CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add hash mappings

Browse Source
This commit is contained in:
Josh Brower
2024-02-21 17:07:08 -05:00
parent d2f7946377
commit 0a9022ba6a
1 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
salt/soc/files/soc/sigma_so_pipeline.yaml
View File

@@ -16,3 +16,33 @@ transformations:
src_port: source.port src_port: source.port
dst_ip: destination.ip.keyword dst_ip: destination.ip.keyword
dst_port: destination.port dst_port: destination.port
- id: hashes_process-creation
type: field_name_mapping
mapping:
winlog.event_data.sha256: process.hash.sha256
winlog.event_data.sha1: process.hash.sha1
winlog.event_data.md5: process.hash.md5
rule_conditions:
- type: logsource
product: windows
category: process_creation
- id: hashes_image-load
type: field_name_mapping
mapping:
winlog.event_data.sha256: dll.hash.sha256
winlog.event_data.sha1: dll.hash.sha1
winlog.event_data.md5: dll.hash.md5
rule_conditions:
- type: logsource
product: windows
category: image_load
- id: hashes_driver-load
type: field_name_mapping
mapping:
winlog.event_data.sha256: dll.hash.sha256
winlog.event_data.sha1: dll.hash.sha1
winlog.event_data.md5: dll.hash.md5
rule_conditions:
- type: logsource
product: windows
category: driver_load