Merge pull request #12430 from Security-Onion-Solutions/feature/sigma-pipeline

Feature/sigma pipeline
2025-12-06 09:12:45 +01:00 · 2024-02-26 08:00:00 -05:00
parent 1824d7b36d d04aa06455
commit 77cb5748f6
1 changed files with 36 additions and 2 deletions
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -12,7 +12,41 @@ transformations:
        sid: rule.uuid
        answer: answers
        query: dns.query.name
-        src_ip: destination.ip.keyword
+        src_ip: source.ip.keyword
        src_port: source.port
        dst_ip: destination.ip.keyword
-        dst_port: destination.port
+        dst_port: destination.port
+        winlog.event_data.User: user.name   
+    - id: hashes_process-creation
+      type: field_name_mapping
+      mapping:
+        winlog.event_data.sha256: process.hash.sha256
+        winlog.event_data.sha1: process.hash.sha1
+        winlog.event_data.md5: process.hash.md5
+        winlog.event_data.Imphash: process.pe.imphash
+      rule_conditions:
+      - type: logsource
+        product: windows
+        category: process_creation
+    - id: hashes_image-load
+      type: field_name_mapping
+      mapping:
+        winlog.event_data.sha256: dll.hash.sha256
+        winlog.event_data.sha1: dll.hash.sha1
+        winlog.event_data.md5: dll.hash.md5
+        winlog.event_data.Imphash: dll.pe.imphash
+      rule_conditions:
+      - type: logsource
+        product: windows
+        category: image_load
+    - id: hashes_driver-load
+      type: field_name_mapping
+      mapping:
+        winlog.event_data.sha256: dll.hash.sha256
+        winlog.event_data.sha1: dll.hash.sha1
+        winlog.event_data.md5: dll.hash.md5
+        winlog.event_data.Imphash: dll.pe.imphash
+      rule_conditions:
+      - type: logsource
+        product: windows
+        category: driver_load