Merge pull request #2877 from splunk/BA_eval_change

Add lower to evals

.vscode/launch.json

@@ -49,6 +49,15 @@
             "justMyCode": true,
             "args": ["-p", "detections", "content_changer", "-cf", "fix_kill_chain"]
         },
+        {
+            "name": "contentctl convert",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/contentctl.py",
+            "console": "integratedTerminal",
+            "justMyCode": true,
+            "args": ["-p", ".", "convert", "-dm", "ocsf", "-dp", "dev_ssa/endpoint/ssa___windows_wmiprvse_spawn_msbuild.yml", "-o", "ssa_detections/endpoint"]
+        },
         {
             "name": "Python: Current File",
             "type": "python",

bin/contentctl_project/contentctl_infrastructure/builder/backend_splunk_ba.py

@@ -67,6 +67,7 @@ class SplunkBABackend(TextQueryBackend):
     wildcard_match_expression : ClassVar[Optional[str]] = "{field} LIKE {value}"
 
 
+
     def __init__(self, processing_pipeline: Optional["sigma.processing.pipeline.ProcessingPipeline"] = None, collect_errors: bool = False, min_time : str = "-30d", max_time : str = "now", detection : Detection = None, field_mapping: dict = None, **kwargs):
         super().__init__(processing_pipeline, collect_errors, **kwargs)
         self.min_time = min_time or "-30d"
@@ -110,13 +111,29 @@ def finalize_query_data_model(self, rule: SigmaRule, query: str, index: int, sta
                     parent = new_val
                     i = i + 1
                     continue
-                parser_str = '| eval ' + new_val + ' = ' + parent + '.' + val + ' '
+                new_val_spaces = new_val + "="
+                if new_val_spaces not in query:
+                    parser_str = '| eval ' + new_val + ' = ' + parent + '.' + val + ' '
+                else:
+                    parser_str = '| eval ' + new_val + ' = ' + 'lower(' + parent + '.' + val + ') '
                 detection_str = detection_str + parser_str
                 parsed_fields.append(new_val)
                 parent = new_val
                 i = i + 1
 
-        detection_str = detection_str + "| where " + query
+        ### Convert sigma values into lower case
+        lower_query = ""
+        in_quotes = False
+        for char in query:
+            if char == '"':
+                in_quotes = not in_quotes
+            if in_quotes:
+                lower_query += char.lower()
+            else:
+                lower_query += char
+
+        detection_str = detection_str + "| where " + lower_query
+
         detection_str = detection_str.replace("\\\\\\\\", "\\\\")
         return detection_str
 

ssa_detections/endpoint/ssa___anomalous_usage_of_archive_tools.yml

@@ -11,12 +11,12 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
-  | eval device_hostname = device.hostname | where (process_file_name="WinRAR.exe"
+  | eval device_hostname = device.hostname | where (process_file_name="winrar.exe"
   OR process_file_name LIKE "7z%" OR process_file_name LIKE "winzip%") AND (actor_process_file_name
   LIKE "%powershell.exe" OR actor_process_file_name LIKE "%cmd.exe") --finding_report--'
 how_to_implement: To successfully implement this search you need to be ingesting information

ssa_detections/endpoint/ssa___attempt_to_delete_services.yml

@@ -14,7 +14,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___attempt_to_disable_services.yml

@@ -14,7 +14,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml

@@ -12,7 +12,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___bcdedit_failure_recovery_modification.yml

@@ -12,7 +12,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___clear_unallocated_sector_using_cipher_app.yml

@@ -12,13 +12,13 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =
   actor_process_file.path | eval actor_process_file_name = actor_process_file.name
   | eval device_hostname = device.hostname | where process_file_name="cipher.exe"
-  AND process_cmd_line LIKE "%/W:%" --finding_report--'
+  AND process_cmd_line LIKE "%/w:%" --finding_report--'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Processes` node.

ssa_detections/endpoint/ssa___delete_a_net_user.yml

@@ -15,7 +15,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___deleting_shadow_copies.yml

@@ -12,7 +12,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___deny_permission_using_cacls_utility.yml

@@ -13,7 +13,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___detect_prohibited_applications_spawning_cmd_exe.yml

@@ -13,11 +13,11 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
-  = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
-  | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
-  | eval actor_process_file = actor_process.file | eval actor_process_file_path =
-  actor_process_file.path | eval actor_process_file_name = actor_process_file.name
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
+  = lower(process.cmd_line) | eval actor_user = actor.user | eval actor_user_name
+  = actor_user.name | eval actor_process = actor.process | eval actor_process_pid
+  = actor_process.pid | eval actor_process_file = actor_process.file | eval actor_process_file_path
+  = actor_process_file.path | eval actor_process_file_name = lower(actor_process_file.name)
   | eval device_hostname = device.hostname | where ((actor_process_file_name="winword.exe"
   OR actor_process_file_name="excel.exe" OR actor_process_file_name="outlook.exe"
   OR actor_process_file_name="acrobat.exe" OR actor_process_file_name="acrord32.exe"

ssa_detections/endpoint/ssa___detect_rclone_command_line_usage.yml

@@ -16,7 +16,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___disable_net_user_account.yml

@@ -13,7 +13,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___dns_exfiltration_using_nslookup_app.yml

@@ -15,7 +15,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___fsutil_zeroing_file.yml

@@ -12,7 +12,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___grant_permission_using_cacls_utility.yml

@@ -13,7 +13,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___hiding_files_and_directories_with_attrib_exe.yml

@@ -13,7 +13,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___modify_acls_permission_of_files_or_folders.yml

@@ -15,7 +15,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___office_product_spawning_windows_script_host.yml

@@ -12,7 +12,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =

ssa_detections/endpoint/ssa___resize_shadowstorage_volume.yml

@@ -13,7 +13,7 @@ data_source:
 - Windows Security 4688
 search: ' $main = from source  | eval timestamp = time  | eval metadata_uid = metadata.uid  |
   eval process_pid = process.pid | eval process_file = process.file | eval process_file_path
-  = process_file.path | eval process_file_name = process_file.name | eval process_cmd_line
+  = process_file.path | eval process_file_name = lower(process_file.name) | eval process_cmd_line
   = process.cmd_line | eval actor_user = actor.user | eval actor_user_name = actor_user.name
   | eval actor_process = actor.process | eval actor_process_pid = actor_process.pid
   | eval actor_process_file = actor_process.file | eval actor_process_file_path =