mapping & Taxonomy
  dst: destination.ip
  dst_ip: destination.ip
  dst_port: destination.port
  host: host.ip
  inner_vlan: network.vlan.inner.id
  mac: source.mac
  mime_type: file.mime_type
  network_application: network.protocol
  network_community_id: network.community_id
  network_protocol: network.transport
  password: source.user.password
  port_num: labels.known.port
  proto: network.transport
  result: event.outcome
  rtt: event.duration
  server_name: destination.domain
  src: source.ip
  src_ip: source.ip
  src_port: source.port
  success: event.outcome
  uri: url.original
  user: source.user.name
  username: source.user.name
  user_agent: user_agent.original
  vlan: network.vlan.id
  # DNS matching Taxonomy & DNS Category
  answer: dns.answers.name
  question_length: labels.dns.query_length
  record_type: dns.question.type
  parent_domain: dns.question.registered_domain
  # HTTP matching Taxonomy & Web/Proxy Category
  cs-bytes: http.request.body.bytes
  cs-cookie: http.cookie_vars
  r-dns:
    - url.domain
    - destination.domain
  sc-bytes: http.response.body.bytes
  sc-status: http.response.status_code
  c-uri: url.original
  c-uri-extension: url.extension
  c-uri-query: url.query
  c-uri-stem: url.original
  c-useragent: user_agent.original
  cs-host:
    - url.domain
    - destination.domain
  cs-method: http.request.method
  cs-referrer: http.request.referrer
  cs-version: http.version
  # All log UIDs
  cert_chain_fuids: log.id.cert_chain_fuids
  client_cert_chain_fuids: log.id.client_cert_chain_fuids
  client_cert_fuid: log.id.client_cert_fuid
  conn_uids: log.id.conn_uids
  fid: log.id.fid
  fuid: log.id.fuid
  fuids: log.id.fuids
  id: log.id.id
  orig_fuids: log.id.orig_fuids
  parent_fuid: log.id.parent_fuid
  related_fuids: log.id.related_fuids
  resp_fuids: log.id.resp_fuids
  server_cert_fuid: log.id.server_cert_fuid
  tunnel_parents: log.id.tunnel_parents
  uid: log.id.uid
  uids: log.id.uids
  uuid: log.id.uuid
  # Deep mappings / Overlapping fields/mappings (aka: shared fields)
  #_action
  action:
    #- '*.action'
    service=mqtt: mqtt.action
    service=smb_files: smb.action
    service=tunnel: tunnel.action
  mqtt_action: mqtt.action
  smb_action: smb.action
  tunnel_action: tunnel.action
  #_addl
  addl:
    #- '*.addl'
    service=dns: dns.addl
    service=weird: weird.addl
  dns_addl: dns.addl
  weird_addl: weird.addl
  #_analyzer
  analyzer:
    #- '*.analyzer'
    service=dpd: dpd.analyzer
    service=files: files.analyzer
  dpd_analyzer: dpd.analyzer
  files_analyzer: file.analyzer
  #_arg
  arg:
    #- '*.arg'
    service=ftp: ftp.arg
    service=mysql: mysql.arg
    service=pop3: pop3.arg
  ftp_arg: ftp.arg
  mysql_arg: mysql.arg
  pop3_arg: pop3.arg
  #_auth
  auth:
    #- dns.auth
    service=dns: dns.auth
    service=rfb: rfb.auth
  dns_auth: dns.auth
  rfb_auth: rfb.auth
  #_cipher
  cipher:
    #- '*.cipher'
    service=kerberos: kerberos.cipher
    service=ssl: tls.cipher
  kerberos_cipher: kerberos.cipher
  ssl_cipher: tls.cipher
  tls_cipher: tls.cipher
  #_client
  client:
    #- '*.client'
    service=kerberos: kerberos.client
    service=ssh: ssh.client
  kerberos_client: kerberos.client
  ssh_client: ssh.client
  #_command
  command:
    #- '*.command'
    service=irc: irc.command
    service=ftp: ftp.command
    service=pop3: pop3.command
  ftp_command: ftp.command
  irc_command: irc.command
  pop3_command: pop3.command
  #_date
  date:
    #- '*.date'
    service=sip: sip.date
    service=smtp: smtp.date
  sip_date: sip.date
  smtp_date: smtp.date
  #_duration
  duration:
    #- event.duration
    service=conn: event.duration
    service=files: files.duration
    service=snmp: event.duration
  conn_duration: event.duration
  files_duration: files.duration
  snmp_duration: event.duration
  #_from
  from:
    #- '*.from'
    service=kerberos: kerberos.from
    service=smtp: smtp.from
  kerberos_from: kerberos.from
  smtp_from: smtp.from
  #_is_orig
  is_orig:
    #- '*.is_orig'
    service=files: file.is_orig
    service=pop3: pop3.is_orig
  files_is_orig: file.is_orig
  pop3_is_orig: pop3.is_orig
  #_local_orig
  local_orig:
    #- '*.local_orig'
    service=conn: conn.local_orig
    service=files: file.local_orig
  conn_local_orig: conn.local_orig
  files_local_orig: file.local_orig
  #_method
method:
|
|
#- http.request.method
|
|
service=http: http.request.method
|
|
service=sip: sip.method
|
|
http_method: http.request.method
|
|
sip_method: sip.method
|
|
#_msg
|
|
msg:
|
|
#- notice.msg
|
|
service=notice: notice.msg
|
|
service=pop3: pop3.msg
|
|
notice_msg: notice.msg
|
|
pop3_msg: pop3.msg
|
|
#_name
|
|
name:
|
|
#- file.name
|
|
service=smb_files: file.name
|
|
service=software: software.name
|
|
service=weird: weird.name
|
|
smb_files_name: file.name
|
|
software_name: software.name
|
|
weird_name: weird.name
|
|
#_path
|
|
path:
|
|
#- file.path
|
|
service=smb_files: file.path
|
|
service=smb_mapping: file.path
|
|
service=smtp: smtp.path
|
|
smb_files_path: file.path
|
|
smb_mapping_path: file.path
|
|
smtp_path: smtp.path
|
|
#_reply_msg
|
|
reply_msg:
|
|
#- '*.reply_msg'
|
|
service=ftp: ftp.reply_msg
|
|
service=radius: radius.reply_msg
|
|
ftp_reply_msg: ftp.reply_msg
|
|
radius_reply_msg: radius.reply_msg
|
|
#_reply_to
|
|
reply_to:
|
|
#- '*.reply_to'
|
|
service=sip: sip.reply_to
|
|
service=smtp: smtp.reply_to
|
|
sip_reply_to: sip.reply_to
|
|
smtp_reply_to: smtp.reply_to
|
|
#_response_body_len
|
|
response_body_len:
|
|
#- http.response.body.bytes
|
|
service=http: http.response.body.bytes
|
|
service=sip: sip.response_body_len
|
|
http_response_body_len: http.response.body.bytes
|
|
sip_response_body_len: sip.response_body_len
|
|
#_request_body_len
|
|
request_body_len:
|
|
#- http.request.body.bytes
|
|
service=http: http.response.body.bytes
|
|
service=sip: sip.request_body_len
|
|
http_request_body_len: http.response.body.bytes
|
|
sip_request_body_len: sip.response_body_len
|
|
#_rtt
|
|
#rtt:
|
|
#- event.duration
|
|
#- 'zeek.*.rtt'
|
|
#service=dns: event.duration
|
|
#service=dce_rpc: event.duration
|
|
dns_rtt: event.duration
|
|
dce_rpc_rtt: event.duration
|
|
#_service
|
|
service:
|
|
#- '*.service'
|
|
service=kerberos: kerberos.service
|
|
service=smb_mapping: smb.service
|
|
kerberos_service: kerberos.service
|
|
smb_mapping_kerberos: smb.service
|
|
#_status
|
|
status:
|
|
#- '*.status'
|
|
service=mqtt: mqtt.status
|
|
service=pop3: pop3.status
|
|
service=socks: socks.status
|
|
mqtt_status: mqtt.status
|
|
pop3_status: pop3.status
|
|
socks_status: socks.status
|
|
#_status_code
|
|
status_code:
|
|
#- 'http.response.status_code'
|
|
service=http: http.response.status_code
|
|
service=sip: sip.status_code
|
|
http_status_code: http.response.status_code
|
|
sip_status_code: sip.status_code
|
|
#_status_msg
|
|
status_msg:
|
|
#- '*.status_msg'
|
|
service=http: http.status_msg
|
|
service=sip: sip.status_msg
|
|
http_status_msg: http.status_msg
|
|
sip_status_msg: sip.status_msg
|
|
#_subject
|
|
subject:
|
|
#- '*.subject'
|
|
service=known_certs: known_certs.subject
|
|
service=sip: sip.subject
|
|
service=smtp: smtp.subject
|
|
service=ssl: tls.subject
|
|
known_certs_subject: known_certs.subject
|
|
sip_subject: sip.subject
|
|
smtp_subject: smtp.subject
|
|
ssl_subject: tls.subject
|
|
#_service
|
|
|
|
#_trans_depth
|
|
trans_depth:
|
|
#- '*.trans_depth'
|
|
service=http: http.trans_depth
|
|
service=sip: sip.trans_depth
|
|
service=smtp: smtp.trans_depth
|
|
http_trans_depth: http.trans_depth
|
|
sip_trans_depth: sip.trans_depth
|
|
smtp_trans_depth: smtp.trans_depth
|
|
#_user_agent
|
|
#user_agent: #already normalized
|
|
http_user_agent: user_agent.original
|
|
gquic_user_agent: user_agent.original
|
|
sip_user_agent: user_agent.original
|
|
smtp_user_agent: user_agent.original
|
|
#_version
|
|
version:
|
|
#- '*.version'
|
|
service=gquic: gquic.version
|
|
service=http: http.version
|
|
service=ntp: ntp.version
|
|
service=socks: socks.version
|
|
service=snmp: snmp.version
|
|
service=ssh: ssh.version
|
|
service=tls: tls.version
|
|
gquic_version: gquic.version
|
|
http_version: http.version
|
|
ntp_version: ntp.version
|
|
socks_version: socks.version
|
|
snmp_version: snmp.version
|
|
ssh_version: ssh.version
|
|
ssl_version: tls.version
|
|
tls_version: tls.version
|
|
# Conn and Conn Long
|
|
cache_add_rx_ev: conn.cache_add_rx_ev
|
|
cache_add_rx_mpg: conn.cache_add_rx_mpg
|
|
cache_add_rx_new: conn.cache_add_rx_new
|
|
cache_add_tx_ev: conn.cache_add_tx_ev
|
|
cache_add_tx_mpg: conn.cache_add_tx_mpg
|
|
cache_del_mpg: conn.cache_del_mpg
|
|
cache_entries: conn.cache_entries
|
|
conn_state: conn.conn_state
|
|
corelight_shunted: conn.corelight_shunted
|
|
history: conn.history
|
|
id.orig_h.name_src: conn.id.orig_h_name.src
|
|
id.orig_h.names_vals: conn.id.orig_h_names.vals
|
|
id.resp_h.name_src: conn.id.resp_h_name.src
|
|
id.resp_h.name_vals: conn.id.resp_h_name.vals
|
|
#local_orig: conn.local_orig
|
|
local_resp: conn.local_resp
|
|
missed_bytes: conn.missed_bytes
|
|
orig_bytes: source.bytes
|
|
orig_cc: source.geo.country_iso_code
|
|
orig_ip_bytes: conn.orig_ip_bytes
|
|
orig_l2_addr: source.mac
|
|
orig_pkts: source.packets
|
|
resp_bytes: destination.bytes
|
|
resp_cc: destination.geo.country_iso_code
|
|
resp_ip_bytes: conn.resp.ip_bytes
|
|
resp_l2_addr: destination.mac
|
|
resp_pkts: destination.packets
|
|
# DCE-RPC Specific
|
|
endpoint: dce_rpc.endpoint
|
|
named_pipe: dce_rpc.named_pipe
|
|
operation: dce_rpc.operation
|
|
#rtt: dce_rpc.rtt
|
|
# DHCP
|
|
domain: source.domain
|
|
host_name: source.hostname
|
|
lease_time: dhcp.lease_time
|
|
agent_remote_id: dhcp.agent_remote_id
|
|
assigned_addr: dhcp.assigned_addr
|
|
circuit_id: dhcp.circuit_id
|
|
client_message: dhcp.client_message
|
|
client_software: dhcp.client_software
|
|
client_fqdn: source.fqdn
|
|
#mac: source.mac
|
|
msg_orig: dhcp.msg_orig
|
|
msg_types: dhcp.msg_types
|
|
requested_addr: dhcp.requested_addr
|
|
server_addr: destination.ip
|
|
server_message: dhcp.server_message
|
|
server_software: dhcp.server_software
|
|
subscriber_id: dhcp.subscriber_id
|
|
# DNS
|
|
AA: dns.AA
|
|
#addl: dns.addl
|
|
answers: dns.answers.name
|
|
TTLs: dns.answers.ttl
|
|
RA: dns.RA
|
|
RD: dns.RD
|
|
rejected: dns.rejected
|
|
TC: dns.TC
|
|
Z: dns.Z
|
|
qclass: dns.qclass
|
|
qclass_name: dns.question.class
|
|
qtype: dns.qtype
|
|
qtype_name: dns.question.type
|
|
query: dns.question.name
|
|
rcode_name: dns.response_code
|
|
rcode: dns.rcode
|
|
#rtt: dns.rtt
|
|
trans_id: dns.id
|
|
# DNP3
|
|
fc_reply: dnp3.fc_reply
|
|
fc_request: dnp3.fc_request
|
|
iin: dnp3.inn
|
|
# DPD
|
|
#analyzer: dpd.analyzer
|
|
failure_reason: dpd.failure_reason
|
|
packet_segment: dpd.packet_segment
|
|
# Files
|
|
rx_hosts: source.ip
|
|
tx_hosts: destination.ip
|
|
#analyzer: files.analyzer
|
|
depth: files.depth
|
|
#duration: files.duration
|
|
extracted: files.extracted
|
|
extracted_cutoff: files.extracted_cutoff
|
|
extracted_size: files.extracted_size
|
|
entropy: files.entropy
|
|
md5: file.hash.md5
|
|
sha1: file.hash.sha1
|
|
sha256: file.hash.sha256
|
|
#is_orig: file.is_orig
|
|
#local_orig: files.local_orig
|
|
missing_bytes: files.missing_bytes
|
|
filename: file.name
|
|
overflow_bytes: files.overflow_bytes
|
|
seen_bytes: files.seen_bytes
|
|
source: network.protocol
|
|
total_bytes: file.size
|
|
timedout: files.timedout
|
|
# GQUIC/QUIC
|
|
cyu: gquic.cyu
|
|
cyutags: gquic.cyutags
|
|
#server_name: destination.domain
|
|
tag_count: gquic.tag_count
|
|
#user_agent: user_agent.original
|
|
#version: gquic.version
|
|
# FTP
|
|
#arg: ftp.arg
|
|
#command: ftp.command
|
|
cwd: ftp.cwd
|
|
data_channel.orig_h: ftp.data_channel.orig_h
|
|
data_channel.passive: ftp.data_channel.passive
|
|
data_channel.resp_h: ftp.data_channel.resp_h
|
|
data_channel.resp_p: ftp.data_channel.resp_p
|
|
passive: ftp.passive
|
|
file_size: file.size
|
|
#mime_type: file.mime_type
|
|
#password: ftp.password
|
|
reply_code: ftp.reply_code
|
|
#reply_msg: ftp.reply_msg
|
|
#user: source.user.name
|
|
# HTTP
|
|
client_header_names: http.client_header_names
|
|
cookie_vars: http.cookie_vars
|
|
flash_version: http.flash_version
|
|
info_code: http.info_code
|
|
info_msg: http.info_msg
|
|
#method: http.request.method
|
|
omniture: http.omniture
|
|
orig_filenames: http.orig_filenames
|
|
orig_mime_types: http.orig_mime_types
|
|
origin: http.origin
|
|
#password: source.user.password
|
|
#response_body_len: http.response.body.bytes
|
|
#request_body_len: http.request.body.bytes
|
|
referrer: http.request.referrer
|
|
post_body: http.post_body
|
|
proxied: http.proxied
|
|
resp_filenames: http.resp_filenames
|
|
resp_mime_types: http.resp_mime_types
|
|
server_header_names: http.server_header_names
|
|
#status_code: http.response.status_code
|
|
#status_msg: http.status_msg
|
|
#trans_depth: http.trans_depth
|
|
uri_vars: http.uri_vars
|
|
#user_agent: user_agent.original
|
|
#username: source.user.name
|
|
#version: http.version
|
|
# Intel
|
|
file_mime_type: file.mime_type
|
|
file_desc: intel.file_desc
|
|
#host: host.ip
|
|
matched: intel.matched
|
|
indicator: intel.seen.indicator
|
|
indicator_type: intel.seen.indicator_type
|
|
node: intel.seen.node
|
|
where: intel.seen.where
|
|
sources: intel.seen.sources
|
|
# IRC
|
|
dcc_file_name: file.name
|
|
dcc_file_size: file.size
|
|
dcc_mime_type: file.mime_type
|
|
#command: irc.command
|
|
nick: irc.nick
|
|
#user: source.user.name
|
|
value: irc.command
|
|
# Kerberos
|
|
auth_ticket: kerberos.auth_ticket
|
|
#cipher: kerberos.cipher
|
|
#client: kerberos.client
|
|
client_cert_subject: kerberos.client_cert_subject
|
|
error_code: kerberos.error_code
|
|
error_msg: kerberos.error_msg
|
|
#from: kerberos.from
|
|
forwardable: kerberos.forwardable
|
|
new_ticket: kerberos.new_ticket
|
|
renewable: kerberos.renewable
|
|
request_type: kerberos.request_type
|
|
server_cert_subject: kerberos.server_cert_subject
|
|
#service: kerberos.service
|
|
#success: event.outcome
|
|
till: kerberos.till
|
|
# Known_Certs
|
|
#host: host.ip
|
|
issuer_subject: known_certs.issuer_subject
|
|
#port_num: labels.known.port
|
|
serial: known_certs.serial
|
|
#subject: known_certs.subject
|
|
# Known_Modbus
|
|
#host: host.ip
|
|
device_type: known_modbus.device_type
|
|
# Known_Services
|
|
port_proto: network.transport
|
|
#port_num: labels.known.port
|
|
# Modbus All
|
|
delta: modbus.delta
|
|
new_val: modbus.new_val
|
|
old_val: modbus.old_val
|
|
register: modbus.register
|
|
# Modbus
|
|
func: modbus.func
|
|
exception: modbus.exception
|
|
track_address: modbus.track_address
|
|
# ModBus_Register_Change
|
|
#delta: modbus.delta
|
|
#new_val: modbus.new_val
|
|
#old_val: modbus.old_val
|
|
#register: modbus.register
|
|
# MQTT_Connect , MQTT_Publish, MQTT_Subscribe
|
|
ack: mqtt.ack
|
|
#action: mqtt.action
|
|
client_id: mqtt.client_id
|
|
connect_status: mqtt.connect_status
|
|
from_client: mqtt.from_client
|
|
granted_qos_level: mqtt.granted_qos_level
|
|
payload: mqtt.payload
|
|
payload_len: mqtt.payload_len
|
|
proto_name: mqtt.proto_name
|
|
proto_version: mqtt.proto_version
|
|
qos: mqtt.qos
|
|
qos_levels: mqtt.qos_levels
|
|
retain: mqtt.retain
|
|
#status: mqtt.status
|
|
topic: mqtt.topic
|
|
topics: mqtt.topics
|
|
will_payload: mqtt.will_payload
|
|
will_topic: mqtt.will_topic
|
|
# MYSQL
|
|
#arg: mysql.arg
|
|
cmd: mysql.command
|
|
response: mysql.response
|
|
rows: mysql.rows
|
|
#success: event.outcome
|
|
# Notice
|
|
actions: notice.actions
|
|
dropped: notice.dropped
|
|
#dst: destination.ip
|
|
email_body_sections: notice.email_body_sections
|
|
email_delay_tokens: notice.email_delay_tokens
|
|
identifier: notice.identifier
|
|
#msg: notice.msg
|
|
n: notice.n
|
|
note: notice.note
|
|
p: destination.port
|
|
peer_descr: notice.peer_descr
|
|
peer_name: notice.peer_name
|
|
#proto: network.transport
|
|
#src: source.ip
|
|
sub: notice.sub
|
|
subpress_for: notice.subpress_for
|
|
# NTLM
|
|
domainname: ntlm.domainname
|
|
hostname: ntlm.hostname
|
|
#username: source.user.name
|
|
server_nb_computer_name: ntlm.server_nb_computer_name
|
|
server_tree_name: ntlm.server_tree_name
|
|
#success: event.outcome
|
|
server_dns_computer_name: ntlm.server_dns_computer_name
|
|
# NTP
|
|
mode: ntp.mode
|
|
num_exts: ntp.num_exts
|
|
org_time: ntp.org_time
|
|
poll: ntp.poll
|
|
precision: ntp.precision
|
|
rec_time: ntp.rec_time
|
|
ref_id: ntp.ref_id
|
|
ref_time: ntp.ref_time
|
|
root_delay: ntp.root_delay
|
|
root_disp: ntp.root_disp
|
|
stratum: ntp.stratum
|
|
#version: ntp.version
|
|
xmt_time: ntp.xmt_time
|
|
# OCSP
|
|
certStatus: oscp.certStatus
|
|
hashAlgorithm: oscp.hashAlgorithm
|
|
issuerKeyHash: oscp.issuerKeyHash
|
|
issuerNameHash: oscp.issuerNameHash
|
|
nextUpdate: oscp.nextUpdate
|
|
revokereason: oscp.revokereason
|
|
revoketime: oscp.revoketime
|
|
serialNumber: oscp.serialNumber
|
|
thisUpdate: oscp.thisUpdate
|
|
# PE
|
|
compile_ts: pe.compile_ts
|
|
has_cert_table: pe.has_cert_table
|
|
has_debug_data: pe.has_debug_data
|
|
has_import_table: pe.has_import_table
|
|
has_export_table: pe.has_export_table
|
|
is_64bit: pe.is_64bit
|
|
is_exe: pe.is_exe
|
|
machine: pe.machine
|
|
os: pe.os
|
|
section_names: pe.section_names
|
|
subsystem: pe.subsystem
|
|
uses_aslr: pe.uses_aslr
|
|
uses_code_integrity: pe.uses_code_integrity
|
|
uses_dep: pe.uses_dep
|
|
uses_seh: pe.uses_seh
|
|
# POP3
|
|
#arg: pop3.arg
|
|
#command: pop3.command
|
|
current_request: pop3.current_request
|
|
current_response: pop3.current_response
|
|
data: pop3.data
|
|
failed_commands: pop3.failed_commands
|
|
has_client_activity: pop3.has_client_activity
|
|
#is_orig: pop3.is_orig
|
|
#msg: pop3.msg
|
|
#password: source.user.password
|
|
pending: pop3.pending
|
|
#status: pop3.status
|
|
successful_commands: pop3.successful_commands
|
|
#username: source.user.name
|
|
# Radius
|
|
connect_info: radius.connect_info
|
|
framed_addr: radius.framed_addr
|
|
#mac: source.mac
|
|
#reply_msg: radius.reply_msg
|
|
#result: event.outcome
|
|
ttl: event.duration
|
|
tunnel_client: radius.tunnel_client
|
|
#username: source.user.name
|
|
# RDP
|
|
cert_count: rdp.cert_count
|
|
cert_permanent: rdp.cert_permanent
|
|
cert_type: rdp.cert_type
|
|
client_build: rdp.client_build
|
|
client_dig_product_id: rdp.client_dig_product_id
|
|
client_name: source.hostname
|
|
cookie: rdp.cookie
|
|
desktop_height: rdp.desktop_height
|
|
desktop_width: rdp.desktop_width
|
|
encryption_level: rdp.encryption_level
|
|
encryption_method: rdp.encryption_method
|
|
keyboard_layout: rdp.keyboard_layout
|
|
requested_color_depth: rdp.requested_color_depth
|
|
#result: event.outcome
|
|
security_protocol: rdp.security_protocol
|
|
ssl: rdp.ssl
|
|
# RFB
|
|
#auth: event.outcome
|
|
authentication_method: rfb.authentication_method
|
|
client_major_version: rfb.client_major_version
|
|
client_minor_version: rfb.client_minor_version
|
|
desktop_name: destination.hostname
|
|
height: rfb.height
|
|
server_major_version: rfb.server_major_version
|
|
server_minor_version: rfb.server_minor_version
|
|
share_flag: rfb.share_flag
|
|
width: rfb.width
|
|
# SIP
|
|
call_id: sip.call_id
|
|
content_type: sip.content_type
|
|
#date: sip.date
|
|
#method: sip.method
|
|
#reply_to: sip.reply_to
|
|
#request_body_len: sip.request_body_len
|
|
request_from: sip.request_from
|
|
request_path: sip.request_path
|
|
request_to: sip.request_to
|
|
#response_body_len: sip.response_body_len
|
|
response_from: sip.response_from
|
|
response_path: sip.response_path
|
|
response_to: sip.response_to
|
|
seq: sip.seq
|
|
#status_code: sip.status_code
|
|
#status_msg: sip.status_msg
|
|
#subject: sip.subject
|
|
#trans_depth: sip.trans_depth
|
|
#uri: url.original
|
|
warning: sip.warning
|
|
#user_agent: user_agent.original
|
|
# SMB_Files
|
|
#action: smb.action
|
|
#name: file.name
|
|
#path: file.path
|
|
prev_name: smb.prev_name
|
|
size: file.size
|
|
times_accessed: file.accessed
|
|
times_changed: file.ctime
|
|
times_created: file.created
|
|
times_modified: file.mtime
|
|
# SMB_Mapping
|
|
native_file_system: smb.native_file_system
|
|
#path: file.path
|
|
share_type: smb.share_type
|
|
#service: smb.service
|
|
# SMTP
|
|
cc: smtp.cc
|
|
#date: smtp.date
|
|
first_received: smtp.first_received
|
|
#from: smtp.from
|
|
helo: smtp.helo
|
|
in_reply_to: smtp.in_reply_to
|
|
is_webmail: smtp.is_webmail
|
|
last_reply: smtp.last_reply
|
|
mailfrom: smtp.mailfrom
|
|
msg_id: smtp.msg_id
|
|
#path: smtp.path
|
|
rcptto: smtp.rcptto
|
|
#reply_to: smtp.reply_to
|
|
second_received: smtp.second_received
|
|
#subject: smtp.subject
|
|
tls: smtp.tls
|
|
to: smtp.to
|
|
#trans_depth: smtp.trans_depth
|
|
x_originating_ip: smtp.x_originating_ip
|
|
#user_agent: user_agent.original
|
|
# SMTP_Links
|
|
#cs-host: url.domain
|
|
#c-uri: url.original
|
|
# SNMP
|
|
#duration: event.duration
|
|
community: snmp.community
|
|
display_string: snmp.display_string
|
|
get_bulk_requests: snmp.get_bulk_requests
|
|
get_requests: snmp.get_requests
|
|
set_requests: snmp.set_requests
|
|
up_since: snmp.up_since
|
|
#version: snmp.version
|
|
# Socks
|
|
#password: source.user.password
|
|
bound_host: socks.bound_host
|
|
bound_name: socks.bound_name
|
|
bound_p: socks.bound_p
|
|
request_host: socks.request_host
|
|
request_name: socks.request_name
|
|
request_p: socks.request_p
|
|
#status: socks.status
|
|
#version: socks.version
|
|
# Software
|
|
#host: host.ip
|
|
host_p: software.host_port
|
|
version.major: software.version.major
|
|
version.minor: software.version.minor
|
|
version.minor2: software.version.minor2
|
|
version.minor3: software.version.minor3
|
|
#name: software.name
|
|
unparsed_version: software.unparsed_version
|
|
software_type: software.software_type
|
|
#url: url.original
|
|
# SSH
|
|
auth_attempts: ssh.auth_attempts
|
|
auth_success: event.outcome
|
|
cipher_alg: ssh.cipher_alg
|
|
#client: ssh.client
|
|
compression_alg: ssh.compression_alg
|
|
cshka: ssh.cshka
|
|
direction: network.direction
|
|
hassh: ssh.hassh
|
|
hasshAlgorithms: ssh.hasshAlgorithms
|
|
hasshServer: ssh.hasshServer
|
|
hasshServerAlgorithms: ssh.hasshServerAlgorithms
|
|
hasshVersion: ssh.hasshVersion
|
|
host_key: ssh.host_key
|
|
host_key_alg: ssh.host_key_alg
|
|
kex_alg: ssh.kex_alg
|
|
mac_alg: ssh.mac_alg
|
|
server: ssh.server
|
|
#version: ssh.version
|
|
# SSL / TLS
|
|
#cipher: tls.cipher
|
|
client_issuer: tls.client.issuer
|
|
client_subject: tls.client.subject
|
|
curve: tls.curve
|
|
established: tls.established
|
|
issuer: tls.server.issuer
|
|
ja3: tls.client.ja3
|
|
ja3s: tls.client.ja3s
|
|
last_alert: ssl.last_alert
|
|
next_protocol: tls.next_protocol
|
|
notary: ssl.notary
|
|
ocsp_status: ssl.oscp_status
|
|
orig_certificate_sha1: tls.client.hash.sha1
|
|
resp_certificate_sha1: tls.server.hash.sha1
|
|
resumed: tls.resumed
|
|
#server_name: tls.client.server_name
|
|
#subject: tls.server.subject
|
|
valid_ct_logs: ssl.valid_ct_logs
|
|
valid_ct_operators: ssl.validct_operators
|
|
valid_ct_operators_list: ssl.valid_ct_operators_list
|
|
validation_status: ssl.validation_status
|
|
#version: tls.version
|
|
version_num: ssl.version_num
|
|
# Syslog
|
|
facility: log.syslog.facility.name
|
|
severity: log.syslog.severity.name
|
|
message: syslog.message
|
|
# Traceroute
|
|
#proto: network.transport
|
|
#dst: destination.ip
|
|
#src: source.ip
|
|
# Tunnel
|
|
#action: tunnel.action
|
|
tunnel_type: tunnel.tunnel_type
|
|
# Weird
|
|
#addl: weird.addl
|
|
#name: weird.name
|
|
notice: weird.notice
|
|
peer: weird.peer
|
|
# X509
|
|
basic_constraints.ca: x509.certificate.basic_constraints_ca
|
|
basic_constraints.path_len: x509.certificate.basic_constraints_path_length
|
|
certificate.cn: x509.certificate.cn
|
|
certificate.curve: x509.certificate.curve
|
|
certificate.exponent: x509.certificate.exponent
|
|
certificate.issuer: x509.certificate.issuer
|
|
certificate.key_alg: x509.certificate.key_alg
|
|
certificate.key_length: x509.certificate.key_length
|
|
certificate.key_type: x509.certificate.key_type
|
|
certificate.not_valid_after: x509.certificate.not_valid_after
|
|
certificate.not_valid_before: x509.certificate.not_valid_before
|
|
certificate.serial: x509.certificate.serial
|
|
certificate.sig_alg: x509.certificate.sig_alg
|
|
certificate.subject: x509.certificate.subject
|
|
certificate.version: x509.certificate.version
|
|
logcert: x509.logcert
|
|
san.dns: x509.san.dns
|
|
san.email: x509.san.email
|
|
san.ip: x509.san.ip
|
|
san.uri: x509.san.url
|
|
# Few other variations of names from zeek source itself
|
|
id_orig_h: source.ip
|
|
id_orig_p: source.port
|
|
id_resp_h: destination.ip
|
|
id_resp_p: destination.port
|
|
# Temporary one off rule name fields
|
|
cs-uri: url.original
|
|
# destination.domain:
|
|
# destination.ip:
|
|
# destination.port:
|
|
# http.response.status_code
|
|
# http.request.body.content
|
|
# source.domain:
|
|
# source.ip:
|
|
# source.port:
|
|
agent.version: http.version
|
|
c-ip: source.ip
|
|
clientip: source.ip
|
|
clientIP: source.ip
|
|
dest_domain:
|
|
- destination.domain
|
|
- url.domain
|
|
dest_ip: destination.ip
|
|
dest_port: destination.port
|
|
#TODO:WhatShouldThisBe?==dest:
|
|
#TODO:WhatShouldThisBe?==destination:
|
|
#TODO:WhatShouldThisBe?==Destination:
|
|
destination.hostname:
|
|
- destination.domain
|
|
- url.domain
|
|
DestinationAddress: destination.ip
|
|
DestinationHostname:
|
|
- destination.domain
|
|
- url.domain
|
|
DestinationIp: destination.ip
|
|
DestinationIP: destination.ip
|
|
DestinationPort: destination.port
|
|
dst-ip: destination.ip
|
|
dstip: destination.ip
|
|
dstport: destination.port
|
|
Host:
|
|
- destination.domain
|
|
- url.domain
|
|
#host:
|
|
# - destination.domain
|
|
# - url.domain
|
|
HostVersion: http.version
|
|
http_host:
|
|
- destination.domain
|
|
- url.domain
|
|
http_uri: url.original
|
|
http_url: url.original
|
|
#http_user_agent: user_agent.original
|
|
http.request.url-query-params: url.original
|
|
HttpMethod: http.request.method
|
|
in_url: url.original
|
|
#parent_domain:
|
|
# - url.registered_domain
|
|
# - destination.registered_domain
|
|
post_url_parameter: url.original
|
|
Request Url: url.original
|
|
request_url: url.original
|
|
request_URL: url.original
|
|
RequestUrl: url.original
|
|
#response: http.response.status_code
|
|
resource.url: url.original
|
|
resource.URL: url.original
|
|
sc_status: http.response.status_code
|
|
sender_domain:
|
|
- destination.domain
|
|
- url.domain
|
|
service.response_code: http.response.status_code
|
|
SourceAddr:
|
|
- source.address
|
|
- source.ip
|
|
SourceAddress: source.ip
|
|
SourceIP: source.ip
|
|
SourceIp: source.ip
|
|
SourceNetworkAddress:
|
|
- source.address
|
|
- source.ip
|
|
SourcePort: source.port
|
|
srcip: source.ip
|
|
Status: http.response.status_code
|
|
#status: http.response.status_code
|
|
url: url.original
|
|
URL: url.original
|
|
url_query: url.original
|
|
url.query: url.original
|
|
uri_path: url.original
|
|
#user_agent: user_agent.original
|
|
user_agent.name: user_agent.original
|
|
user-agent: user_agent.original
|
|
User-Agent: user_agent.original
|
|
useragent: user_agent.original
|
|
UserAgent: user_agent.original
|
|
User Agent: user_agent.original
|
|
web_dest:
|
|
- url.domain
|
|
- destination.domain
|
|
web.dest:
|
|
- url.domain
|
|
- destination.domain
|
|
Web.dest:
|
|
- url.domain
|
|
- destination.domain
|
|
web.host:
|
|
- url.domain
|
|
- destination.domain
|
|
Web.host:
|
|
- url.domain
|
|
- destination.domain
|
|
web_method: http.request.method
|
|
Web_method: http.request.method
|
|
web.method: http.request.method
|
|
Web.method: http.request.method
|
|
web_src: source.ip
|
|
web_status: http.response.status_code
|
|
Web_status: http.response.status_code
|
|
web.status: http.response.status_code
|
|
Web.status: http.response.status_code
|
|
web_uri: url.original
|
|
web_url: url.original
|