Merge branch 'master' of https://github.com/Neo23x0/sigma

SigmaHQ · Jan 14, 2019 · 8336b47 · 8336b47
2 parents cc4b806 + 5cba0b9
commit 8336b47
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 12 deletions.
diff --git a/.yamllint b/.yamllint
@@ -1,4 +1,12 @@
 ---
 # https://yamllint.readthedocs.io/en/latest/configuration.html
+extends: default
 rules:
+  comments: disable
+  comments-indentation: disable
   document-start: disable
+  empty-lines: {max: 2, max-start: 2, max-end: 2}
+  indentation: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  trailing-spaces: disable
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
@@ -7,7 +7,7 @@ references:
     - https://twitter.com/haroonmeer/status/939099379834658817
     - https://twitter.com/c_APT_ure/status/939475433711722497
     - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author:  Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis
 date: 2018/08/22
 modified: 2018/12/11
 tags:

diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml
@@ -85,7 +85,7 @@ logsources:
     conditions:
       deviceProduct: Apache
       categoryDeviceGroup: /Application
-    firewall:
+  firewall:
     product: firewall
     conditions:
       categoryDeviceGroup: /Firewall

diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml
@@ -26,11 +26,14 @@ logsources:
    index: flows
 
 fieldmappings:
-  dst:
-    - destinationIP
-  dst_ip:
-    - destinationIP
-  src:
-    - sourceIP
-  src_ip:
-    - sourceIP
+    EventID:
+        - Event ID Code
+    dst:
+        - destinationIP
+    dst_ip:
+        - destinationIP
+    src:
+        - sourceIP
+    src_ip:
+        - sourceIP
+    ServiceFileName: Service Name
diff --git a/tools/sigma/backends/qradar.py b/tools/sigma/backends/qradar.py
@@ -108,7 +108,7 @@ def generateNULLValueNode(self, node):
     def generateNotNULLValueNode(self, node):
         return self.notNullExpression % (node.item)
 
-    def generateAggregation(self, agg):
+    def generateAggregation(self, agg, timeframe='00'):
         if agg == None:
             return ""
         if agg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_NEAR:
@@ -117,11 +117,36 @@ def generateAggregation(self, agg):
             self.qradarPrefixAgg = "SELECT %s(%s) as agg_val from %s where" % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
             self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.aggfield, agg.cond_op, agg.condition)
             return self.qradarPrefixAgg, self.qradarSuffixAgg
+        elif agg.groupfield != None and timeframe == '00':
+                self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
+                self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
+                return self.qradarPrefixAgg, self.qradarSuffixAgg
+        elif agg.groupfield != None and timeframe != None:
+            for key, duration in self.generateTimeframe(timeframe).items():
+                self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
+                self.qradarSuffixAgg = " group by %s having agg_val %s %s LAST %s %s" % (agg.groupfield, agg.cond_op, agg.condition, duration, key)
+                return self.qradarPrefixAgg, self.qradarSuffixAgg
         else:
             self.qradarPrefixAgg = " SELECT %s(%s) as agg_val from %s where " % (agg.aggfunc_notrans, agg.aggfield, self.aql_database)
             self.qradarSuffixAgg = " group by %s having agg_val %s %s" % (agg.groupfield, agg.cond_op, agg.condition)
             return self.qradarPrefixAgg, self.qradarSuffixAgg
 
+    def generateTimeframe(self, timeframe):
+        time_unit = timeframe[-1:]
+        duration = timeframe[:-1]
+        timeframe_object = {}
+        if time_unit == "s":
+            timeframe_object['seconds'] = int(duration)
+        elif time_unit == "m":
+            timeframe_object['minutes'] = int(duration)
+        elif time_unit == "h":
+            timeframe_object['hours'] = int(duration)
+        elif time_unit == "d":
+            timeframe_object['days'] = int(duration)
+        else:
+            timeframe_object['months'] = int(duration)
+        return timeframe_object
+
     def generate(self, sigmaparser):
         """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
         for parsed in sigmaparser.condparsed:
@@ -147,10 +172,20 @@ def generateQuery(self, parsed, sigmaparser):
         else:
             aql_database = "events"
         qradarPrefix = "SELECT UTF8(payload) as search_payload from %s where " % (aql_database)
-        if parsed.parsedAgg:
+
+        try:
+            timeframe = sigmaparser.parsedyaml['detection']['timeframe']
+        except:
+            timeframe = None
+
+        if parsed.parsedAgg and timeframe == None:
             (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg)
             result = qradarPrefix + result
             result += qradarSuffixAgg
+        elif parsed.parsedAgg != None and timeframe != None:
+            (qradarPrefix, qradarSuffixAgg) = self.generateAggregation(parsed.parsedAgg, timeframe)
+            result = qradarPrefix + result
+            result += qradarSuffixAgg
         else:
             result = qradarPrefix + result
         return result