diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 316c6ef386d..bb6cee73175 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -59,7 +59,7 @@ jobs:
 python-version: 3.11
 - name: Test Sigma logsource
 run: |
- pip install PyYAML colorama
+ pip install pysigma colorama
 python tests/test_logsource.py
 test-sigma:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
index 0f92953ea77..b9a9d685b45 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
@@ -12,11 +12,11 @@ references:
 - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024/06/24
+modified: 2024/07/25
 tags:
 - attack.credential_access
 logsource:
 product: windows
- service: windows
 category: process_creation
 detection:
 selection_img:
diff --git a/tests/logsource.json b/tests/logsource.json
index 55bfeefd9fd..041d3315ff5 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
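Review bot: The new `pip install pysigma colorama` line in the sigma-test.yml hunk installs whatever pysigma release the index serves at run time, so the logsource test can change behaviour or break without any change in this repository, and an unpinned CI install is also the usual entry point for a dependency-substitution problem; pin it, e.g. `pip install "pysigma==<PINNED_VERSION>" colorama` (placeholder version), or install from a requirements file with hashes. Dropping PyYAML from the same line means tests/test_logsource.py now depends on pysigma pulling a YAML library in transitively, which presumably holds today but should be confirmed against the script's imports rather than assumed. The job definition continues outside the hunk.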
@@ -1,447 +1,1908 @@ -{ - "title": "Field name by logsource", - "version": "20230113", - "legit":{ - "windows":{ - "common": ["EventID", "Provider_Name","Channel","Computer","Security_UserID"], - "empty": [], - "category":{ - "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion", - "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName", - "ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId", - "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User", "GrandParentImage"], - "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"], - "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort", - "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname", - "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User", "ParentImage"], - "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"], - "process_termination":["Image", "ProcessGuid", "ProcessId", "User"], - "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"], - "image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid", - "ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"], - "create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress", - "StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"], - "raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"], - "process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId", - "SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"], - 
"raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], - "file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], - "file_executable_detected":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "Hashes", "User"], - "registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"], - "registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"], - "registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"], - "registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], - "registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], - "create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], - "pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"], - "wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"], - "dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"], - "file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"], - "clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"], - "process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"], - "file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], - "ps_module":["ContextInfo", "UserData", "Payload"], - "ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"], - "file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"], - "file_rename":["Irp", "FileObject", "FileKey", 
"ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"], - "ps_classic_start":[], - "ps_classic_provider_start":[], - "sysmon_error":[] - }, - "service":{ - "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"], - "bits-client":["RemoteName", "LocalName", "processPath", "processId"], - "codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer", - "RequestedPolicy", "ValidatedPolicy", "Status"], - "diagnosis-scripted": ["PackagePath", "PackageId"], - "firewall-as":["Action", "ApplicationPath", "ModifyingApplication"], - "ldap":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"], - "ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID", - "ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"], - "openssh":["process", "payload"], - "security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine", - "ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel", - "ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime", - "RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"], - "shell-core":["Name", "AppID", "Flags"], - "smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName", - "UserNameLength", "UserName", "ServerNameLength", "ServerName"], - "smbclient-connectivity":[], - "taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"], - "terminalservices-localsessionmanager":["User", "SessionID", "Address"], - "iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", - "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", - "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", - 
"cs-referer", "cs-cookie"], - "application":[], - "sysmon":[], - "powershell":[], - "powershell-classic":[], - "security":[], - "system":[], - "windefend":[], - "wmi":[], - "microsoft-servicebus-client":[], - "printservice-operational":[], - "driver-framework":[], - "dns-server-analytic":[], - "dns-server":[], - "printservice-admin":[], - "msexchange-management":[], - "applocker":[], - "vhdmp":[], - "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"], - "appxpackaging-om":["subjectName"], - "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"], - "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"], - "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"], - "capi2":[], - "certificateservicesclient-lifecycle-system":[] - } - }, - "linux":{ - "common": [], - "empty": [], - "category":{ - "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", - "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", - "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], - "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", - "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", - "DestinationPortName"], - "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], - "raw_access_read": ["ProcessGuid", "ProcessId", 
"Image", "Device", "User"], - "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], - "sysmon_status": ["Configuration", "ConfigurationFileHash"], - "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] - }, - "service":{ - "auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", - "acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time", - "audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi", - "cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data", - "default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe", - "exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp", - "hook", "hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd", - "ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj", - "major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp", - "new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role", - "new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing", - "old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs", - "old-level", "old-log_passwd", "old-mem", "old-net", 
"old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid", - "oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer", - "proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid", - "scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid", - "sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user", - "uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"], - "vsftpd":[], - "sshd":[], - "syslog":[], - "guacamole":[], - "auth":[], - "clamav":[], - "modsecurity":[], - "sudo":[], - "cron":[] - } - }, - "empty":{ - "common": [], - "empty": ["not_found"], - "category":{ - "proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie", - "cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip", - "cs-uri"], - "webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", - "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", - "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", - "cs-referer", "cs-cookie"], - "antivirus":[], - "database":[], - "dns":[], - "firewall":[] - }, - "service":{ - "apache":[], - "netflow":[], - "nginx":[] - } - }, - "cisco":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "aaa":[], - "bgp":[], - "duo":[], - "ldp":[], - "syslog":[] - } - }, - "fortios":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "sslvpnd": [] - } - }, - "paloalto":{ - "common": [], - "empty": [], - "category":{ - "file_event": [] - }, - "service":{ - "globalprotect": [] - } - }, - 
"django":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "kubernetes":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{ - "audit": [] - } - }, - "python":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "qualys":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "rpc_firewall":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "ruby_on_rails":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "modsecurity":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "spring":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "sql":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "jvm":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "nodejs":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "opencanary":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "velocity":{ - "common": [], - "empty": [], - "category":{ - "application":[] - }, - "service":{} - }, - "aws":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "cloudtrail":[] - } - }, - "azure":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "activitylogs":[], - "auditlogs":[], - "riskdetection":[], - "pim":[], - "signinlogs":[] - } - }, - "gcp":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "gcp.audit":[], - "google_workspace.admin":[] - } - }, - "github":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "audit":[] - } - }, - "bitbucket":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "audit":[] - } - }, - "m365":{ - "common": 
[], - "empty": [], - "category":{}, - "service":{ - "audit":[], - "exchange":[], - "threat_detection":[], - "threat_management":[] - } - }, - "okta":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "okta":[] - } - }, - "onelogin":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "onelogin.events":[] - } - }, - "huawei":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "bgp":[] - } - }, - "juniper":{ - "common": [], - "empty": [], - "category":{}, - "service":{ - "bgp":[] - } - }, - "zeek":{ - "common": [], - "empty": [], - "category":{ - }, - "service":{ - "kerberos":[], - "smb_files":[], - "rdp":[], - "http":[], - "dns":[], - "dce_rpc":[], - "x509":[] - } - }, - "macos":{ - "common": [], - "empty": [], - "category":{ - "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", - "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", - "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], - "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", - "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", - "DestinationPortName"], - "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], - "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], - "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], - "sysmon_status": ["Configuration", "ConfigurationFileHash"], - "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] - }, - "service":{ - } - } - }, - "addon":{ - "windows":{ - "category":{ - "process_creation": ["GrandparentCommandLine"], - "network_connection": ["CommandLine", 
"ParentImage"], - "create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage", - "SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine", - "IsInitialThread", "RemoteCreation"], - "file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"], - "file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"], - "image_load": ["CommandLine"], - "process_access": ["SourceCommandLine", "CallTraceExtended"], - "file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"], - "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"] - }, - "service":{} - } - } +{ + "title": "Field name by logsource", + "version": "20240809", + "common": { + "windows": { + "product": "windows", + "category": null, + "service": null, + "data": [ + "Channel", + "Computer", + "EventID", + "Provider_Name", + "Security_UserID" + ] + } + }, + "addon": { + "win_create_remote_thread": { + "product": "windows", + "category": "create_remote_thread", + "service": null, + "data": [ + "IsInitialThread", + "RemoteCreation", + "SourceCommandLine", + "SourceParentCommandLine", + "SourceParentImage", + "SourceParentProcessId", + "TargetCommandLine", + "TargetParentCommandLine", + "TargetParentImage", + "TargetParentProcessId", + "User" + ] + }, + "win_file_access": { + "product": "windows", + "category": "file_access", + "service": null, + "data": [ + "CommandLine", + "Image", + "ParentCommandLine", + "ParentImage", + "TargetFilename", + "User" + ] + }, + "win_file_delete": { + "product": "windows", + "category": "file_delete", + "service": null, + "data": [ + "CommandLine", + "ParentCommandLine", + "ParentImage" + ] + }, + "win_file_event": { + "product": "windows", + "category": "file_event", + "service": null, + "data": [ + "CommandLine", + 
"MagicHeader", + "ParentCommandLine", + "ParentImage" + ] + }, + "win_file_rename": { + "product": "windows", + "category": "file_rename", + "service": null, + "data": [ + "CommandLine", + "Image", + "MagicHeader", + "OriginalFileName", + "ParentCommandLine", + "ParentImage", + "SourceFilename", + "TargetFilename", + "User" + ] + }, + "win_image_load": { + "product": "windows", + "category": "image_load", + "service": null, + "data": [ + "CommandLine" + ] + }, + "win_network_connection": { + "product": "windows", + "category": "network_connection", + "service": null, + "data": [ + "CommandLine", + "ParentImage" + ] + }, + "win_process_access": { + "product": "windows", + "category": "process_access", + "service": null, + "data": [ + "CallTraceExtended", + "SourceCommandLine" + ] + }, + "win_process_creation": { + "product": "windows", + "category": "process_creation", + "service": null, + "data": [ + "GrandparentCommandLine" + ] + } + }, + "field": { + "antivirus": { + "product": null, + "category": "antivirus", + "service": null, + "data": [] + }, + "apache": { + "product": null, + "category": null, + "service": "apache", + "data": [] + }, + "aws_cloudtrail": { + "product": "aws", + "category": null, + "service": "cloudtrail", + "data": [] + }, + "azure_activitylogs": { + "product": "azure", + "category": null, + "service": "activitylogs", + "data": [] + }, + "azure_auditlogs": { + "product": "azure", + "category": null, + "service": "auditlogs", + "data": [] + }, + "azure_pim": { + "product": "azure", + "category": null, + "service": "pim", + "data": [] + }, + "azure_riskdetection": { + "product": "azure", + "category": null, + "service": "riskdetection", + "data": [] + }, + "azure_signinlogs": { + "product": "azure", + "category": null, + "service": "signinlogs", + "data": [] + }, + "bitbucket_audit": { + "product": "bitbucket", + "category": null, + "service": "audit", + "data": [] + }, + "cisco_aaa": { + "product": "cisco", + "category": null, + "service": 
"aaa", + "data": [] + }, + "cisco_bgp": { + "product": "cisco", + "category": null, + "service": "bgp", + "data": [] + }, + "cisco_duo": { + "product": "cisco", + "category": null, + "service": "duo", + "data": [] + }, + "cisco_ldp": { + "product": "cisco", + "category": null, + "service": "ldp", + "data": [] + }, + "cisco_syslog": { + "product": "cisco", + "category": null, + "service": "syslog", + "data": [] + }, + "database": { + "product": null, + "category": "database", + "service": null, + "data": [] + }, + "django": { + "product": "django", + "category": "application", + "service": null, + "data": [] + }, + "dns": { + "product": null, + "category": "dns", + "service": null, + "data": [] + }, + "firewall": { + "product": null, + "category": "firewall", + "service": null, + "data": [] + }, + "fortios_sslvpnd": { + "product": "fortios", + "category": null, + "service": "sslvpnd", + "data": [] + }, + "gcp_gcp.audit": { + "product": "gcp", + "category": null, + "service": "gcp.audit", + "data": [] + }, + "gcp_google_workspace.admin": { + "product": "gcp", + "category": null, + "service": "google_workspace.admin", + "data": [] + }, + "github_audit": { + "product": "github", + "category": null, + "service": "audit", + "data": [] + }, + "huawei_bgp": { + "product": "huawei", + "category": null, + "service": "bgp", + "data": [] + }, + "juniper_bgp": { + "product": "juniper", + "category": null, + "service": "bgp", + "data": [] + }, + "jvm_application": { + "product": "jvm", + "category": "application", + "service": null, + "data": [] + }, + "kubernetes_application": { + "product": "kubernetes", + "category": "application", + "service": null, + "data": [] + }, + "kubernetes_application_audit": { + "product": "kubernetes", + "category": "application", + "service": "audit", + "data": [] + }, + "kubernetes_audit": { + "product": "kubernetes", + "category": null, + "service": "audit", + "data": [] + }, + "linux": { + "product": "linux", + "category": null, + "service": 
null, + "data": [] + }, + "lnx_auditd": { + "product": "linux", + "category": null, + "service": "auditd", + "data": [ + "a0", + "a1", + "a2", + "a3", + "a4", + "a5", + "a6", + "a7", + "a8", + "a9", + "acct", + "acl", + "action", + "added", + "addr", + "apparmor", + "arch", + "argc", + "audit_backlog_limit", + "audit_backlog_wait_time", + "audit_enabled", + "audit_failure", + "auid", + "banners", + "bool", + "bus", + "cap_fe,cap_fi", + "cap_fp", + "cap_fver", + "cap_pa", + "cap_pe", + "cap_pi", + "cap_pp", + "capability", + "category", + "cgroup", + "changed", + "cipher", + "class", + "cmd", + "code", + "comm", + "compat", + "cwd", + "daddr", + "data", + "default-context", + "dev", + "dev", + "device", + "dir", + "direction", + "dmac", + "dport", + "egid", + "enforcing", + "entries", + "errno", + "euid", + "exe", + "exit", + "fam", + "family", + "fd", + "fe", + "feature", + "fi", + "file", + "flags", + "format", + "fp", + "fsgid", + "fsuid", + "fver", + "gid", + "grantors", + "grp", + "hook", + "hostname", + "icmp_type", + "id", + "igid", + "img-ctx", + "inif", + "ino", + "inode", + "inode_gid", + "inode_uid", + "invalid_context", + "ioctlcmd", + "ip", + "ipid", + "ipx-net", + "item", + "items", + "iuid", + "kernel", + "key", + "kind", + "ksize", + "laddr", + "len", + "list", + "lport", + "mac", + "macproto", + "maj", + "major", + "minor", + "mode", + "model", + "msg", + "name", + "nametype", + "nargs", + "net", + "new", + "new-chardev", + "new-disk", + "new-enabled", + "new-fs", + "new-level", + "new-log_passwd", + "new-mem", + "new-net", + "new-range", + "new-rng", + "new-role", + "new-seuser", + "new-vcpu", + "new_gid", + "new_lock", + "new_pe", + "new_pi", + "new_pp", + "nlnk-fam", + "nlnk-grp", + "nlnk-pid", + "oauid", + "obj", + "obj_gid", + "obj_uid", + "ocomm", + "oflag", + "ogid", + "old", + "old-auid", + "old-chardev", + "old-disk", + "old-enabled", + "old-fs", + "old-level", + "old-log_passwd", + "old-mem", + "old-net", + "old-range", + "old-rng", + 
"old-role", + "old-ses", + "old-seuser", + "old-vcpu", + "old_enforcing", + "old_lock", + "old_pa", + "old_pe", + "old_pi", + "old_pp", + "old_prom", + "old_val", + "op", + "opid", + "oses", + "ouid", + "outif", + "pa", + "parent", + "path", + "pe", + "per", + "perm", + "perm_mask", + "permissive", + "pfs", + "pi", + "pid", + "pp", + "ppid", + "printer", + "proctitle", + "prom", + "proto", + "qbytes", + "range", + "rdev", + "reason", + "removed", + "res", + "resrc", + "result", + "role", + "rport", + "saddr", + "sauid", + "scontext", + "selected-context", + "seperm", + "seperms", + "seqno", + "seresult", + "ses", + "seuser", + "sgid", + "sig", + "sigev_signo", + "smac", + "spid", + "sport", + "state", + "subj", + "success", + "suid", + "syscall", + "table", + "tclass", + "tcontext", + "terminal", + "tty", + "type", + "uid", + "unit", + "uri", + "user", + "uuid", + "val", + "val", + "ver", + "virt", + "vm", + "vm-ctx", + "vm-pid", + "watch" + ] + }, + "lnx_auth": { + "product": "linux", + "category": null, + "service": "auth", + "data": [] + }, + "lnx_clamav": { + "product": "linux", + "category": null, + "service": "clamav", + "data": [] + }, + "lnx_cron": { + "product": "linux", + "category": null, + "service": "cron", + "data": [] + }, + "lnx_file_delete": { + "product": "linux", + "category": "file_delete", + "service": null, + "data": [ + "Archived", + "Hashes", + "Image", + "IsExecutable", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "lnx_file_event": { + "product": "linux", + "category": "file_event", + "service": null, + "data": [ + "CreationUtcTime", + "Image", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "lnx_guacamole": { + "product": "linux", + "category": null, + "service": "guacamole", + "data": [] + }, + "lnx_modsecurity": { + "product": "linux", + "category": null, + "service": "modsecurity", + "data": [] + }, + "lnx_network_connection": { + "product": "linux", + "category": "network_connection", 
+ "service": null, + "data": [ + "DestinationHostname", + "DestinationIp", + "DestinationIsIpv6", + "DestinationPort", + "DestinationPortName", + "Image", + "Initiated", + "ProcessGuid", + "ProcessId", + "Protocol", + "SourceHostname", + "SourceIp", + "SourceIsIpv6", + "SourcePort", + "SourcePortName", + "User" + ] + }, + "lnx_process_creation": { + "product": "linux", + "category": "process_creation", + "service": null, + "data": [ + "CommandLine", + "Company", + "CurrentDirectory", + "Description", + "FileVersion", + "Hashes", + "Image", + "IntegrityLevel", + "LogonGuid", + "LogonId", + "OriginalFileName", + "ParentCommandLine", + "ParentImage", + "ParentProcessGuid", + "ParentProcessId", + "ParentUser", + "ProcessGuid", + "ProcessId", + "Product", + "TerminalSessionId", + "User" + ] + }, + "lnx_process_termination": { + "product": "linux", + "category": "process_termination", + "service": null, + "data": [ + "Image", + "ProcessGuid", + "ProcessId", + "User" + ] + }, + "lnx_raw_access_read": { + "product": "linux", + "category": "raw_access_read", + "service": null, + "data": [ + "Device", + "Image", + "ProcessGuid", + "ProcessId", + "User" + ] + }, + "lnx_sshd": { + "product": "linux", + "category": null, + "service": "sshd", + "data": [] + }, + "lnx_sudo": { + "product": "linux", + "category": null, + "service": "sudo", + "data": [] + }, + "lnx_syslog": { + "product": "linux", + "category": null, + "service": "syslog", + "data": [] + }, + "lnx_sysmon_status": { + "product": "linux", + "category": "sysmon_status", + "service": null, + "data": [ + "Configuration", + "ConfigurationFileHash" + ] + }, + "lnx_vsftpd": { + "product": "linux", + "category": null, + "service": "vsftpd", + "data": [] + }, + "m365_audit": { + "product": "m365", + "category": null, + "service": "audit", + "data": [] + }, + "m365_exchange": { + "product": "m365", + "category": null, + "service": "exchange", + "data": [] + }, + "m365_threat_detection": { + "product": "m365", + "category": 
null, + "service": "threat_detection", + "data": [] + }, + "m365_threat_management": { + "product": "m365", + "category": null, + "service": "threat_management", + "data": [] + }, + "macos_file_delete": { + "product": "macos", + "category": "file_delete", + "service": null, + "data": [ + "Archived", + "Hashes", + "Image", + "IsExecutable", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "macos_file_event": { + "product": "macos", + "category": "file_event", + "service": null, + "data": [ + "CreationUtcTime", + "Image", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "macos_network_connection": { + "product": "macos", + "category": "network_connection", + "service": null, + "data": [ + "DestinationHostname", + "DestinationIp", + "DestinationIsIpv6", + "DestinationPort", + "DestinationPortName", + "Image", + "Initiated", + "ProcessGuid", + "ProcessId", + "Protocol", + "SourceHostname", + "SourceIp", + "SourceIsIpv6", + "SourcePort", + "SourcePortName", + "User" + ] + }, + "macos_process_creation": { + "product": "macos", + "category": "process_creation", + "service": null, + "data": [ + "CommandLine", + "Company", + "CurrentDirectory", + "Description", + "FileVersion", + "Hashes", + "Image", + "IntegrityLevel", + "LogonGuid", + "LogonId", + "OriginalFileName", + "ParentCommandLine", + "ParentImage", + "ParentProcessGuid", + "ParentProcessId", + "ParentUser", + "ProcessGuid", + "ProcessId", + "Product", + "TerminalSessionId", + "User" + ] + }, + "macos_process_termination": { + "product": "macos", + "category": "process_termination", + "service": null, + "data": [ + "Image", + "ProcessGuid", + "ProcessId", + "User" + ] + }, + "macos_raw_access_read": { + "product": "macos", + "category": "raw_access_read", + "service": null, + "data": [ + "Device", + "Image", + "ProcessGuid", + "ProcessId", + "User" + ] + }, + "macos_sysmon_status": { + "product": "macos", + "category": "sysmon_status", + "service": null, + "data": [ + 
"Configuration", + "ConfigurationFileHash" + ] + }, + "netflow": { + "product": null, + "category": null, + "service": "netflow", + "data": [] + }, + "nginx": { + "product": null, + "category": null, + "service": "nginx", + "data": [] + }, + "nodejs_application": { + "product": "nodejs", + "category": "application", + "service": null, + "data": [] + }, + "okta_okta": { + "product": "okta", + "category": null, + "service": "okta", + "data": [] + }, + "onelogin_onelogin.events": { + "product": "onelogin", + "category": null, + "service": "onelogin.events", + "data": [] + }, + "opencanary_application": { + "product": "opencanary", + "category": "application", + "service": null, + "data": [] + }, + "paloalto_appliance_globalprotect": { + "product": "paloalto", + "category": "appliance", + "service": "globalprotect", + "data": [] + }, + "paloalto_file_event": { + "product": "paloalto", + "category": "file_event", + "service": null, + "data": [] + }, + "paloalto_file_event_globalprotect": { + "product": "paloalto", + "category": "file_event", + "service": "globalprotect", + "data": [] + }, + "paloalto_globalprotect": { + "product": "paloalto", + "category": null, + "service": "globalprotect", + "data": [] + }, + "proxy": { + "product": null, + "category": "proxy", + "service": null, + "data": [ + "c-uri", + "c-uri-extension", + "c-uri-query", + "c-uri-stem", + "c-useragent", + "cs-bytes", + "cs-cookie", + "cs-host", + "cs-method", + "cs-referrer", + "cs-uri", + "cs-version", + "dst_ip", + "r-dns", + "sc-bytes", + "sc-status", + "src_ip" + ] + }, + "python_application": { + "product": "python", + "category": "application", + "service": null, + "data": [] + }, + "qualys": { + "product": "qualys", + "category": null, + "service": null, + "data": [] + }, + "qualys_application": { + "product": "qualys", + "category": "application", + "service": null, + "data": [] + }, + "rpc_firewall_application": { + "product": "rpc_firewall", + "category": "application", + "service": null, 
+ "data": [] + }, + "ruby_on_rails_application": { + "product": "ruby_on_rails", + "category": "application", + "service": null, + "data": [] + }, + "spring_application": { + "product": "spring", + "category": "application", + "service": null, + "data": [] + }, + "sql_application": { + "product": "sql", + "category": "application", + "service": null, + "data": [] + }, + "velocity_application": { + "product": "velocity", + "category": "application", + "service": null, + "data": [] + }, + "webserver": { + "product": null, + "category": "webserver", + "service": null, + "data": [ + "c-ip", + "cs-bytes", + "cs-cookie", + "cs-host", + "cs-method", + "cs-method", + "cs-referer", + "cs-uri-query", + "cs-uri-stem", + "cs-user-agent", + "cs-username", + "cs-version", + "date", + "s-computername", + "s-ip", + "s-port", + "s-sitename", + "sc-bytes", + "sc-status", + "sc-win32-status", + "time", + "time-taken" + ] + }, + "win_application": { + "product": "windows", + "category": null, + "service": "application", + "data": [] + }, + "win_applocker": { + "product": "windows", + "category": null, + "service": "applocker", + "data": [] + }, + "win_appmodel-runtime": { + "product": "windows", + "category": null, + "service": "appmodel-runtime", + "data": [ + "ApplicationName", + "ImageName", + "Message", + "PackageName", + "ProcessID" + ] + }, + "win_appxdeployment-server": { + "product": "windows", + "category": null, + "service": "appxdeployment-server", + "data": [ + "AppId", + "CallingProcess", + "DeploymentOperation", + "ErrorCode", + "FilePath", + "PackageDisplayName", + "PackageFullName", + "PackageSourceUri", + "Path" + ] + }, + "win_appxpackaging-om": { + "product": "windows", + "category": null, + "service": "appxpackaging-om", + "data": [ + "subjectName" + ] + }, + "win_bitlocker": { + "product": "windows", + "category": null, + "service": "bitlocker", + "data": [ + "ProtectorGUID", + "ProtectorType", + "VolumeMountPoint", + "VolumeName" + ] + }, + "win_bits-client": { + 
"product": "windows", + "category": null, + "service": "bits-client", + "data": [ + "LocalName", + "RemoteName", + "processId", + "processPath" + ] + }, + "win_capi2": { + "product": "windows", + "category": null, + "service": "capi2", + "data": [] + }, + "win_certificateservicesclient-lifecycle-system": { + "product": "windows", + "category": null, + "service": "certificateservicesclient-lifecycle-system", + "data": [] + }, + "win_clipboard_capture": { + "product": "windows", + "category": "clipboard_capture", + "service": null, + "data": [ + "Archived", + "ClientInfo", + "Hashes", + "Image", + "ProcessGuid", + "ProcessId", + "Session", + "User" + ] + }, + "win_codeintegrity-operational": { + "product": "windows", + "category": null, + "service": "codeintegrity-operational", + "data": [ + "FileNameBuffer", + "FileNameLength", + "ProcessNameBuffer", + "ProcessNameLength", + "RequestedPolicy", + "Status", + "ValidatedPolicy" + ] + }, + "win_create_remote_thread": { + "product": "windows", + "category": "create_remote_thread", + "service": null, + "data": [ + "NewThreadId", + "SourceImage", + "SourceProcessGuid", + "SourceProcessId", + "SourceUser", + "StartAddress", + "StartFunction", + "StartModule", + "TargetImage", + "TargetProcessGuid", + "TargetProcessId", + "TargetUser" + ] + }, + "win_create_stream_hash": { + "product": "windows", + "category": "create_stream_hash", + "service": null, + "data": [ + "Contents", + "CreationUtcTime", + "Hash", + "Image", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "win_diagnosis-scripted": { + "product": "windows", + "category": null, + "service": "diagnosis-scripted", + "data": [ + "PackageId", + "PackagePath" + ] + }, + "win_dns-client": { + "product": "windows", + "category": null, + "service": "dns-client", + "data": [ + "Address", + "AddressLength", + "ClientPID", + "DnsServerIpAddress", + "InterfaceIndex", + "NetworkIndex", + "QueryBlob", + "QueryName", + "QueryOptions", + "QueryResults", + 
"QueryStatus", + "QueryType", + "ResponseStatus", + "SendBlob", + "SendBlobContext", + "Status" + ] + }, + "win_dns-server": { + "product": "windows", + "category": null, + "service": "dns-server", + "data": [] + }, + "win_dns-server-analytic": { + "product": "windows", + "category": null, + "service": "dns-server-analytic", + "data": [] + }, + "win_dns_query": { + "product": "windows", + "category": "dns_query", + "service": null, + "data": [ + "Image", + "ProcessGuid", + "ProcessId", + "QueryName", + "QueryResults", + "QueryStatus", + "User" + ] + }, + "win_driver-framework": { + "product": "windows", + "category": null, + "service": "driver-framework", + "data": [] + }, + "win_driver_load": { + "product": "windows", + "category": "driver_load", + "service": null, + "data": [ + "Hashes", + "ImageLoaded", + "Signature", + "SignatureStatus", + "Signed" + ] + }, + "win_file_access": { + "product": "windows", + "category": "file_access", + "service": null, + "data": [ + "CreateAttributes", + "CreateOptions", + "FileName", + "FileObject", + "Irp", + "IssuingThreadId", + "ShareAccess" + ] + }, + "win_file_block": { + "product": "windows", + "category": "file_block", + "service": null, + "data": [ + "Hashes", + "Image", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "win_file_change": { + "product": "windows", + "category": "file_change", + "service": null, + "data": [ + "CreationUtcTime", + "Image", + "PreviousCreationUtcTime", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "win_file_delete": { + "product": "windows", + "category": "file_delete", + "service": null, + "data": [ + "Archived", + "Hashes", + "Image", + "IsExecutable", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "win_file_event": { + "product": "windows", + "category": "file_event", + "service": null, + "data": [ + "CreationUtcTime", + "Image", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + 
"win_file_executable_detected": { + "product": "windows", + "category": "file_executable_detected", + "service": null, + "data": [ + "Hashes", + "Image", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "win_file_rename": { + "product": "windows", + "category": "file_rename", + "service": null, + "data": [ + "ExtraInformation", + "FileKey", + "FileObject", + "FilePath", + "InfoClass", + "Irp", + "IssuingThreadId" + ] + }, + "win_firewall-as": { + "product": "windows", + "category": null, + "service": "firewall-as", + "data": [ + "Action", + "ApplicationPath", + "ModifyingApplication" + ] + }, + "win_iis": { + "product": "windows", + "category": null, + "service": "iis", + "data": [ + "c-ip", + "cs-bytes", + "cs-cookie", + "cs-host", + "cs-method", + "cs-method", + "cs-referer", + "cs-uri-query", + "cs-uri-stem", + "cs-user-agent", + "cs-username", + "cs-version", + "date", + "s-computername", + "s-ip", + "s-port", + "s-sitename", + "sc-bytes", + "sc-status", + "sc-win32-status", + "time", + "time-taken" + ] + }, + "win_image_load": { + "product": "windows", + "category": "image_load", + "service": null, + "data": [ + "Company", + "Description", + "FileVersion", + "Hashes", + "Image", + "ImageLoaded", + "OriginalFileName", + "ProcessGuid", + "ProcessId", + "Product", + "Signature", + "SignatureStatus", + "Signed", + "User" + ] + }, + "win_ldap": { + "product": "windows", + "category": null, + "service": "ldap", + "data": [ + "AttributeList", + "DistinguishedName", + "ProcessId", + "ScopeOfSearch", + "SearchFilter" + ] + }, + "win_lsa-server": { + "product": "windows", + "category": null, + "service": "lsa-server", + "data": [ + "EventCountTotal", + "EventOrginal", + "SidList", + "TargetDomainName", + "TargetLogonGuid", + "TargetLogonId", + "TargetUserName", + "TargetUserSid" + ] + }, + "win_microsoft-servicebus-client": { + "product": "windows", + "category": null, + "service": "microsoft-servicebus-client", + "data": [] + }, + 
"win_msexchange-management": { + "product": "windows", + "category": null, + "service": "msexchange-management", + "data": [] + }, + "win_network_connection": { + "product": "windows", + "category": "network_connection", + "service": null, + "data": [ + "DestinationHostname", + "DestinationIp", + "DestinationIsIpv6", + "DestinationPort", + "DestinationPortName", + "Image", + "Initiated", + "ParentImage", + "ProcessGuid", + "ProcessId", + "Protocol", + "SourceHostname", + "SourceIp", + "SourceIsIpv6", + "SourcePort", + "SourcePortName", + "User" + ] + }, + "win_ntlm": { + "product": "windows", + "category": null, + "service": "ntlm", + "data": [ + "CallerPID", + "ClientDomainName", + "ClientLUID", + "ClientUserName", + "DomainName", + "MechanismOID", + "ProcessName", + "SChannelName", + "SChannelType", + "TargetName", + "UserName", + "WorkstationName" + ] + }, + "win_openssh": { + "product": "windows", + "category": null, + "service": "openssh", + "data": [ + "payload", + "process" + ] + }, + "win_pipe_created": { + "product": "windows", + "category": "pipe_created", + "service": null, + "data": [ + "EventType", + "Image", + "PipeName", + "ProcessGuid", + "ProcessId", + "User" + ] + }, + "win_powershell": { + "product": "windows", + "category": null, + "service": "powershell", + "data": [] + }, + "win_powershell-classic": { + "product": "windows", + "category": null, + "service": "powershell-classic", + "data": [] + }, + "win_printservice-admin": { + "product": "windows", + "category": null, + "service": "printservice-admin", + "data": [] + }, + "win_printservice-operational": { + "product": "windows", + "category": null, + "service": "printservice-operational", + "data": [] + }, + "win_process_access": { + "product": "windows", + "category": "process_access", + "service": null, + "data": [ + "CallTrace", + "GrantedAccess", + "SourceImage", + "SourceProcessGUID", + "SourceProcessId", + "SourceThreadId", + "SourceUser", + "TargetImage", + "TargetProcessGUID", + 
"TargetProcessId", + "TargetUser" + ] + }, + "win_process_creation": { + "product": "windows", + "category": "process_creation", + "service": null, + "data": [ + "CommandLine", + "Company", + "CurrentDirectory", + "Description", + "FileVersion", + "GrandParentImage", + "Hashes", + "Image", + "IntegrityLevel", + "LogonGuid", + "LogonId", + "OriginalFileName", + "ParentCommandLine", + "ParentImage", + "ParentProcessGuid", + "ParentProcessId", + "ParentUser", + "ProcessGuid", + "ProcessId", + "Product", + "TerminalSessionId", + "User" + ] + }, + "win_process_tampering": { + "product": "windows", + "category": "process_tampering", + "service": null, + "data": [ + "Image", + "ProcessGuid", + "ProcessId", + "Type", + "User" + ] + }, + "win_process_termination": { + "product": "windows", + "category": "process_termination", + "service": null, + "data": [ + "Image", + "ProcessGuid", + "ProcessId", + "User" + ] + }, + "win_ps_classic_provider_start": { + "product": "windows", + "category": "ps_classic_provider_start", + "service": null, + "data": [] + }, + "win_ps_classic_start": { + "product": "windows", + "category": "ps_classic_start", + "service": null, + "data": [] + }, + "win_ps_module": { + "product": "windows", + "category": "ps_module", + "service": null, + "data": [ + "ContextInfo", + "Payload", + "UserData" + ] + }, + "win_ps_script": { + "product": "windows", + "category": "ps_script", + "service": null, + "data": [ + "MessageNumber", + "MessageTotal", + "Path", + "ScriptBlockId", + "ScriptBlockText" + ] + }, + "win_raw_access_read": { + "product": "windows", + "category": "raw_access_read", + "service": null, + "data": [ + "CreationUtcTime", + "Image", + "ProcessGuid", + "ProcessId", + "TargetFilename", + "User" + ] + }, + "win_raw_access_thread": { + "product": "windows", + "category": "raw_access_thread", + "service": null, + "data": [ + "Device", + "Image", + "ProcessGuid", + "ProcessId", + "User" + ] + }, + "win_registry_add": { + "product": "windows", + 
"category": "registry_add", + "service": null, + "data": [ + "EventType", + "Image", + "ProcessGuid", + "ProcessId", + "TargetObject", + "User" + ] + }, + "win_registry_delete": { + "product": "windows", + "category": "registry_delete", + "service": null, + "data": [ + "Details", + "EventType", + "Image", + "ProcessGuid", + "ProcessId", + "TargetObject" + ] + }, + "win_registry_event": { + "product": "windows", + "category": "registry_event", + "service": null, + "data": [ + "Details", + "EventType", + "Image", + "NewName", + "ProcessGuid", + "ProcessId", + "TargetObject", + "User" + ] + }, + "win_registry_rename": { + "product": "windows", + "category": "registry_rename", + "service": null, + "data": [ + "EventType", + "Image", + "NewName", + "ProcessGuid", + "ProcessId", + "TargetObject", + "User" + ] + }, + "win_registry_set": { + "product": "windows", + "category": "registry_set", + "service": null, + "data": [ + "Details", + "EventType", + "Image", + "ProcessGuid", + "ProcessId", + "TargetObject", + "User" + ] + }, + "win_security": { + "product": "windows", + "category": null, + "service": "security", + "data": [] + }, + "win_security-mitigations": { + "product": "windows", + "category": null, + "service": "security-mitigations", + "data": [ + "ImageName", + "ImageNameLength", + "ProcessCommandLine", + "ProcessCommandLineLength", + "ProcessCreateTime", + "ProcessId", + "ProcessPath", + "ProcessPathLength", + "ProcessProtection", + "ProcessSectionSignatureLevel", + "ProcessSignatureLevel", + "ProcessStartKey", + "RequiredSignatureLevel", + "SignatureLevel", + "TargetThreadCreateTime", + "TargetThreadId" + ] + }, + "win_shell-core": { + "product": "windows", + "category": null, + "service": "shell-core", + "data": [ + "AppID", + "Flags", + "Name" + ] + }, + "win_smbclient-connectivity": { + "product": "windows", + "category": null, + "service": "smbclient-connectivity", + "data": [] + }, + "win_smbclient-security": { + "product": "windows", + "category": null, 
+ "service": "smbclient-security", + "data": [ + "ObjectName", + "ObjectNameLength", + "Reason", + "ServerName", + "ServerNameLength", + "ShareName", + "ShareNameLength", + "Status", + "UserName", + "UserNameLength" + ] + }, + "win_sysmon": { + "product": "windows", + "category": null, + "service": "sysmon", + "data": [] + }, + "win_sysmon_error": { + "product": "windows", + "category": "sysmon_error", + "service": null, + "data": [] + }, + "win_sysmon_status": { + "product": "windows", + "category": "sysmon_status", + "service": null, + "data": [ + "Configuration", + "ConfigurationFileHash", + "SchemaVersion", + "State", + "Version" + ] + }, + "win_system": { + "product": "windows", + "category": null, + "service": "system", + "data": [] + }, + "win_taskscheduler": { + "product": "windows", + "category": null, + "service": "taskscheduler", + "data": [ + "Path", + "Priority", + "ProcessID", + "TaskName", + "UserContext", + "UserName" + ] + }, + "win_terminalservices-localsessionmanager": { + "product": "windows", + "category": null, + "service": "terminalservices-localsessionmanager", + "data": [ + "Address", + "SessionID", + "User" + ] + }, + "win_vhdmp": { + "product": "windows", + "category": null, + "service": "vhdmp", + "data": [] + }, + "win_windefend": { + "product": "windows", + "category": null, + "service": "windefend", + "data": [] + }, + "win_wmi": { + "product": "windows", + "category": null, + "service": "wmi", + "data": [] + }, + "win_wmi_event": { + "product": "windows", + "category": "wmi_event", + "service": null, + "data": [ + "Consumer", + "Destination", + "EventNamespace", + "EventType", + "Filter", + "Name", + "Operation", + "Query", + "Type", + "User" + ] + }, + "windows": { + "product": "windows", + "category": null, + "service": null, + "data": [] + }, + "zeek_dce_rpc": { + "product": "zeek", + "category": null, + "service": "dce_rpc", + "data": [] + }, + "zeek_dns": { + "product": "zeek", + "category": null, + "service": "dns", + "data": 
[]
+ },
+ "zeek_http": {
+ "product": "zeek",
+ "category": null,
+ "service": "http",
+ "data": []
+ },
+ "zeek_kerberos": {
+ "product": "zeek",
+ "category": null,
+ "service": "kerberos",
+ "data": []
+ },
+ "zeek_rdp": {
+ "product": "zeek",
+ "category": null,
+ "service": "rdp",
+ "data": []
+ },
+ "zeek_smb_files": {
+ "product": "zeek",
+ "category": null,
+ "service": "smb_files",
+ "data": []
+ },
+ "zeek_x509": {
+ "product": "zeek",
+ "category": null,
+ "service": "x509",
+ "data": []
+ }
+ }
 }
\ No newline at end of file
diff --git a/tests/test_logsource.py b/tests/test_logsource.py
index e5426ae4382..a049e2658d4 100644
--- a/tests/test_logsource.py
+++ b/tests/test_logsource.py
@@ -8,216 +8,45 @@ import os import unittest -import yaml from colorama import init from colorama import Fore import json +from sigma.collection import SigmaCollection +from sigma.rule import SigmaLogSource, SigmaDetectionItem class TestRules(unittest.TestCase): - path_to_rules_ = [ + path_to_rules = [ "rules", "rules-emerging-threats", "rules-placeholder", "rules-threat-hunting", "rules-compliance", ] - path_to_rules = [] - for path_ in path_to_rules_: - path_to_rules.append( - os.path.join(os.path.dirname(os.path.realpath(__name__)), path_) - ) - - # Helper functions - def yield_next_rule_file_path(self, path_to_rules: list) -> str: - for path_ in path_to_rules: - for root, _, files in os.walk(path_): - for file in files: - if file.endswith(".yml"): - yield os.path.join(root, file) - - def get_rule_yaml(self, file_path: str) -> dict: - data = [] - - with open(file_path, encoding="utf-8") as f: - yaml_parts = yaml.safe_load_all(f) - for part in yaml_parts: - data.append(part) - - return data - - def get_rule_part(self, file_path: str, part_name: str): - yaml_dicts = self.get_rule_yaml(file_path) - for yaml_part in yaml_dicts: - if part_name in yaml_part.keys(): - return yaml_part[part_name] - - return None - - def get_detection_field(self, detection: dict): - data = [] - - def get_field_name(selection: dict): - name = [] - for field in selection: - if field == "|all": - continue - elif "|" in field: - name.append(field.split("|")[0]) - else: - name.append(field) - return name - - for search_identifier in detection: - if isinstance(detection[search_identifier], dict): - data += get_field_name(detection[search_identifier]) - if isinstance(detection[search_identifier], list): - for list_value in detection[search_identifier]: - if isinstance(list_value, dict): - data += get_field_name(list_value) - - return data - - def full_logsource(self, logsource: dict) -> dict: - data = {} - - data["product"] = ( - logsource["product"] if "product" in logsource.keys() else None - 
) - data["category"] = ( - logsource["category"] if "category" in logsource.keys() else None - ) - data["service"] = ( - logsource["service"] if "service" in logsource.keys() else None - ) - - return data - - def exist_logsource(self, logsource: dict) -> bool: - # Check New product - if logsource["product"]: - if logsource["product"] in fieldname_dict.keys(): - product = logsource["product"] - else: - return False - else: - product = "empty" - - if ( - logsource["category"] - and logsource["category"] in fieldname_dict[product]["category"].keys() - ): - return True - elif ( - logsource["service"] - and logsource["service"] in fieldname_dict[product]["service"].keys() - ): - return True - elif logsource["category"] == None and logsource["service"] == None: - return True # We known the product but there are no category or service - - return False - - def get_logsource(self, logsource: dict) -> list: - data = None - - product = ( - logsource["product"] - if logsource["product"] in fieldname_dict.keys() - else "empty" - ) - - if ( - logsource["category"] - and logsource["category"] in fieldname_dict[product]["category"].keys() - ): - data = fieldname_dict[product]["category"][logsource["category"]] - elif ( - logsource["service"] - and logsource["service"] in fieldname_dict[product]["service"].keys() - ): - data = fieldname_dict[product]["service"][logsource["service"]] - elif logsource["category"] == None and logsource["service"] == None: - data = fieldname_dict[product]["empty"] - - return data - - def not_commun(self, logsource: dict, data: list) -> bool: - product = ( - logsource["product"] - if logsource["product"] in fieldname_dict.keys() - else "empty" - ) - - if fieldname_dict[product]["common"] == data: - return False - else: - return True + rule_paths = SigmaCollection.resolve_paths(path_to_rules) + rule_collection = SigmaCollection.load_ruleset(rule_paths, collect_errors=True) # # test functions # - def test_invalid_logsource_attributes(self): - faulty_rules 
= [] - valid_logsource = [ - "category", - "product", - "service", - "definition", - ] - for file in self.yield_next_rule_file_path(self.path_to_rules): - logsource = self.get_rule_part(file_path=file, part_name="logsource") - if not logsource: - print(Fore.RED + "Rule {} has no 'logsource'.".format(file)) - faulty_rules.append(file) - continue - valid = True - for key in logsource: - if key not in valid_logsource: - print( - Fore.RED - + "Rule {} has a logsource with an invalid field ({})".format( - file, key - ) - ) - valid = False - elif not isinstance(logsource[key], str): - print( - Fore.RED - + "Rule {} has a logsource with an invalid field type ({})".format( - file, key - ) - ) - valid = False - if not valid: - faulty_rules.append(file) - - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source", - ) + # class FieldnameLogsourceIssue(SigmaValidationIssue): Usage of invalid field name in the log source def test_logsource_value(self): faulty_rules = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - logsource = self.get_rule_part(file_path=file, part_name="logsource") - if logsource: - full_logsource = self.full_logsource(logsource) - if not self.exist_logsource(full_logsource): - faulty_rules.append(file) - print( - Fore.RED - + "Rule {} has the unknown logsource product/category/service ({}/{}/{})".format( - file, - full_logsource["product"], - full_logsource["category"], - full_logsource["service"], - ) + for rule in self.rule_collection: + if not rule.logsource in fieldname_dict.keys(): + faulty_rules.append(rule.source) + print( + Fore.RED + + "Rule {} has the unknown logsource product/category/service ({}/{}/{})".format( + rule.source, + rule.logsource.product, + rule.logsource.category, + rule.logsource.service, ) + ) self.assertEqual( faulty_rules, 
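Review bot: The removed `test_invalid_logsource_attributes` (unknown logsource keys, non-string values) has no replacement in the new code; all that stands in its place is the orphaned comment `# class FieldnameLogsourceIssue(SigmaValidationIssue): ...`, which either belongs in a real validator or should be dropped, and unless pySigma itself rejects such rules at `load_ruleset` time (I believe it tolerates extra logsource keys, worth confirming) the workflow no longer catches them. Relatedly, `load_ruleset(..., collect_errors=True)` keeps rules that failed to parse and attaches the errors to them, yet `test_logsource_value` never asserts that a rule carries no errors, so a broken rule is not reported by this test; a check over `rule.errors` for each rule, or over the collection's collected errors, would close that gap. Minor style: `if not rule.logsource in fieldname_dict.keys():` reads better as `if rule.logsource not in fieldname_dict:`. `test_logsource_value` continues past the end of this hunk.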
@@ -226,29 +55,40 @@ def test_logsource_value(self): ) def test_fieldname_case(self): - files_with_fieldname_issues = [] - - for file in self.yield_next_rule_file_path(self.path_to_rules): - logsource = self.get_rule_part(file_path=file, part_name="logsource") - detection = self.get_rule_part(file_path=file, part_name="detection") + def check_name(logsource, name): + if name and not name in fieldname_dict[logsource]: + return True + else: + return False - if logsource and detection: - full_logsource = self.full_logsource(logsource) - list_valid = self.get_logsource(full_logsource) - first_time = True + files_with_fieldname_issues = [] - if list_valid and self.not_commun(full_logsource, list_valid): - for field in self.get_detection_field(detection): - if not field in list_valid: - print( - Fore.RED - + "Rule {} has the invalid field <{}>".format( - file, field + for rule in self.rule_collection: + if ( + rule.logsource in fieldname_dict.keys() + and len(fieldname_dict[rule.logsource]) > 0 + ): + for detection in rule.detection.detections.values(): + for item in detection.detection_items: + if isinstance(item, SigmaDetectionItem): + if check_name(rule.logsource, item.field): + files_with_fieldname_issues.append(rule.source) + print( + Fore.RED + + "Rule {} has the invalid field <{}>".format( + rule.source, item.field + ) ) - ) - if first_time: - files_with_fieldname_issues.append(file) - first_time = False # can be many error in the same rule + else: + for sub_item in item.detection_items: + if check_name(rule.logsource, sub_item.field): + files_with_fieldname_issues.append(rule.source) + print( + Fore.RED + + "Rule {} has the invalid field <{}>".format( + rule.source, sub_item.field + ) + ) self.assertEqual( files_with_fieldname_issues, 
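Review bot: The nesting walk in `test_fieldname_case` stops at two levels: in the `else:` branch every `sub_item` is assumed to be a `SigmaDetectionItem`, so a `SigmaDetection` nested one level deeper would raise `AttributeError` on `.field` instead of being checked (how deep pySigma nests list-of-maps selections should be confirmed). A small recursive generator handles any depth and lets both checks collapse into one comprehension, removing the duplicated print block. `rule.source` is now appended once per bad field rather than once per rule (the old `first_time` guard), so the failure list carries duplicates. `check_name` can simply be `return bool(name) and name not in fieldname_dict[logsource]`. The closing `assertEqual` of the method lies outside the hunk.
```python
    def test_fieldname_case(self):
        def check_name(logsource, name):
            return bool(name) and name not in fieldname_dict[logsource]

        def iter_fields(detection):
            # Yield every field name in a SigmaDetection, whatever the nesting depth.
            for item in detection.detection_items:
                if isinstance(item, SigmaDetectionItem):
                    yield item.field
                else:
                    yield from iter_fields(item)

        files_with_fieldname_issues = []

        for rule in self.rule_collection:
            if rule.logsource not in fieldname_dict or not fieldname_dict[rule.logsource]:
                continue
            bad_fields = [
                field
                for detection in rule.detection.detections.values()
                for field in iter_fields(detection)
                if check_name(rule.logsource, field)
            ]
            for field in bad_fields:
                print(Fore.RED + "Rule {} has the invalid field <{}>".format(rule.source, field))
            if bad_fields:
                files_with_fieldname_issues.append(rule.source)  # once per rule
        # … unchanged: assertEqual on files_with_fieldname_issues …
```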
@@ -258,53 +98,39 @@ def test_fieldname_case(self): ) -def load_fields_json(name: str): - data = {} +def load_fields_json(json_name: str): + field_info = {} + common_info={} + addon_info= {} - file_path = os.path.abspath(os.path.dirname(__file__)) + "/" + name - with open(file_path, "r") as file: + file_path = os.path.abspath(os.path.dirname(__file__)) + "/" + json_name + with open(file_path, "r", encoding="UTF-8") as file: json_dict = json.load(file) - for product in json_dict["legit"]: - data[product] = json_dict["legit"][product] - - for product in json_dict["addon"]: - for category in json_dict["addon"][product]["category"]: - data[product]["category"][category] += json_dict["addon"][product][ - "category" - ][category] - for service in json_dict["addon"][product]["service"]: - data[product]["service"][service] += json_dict["addon"][product]["service"][ - service - ] - - # We use some extracted hash - # Add common field - for product in data: - for category in data[product]["category"]: - if "Hashes" in data[product]["category"][category]: - data[product]["category"][category] += [ - "md5", - "sha1", - "sha256", - "Imphash", - ] - if ( - "Hash" in data[product]["category"][category] - ): # Sysmon 15 create_stream_hash - data[product]["category"][category] += [ - "md5", - "sha1", - "sha256", - "Imphash", - ] - if "common" in data[product].keys(): - data[product]["category"][category] += data[product]["common"] - for service in data[product]["service"]: - if "common" in data[product].keys(): - data[product]["service"][service] += data[product]["common"] - - return data + for key in json_dict["common"]: + info=json_dict["common"][key] + logsource = SigmaLogSource(product=info["product"], category=info["category"], service=info["service"]) + common_info[logsource]= info["data"] + + for key in json_dict["addon"]: + info=json_dict["addon"][key] + logsource = SigmaLogSource(product=info["product"], category=info["category"], service=info["service"]) + 
addon_info[logsource]= info["data"] + + for key in json_dict["field"]: + info=json_dict["field"][key] + logsource = SigmaLogSource(product=info["product"], category=info["category"], service=info["service"]) + field_info[logsource] = info["data"] + + if len(info["data"]) > 0: + if logsource.product and SigmaLogSource(product=logsource.product) in common_info: + field_info[logsource] += common_info[ SigmaLogSource(product=logsource.product)] + if logsource in addon_info: + field_info[logsource] += addon_info[logsource] + if "Hashes" in info["data"] or "Hash" in info["data"]: + field_info[logsource]+= ["md5","sha1","sha256","Imphash"] + + return field_info if __name__ == "__main__":
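Review bot: `field_info[logsource] = info["data"]` followed by `field_info[logsource] += ...` extends the list that `json_dict` still references, so the parsed document is mutated in place, and the same `SigmaLogSource(product=..., category=..., service=...)` construction is repeated in all three loops; copying with `list(info["data"])` and a one-line `logsource_of(info)` helper keeps it honest and shorter. The function has no docstring; a one-liner such as `"""Map each logsource in tests/<json_name> to its allowed field names (common, addon and hash aliases folded in)."""` is enough. Since these lists are only ever used for membership tests (and the new logsource.json lists `cs-method` twice under both `webserver` and `win_iis`), storing sets would be cleaner, and `os.path.join` beats the `+ "/" +` concatenation. Style nits: `common_info={}` and `addon_info= {}` are missing the PEP 8 spaces around `=`.
```python
def load_fields_json(json_name: str):
    """Map each logsource in tests/<json_name> to its allowed field names."""
    hash_aliases = ["md5", "sha1", "sha256", "Imphash"]  # extracted from Hashes / Hash

    def logsource_of(info):
        return SigmaLogSource(product=info["product"], category=info["category"], service=info["service"])

    file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), json_name)
    with open(file_path, "r", encoding="UTF-8") as file:
        json_dict = json.load(file)

    common_info = {logsource_of(info): info["data"] for info in json_dict["common"].values()}
    addon_info = {logsource_of(info): info["data"] for info in json_dict["addon"].values()}

    field_info = {}
    for info in json_dict["field"].values():
        logsource = logsource_of(info)
        fields = list(info["data"])  # copy: do not extend the parsed JSON in place
        if fields:
            if logsource.product:
                fields += common_info.get(SigmaLogSource(product=logsource.product), [])
            fields += addon_info.get(logsource, [])
            if "Hashes" in info["data"] or "Hash" in info["data"]:
                fields += hash_aliases
        field_info[logsource] = fields

    return field_info
```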