Replies: 5 comments 1 reply
-
hello,
-
@frack113: did you already split up and merge all of the
-
I can only find my Godmode rule, which is just an example and another rule named "win_apt_apt29_tor.yml" in the master branch. Wow. Great work. @thomaspatzke: How important is that rule? We could rewrite such a rule with one of the new correlation rules some day. I'd like to move it to rules-unsupported for the time being to clean up everything.
-
Hi, win_apt_apt29_tor.yml:
ala: FAILURE
ala-rule: FAILURE
arcsight: FAILURE
arcsight-esm: FAILURE
carbonblack: FAILURE
chronicle: FAILURE
crowdstrike: FAILURE
csharp: FAILURE
devo: FAILURE
ee-outliers: FAILURE
elastalert: FAILURE
elastalert-dsl: FAILURE
es-dsl: FAILURE
es-qs: FAILURE
es-rule: FAILURE
fireeye-helix: FAILURE
graylog: FAILURE
grep: SUCCESS
humio: FAILURE
kibana: SUCCESS
kibana-ndjson: SUCCESS
lacework: FAILURE
limacharlie: FAILURE
logiq: FAILURE
logpoint: FAILURE
mdatp: FAILURE
netwitness: SUCCESS
netwitness-epl: SUCCESS
powershell: FAILURE
qradar: FAILURE
qualys: FAILURE
sentinel-rule: FAILURE
splunk: FAILURE
splunkdm: FAILURE
splunkxml: SUCCESS
sql: FAILURE
sqlite: FAILURE
stix: SUCCESS
sumologic: FAILURE
sumologic-cse: FAILURE
sumologic-cse-rule: FAILURE
uberagent: SUCCESS
xpack-watcher: SUCCESS

Can be put into rules-unsupported for me
-
I already did that. The
-
Planned Changes from our web session on 02.09.2021

Global Rules
definition: rules with "action: global" and multiple sections
plan: we'd like to split up all global rules and create dedicated rules, so that every detection idea has a dedicated level, ID, tags and so on.
why: the problem is that now a single rule file can contain multiple detection rules for different log sources, different levels etc. under the same ID, which makes it difficult to put all rules in a common database scheme and work with them.
Step 1
Define and test for certain fields in "global" section. Forbidden fields in "global" section:
Step 2
Check if global rule deprecation is possible
Step 3
Split up all global rules and create normal rules, remove all global rules

Placeholders
definition: list placeholders in rules as proposed by frack in other discussion
decision: in new sigma converter only
important: check specifications and add them if not yet included

Relations
definition: the field "related" mentioned in wiki
add value "sibling" (or the like)
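The split that Step 3 of the plan above asks for, as an added example (not Sigma project code): a Python function that folds an "action: global" document into every later document of the same file, so each detection idea becomes a stand-alone rule with its own ID, level and log source instead of sharing the global rule's ID. It assumes the legacy "action: global" / "action: reset" collection semantics, derives missing IDs with uuid5 (a choice made for this example, not a Sigma convention), and works on a constructed sample; SAMPLE_DOCS and its UUID are made up.

```python
import copy
import uuid


def deep_merge(base, override):
    """Return base updated by override; nested dicts merge key by key."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def split_global_documents(docs):
    """Expand one rule file's YAML documents into stand-alone rule dicts.
    'action: global' folds into a template applied to all later documents,
    'action: reset' clears it (both are legacy Sigma collection actions). A
    document lacking its own 'id' gets uuid5(template id, index): chosen here
    for determinism, not a Sigma convention, so that no two rules share an ID.
    """
    template, rules = {}, []
    for index, doc in enumerate(docs):
        action = doc.get("action")
        if action == "global":
            template = deep_merge(template, {k: v for k, v in doc.items() if k != "action"})
        elif action == "reset":
            template = {}
        elif action is not None:
            raise ValueError(f"unsupported action in document {index}: {action}")
        else:
            rule = deep_merge(template, doc)
            if "id" not in doc and "id" in template:
                rule["id"] = str(uuid.uuid5(uuid.UUID(template["id"]), str(index)))
            rules.append(rule)
    return rules


# Constructed sample: one global section shared by two log sources. A real
# file would be loaded with split_global_documents(list(yaml.safe_load_all(text))).
SAMPLE_DOCS = [
    {"action": "global", "title": "Suspicious tool", "level": "medium",
     "id": "3b0e2c52-8f7e-4c6a-9d1e-0f2a6c9b7d11",
     "detection": {"selection": {"Image|endswith": "\\tool.exe"}, "condition": "selection"}},
    {"logsource": {"category": "process_creation", "product": "windows"}},
    {"logsource": {"product": "windows", "service": "sysmon"},
     "detection": {"selection": {"EventID": 1}}, "level": "high"},
]
```

Running it on SAMPLE_DOCS yields two rules: the first keeps the global level "medium", the second overrides it with "high" and adds EventID to the shared selection, and neither reuses the global document's ID.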