valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c5bdd18d8d
SigmaHQ/tools/config/winlogbeat.yml
Maxime Thiebaut c5bdd18d8d Add Winlogbeat's RuleName field to mapping 
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
	<Event
		xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
		<System>
			<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
			<EventID>13</EventID>
			<Version>2</Version>
			<Level>4</Level>
			<Task>13</Task>
			<Opcode>0</Opcode>
			<Keywords>0x8000000000000000</Keywords>
			<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
			<EventRecordID>160631</EventRecordID>
			<Correlation/>
			<Execution ProcessID='2156' ThreadID='3628'/>
			<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
			<Computer>win10.sec699-40.lab</Computer>
			<Security UserID='S-1-5-18'/>
		</System>
		<EventData>
			<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
			<Data Name='EventType'>SetValue</Data>
			<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
			<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
			<Data Name='ProcessId'>5064</Data>
			<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
			<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
			<Data Name='Details'>Binary Data</Data>
		</EventData>
	</Event>
</Events>
```

When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.

The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
2020-03-19 19:40:18 +01:00

120 lines
4.5 KiB
YAML
Raw Blame History

title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.computer_name
ContextInfo: winlog.event_data.ContextInfo
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: winlog.event_data.FileName
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: winlog.event_data.Image
ImageLoaded: winlog.event_data.ImageLoaded
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: winlog.event_data.IpAddress
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
Message: winlog.event_data.Message
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: winlog.event_data.ParentCommandLine
ParentProcessName: winlog.event_data.ParentProcessName
ParentImage: winlog.event_data.ParentImage
Path: winlog.event_data.Path
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
SubjectUserSid: winlog.event_data.SubjectUserSid
TargetFilename: winlog.event_data.TargetFilename
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
Reference in New Issue View Git Blame Copy Permalink