From dcdfaf66f4a0a29afabc24b8158d285581d50adf Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Wed, 16 Oct 2024 15:20:52 -0400 Subject: [PATCH 1/2] Add process and file creation mappings --- salt/soc/files/soc/sigma_so_pipeline.yaml | 66 +++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 8314361f5..121bc06a6 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml 
@@ -106,3 +106,69 @@ transformations: - type: include_fields fields: - event.code + # Maps Windows + process_creation rules to endpoint process creation logs + - id: endpoint_process_create_windows_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'windows' + rule_conditions: + - type: logsource + category: process_creation + product: windows + # Maps Linux + file_event rules to endpoint file creation logs + - id: endpoint_process_create_linux_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'linux' + rule_conditions: + - type: logsource + category: process_creation + product: linux + # Maps macOS + file_event rules to endpoint file creation logs + - id: endpoint_process_create_macos_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'macos' + rule_conditions: + - type: logsource + category: process_creation + product: macos + # Maps Windows + file_event rules to endpoint file creation logs + - id: endpoint_file_create_windows_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'windows' + rule_conditions: + - type: logsource + category: file_event + product: windows + # Maps Linux + file_event rules to endpoint file creation logs + - id: endpoint_file_create_linux_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'linux' + rule_conditions: + - type: logsource + category: file_event + product: linux + # Maps macOS + file_event rules to endpoint file creation logs + - id: endpoint_file_create_macos_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'macos' + rule_conditions: + - type: logsource + category: file_event + product: macos \ No newline at end of file 
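Review bot: The comments above the Linux and macOS process_creation blocks are copy-paste errors: `# Maps Linux + file_event rules to endpoint file creation logs` sits over `endpoint_process_create_linux_add-fields`, and the macOS equivalent over `endpoint_process_create_macos_add-fields`, although both blocks set `event.category: 'process'` and match `category: process_creation`. They should read `# Maps Linux + process_creation rules to endpoint process creation logs` and `# Maps macOS + process_creation rules to endpoint process creation logs`. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which the second patch in this series does not fix either; a final newline avoids noisy diffs on the next edit to the last mapping.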
From f3ca5b1c4248f29422a87e00adbcd781b447bc29 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Mon, 28 Oct 2024 09:19:51 -0400 Subject: [PATCH 2/2] Remove OS-specific mappings --- salt/soc/files/soc/sigma_so_pipeline.yaml | 58 +++-------------------- 1 file changed, 6 insertions(+), 52 deletions(-) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 121bc06a6..df8b2709a 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml 
@@ -106,69 +106,23 @@ transformations: - type: include_fields fields: - event.code - # Maps Windows + process_creation rules to endpoint process creation logs + # Maps process_creation rules to endpoint process creation logs + # This is an OS-agnostic mapping, to account for logs that don't specify source OS - id: endpoint_process_create_windows_add-fields type: add_condition conditions: event.category: 'process' event.type: 'start' - host.os.type: 'windows' rule_conditions: - type: logsource category: process_creation - product: windows - # Maps Linux + file_event rules to endpoint file creation logs - - id: endpoint_process_create_linux_add-fields - type: add_condition - conditions: - event.category: 'process' - event.type: 'start' - host.os.type: 'linux' - rule_conditions: - - type: logsource - category: process_creation - product: linux - # Maps macOS + file_event rules to endpoint file creation logs - - id: endpoint_process_create_macos_add-fields - type: add_condition - conditions: - event.category: 'process' - event.type: 'start' - host.os.type: 'macos' - rule_conditions: - - type: logsource - category: process_creation - product: macos - # Maps Windows + file_event rules to endpoint file creation logs - - id: endpoint_file_create_windows_add-fields + # Maps file_event rules to endpoint file creation logs + # This is an OS-agnostic mapping, to account for logs that don't specify source OS + - id: endpoint_file_create_add-fields type: add_condition conditions: event.category: 'file' event.type: 'creation' - host.os.type: 'windows' rule_conditions: - type: logsource - category: file_event - product: windows - # Maps Linux + file_event rules to endpoint file creation logs - - id: endpoint_file_create_linux_add-fields - type: add_condition - conditions: - event.category: 'file' - event.type: 'creation' - host.os.type: 'linux' - rule_conditions: - - type: logsource - category: file_event - product: linux - # Maps macOS + file_event rules to endpoint file creation 
logs - - id: endpoint_file_create_macos_add-fields - type: add_condition - conditions: - event.category: 'file' - event.type: 'creation' - host.os.type: 'macos' - rule_conditions: - - type: logsource - category: file_event - product: macos \ No newline at end of file + category: file_event \ No newline at end of file
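Review bot: The process_creation mapping keeps the id `endpoint_process_create_windows_add-fields` even though the `host.os.type: 'windows'` condition and `product: windows` rule condition are removed, while the sibling file_event mapping is renamed to `endpoint_file_create_add-fields`; the id now misdescribes the mapping and is inconsistent with its neighbour. Unless something outside this file references the id, rename it to `- id: endpoint_process_create_add-fields`. Separately, with no `host.os.type` in either condition and no `product` in the rule conditions, a rule that declares e.g. `product: windows` appears to match process-start or file-creation events from any host OS; if that loss of precision is the intended trade-off for logs without an OS field, it is worth stating in the comment, e.g. `# Note: rules keep no OS constraint here, so product-specific rules apply to all endpoint OSes`, so the detection scope is clear to whoever tunes false positives later.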