From 0a9022ba6a1f6ce82efa28d632b2f4f4bb1cd7b6 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 21 Feb 2024 17:07:08 -0500
Subject: [PATCH 1/3] Add hash mappings
---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 32 ++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index a1c4d6d62..54ce83eff 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -15,4 +15,34 @@ transformations:
 src_ip: destination.ip.keyword
 src_port: source.port
 dst_ip: destination.ip.keyword
- dst_port: destination.port
\ No newline at end of file
+ dst_port: destination.port
+ - id: hashes_process-creation
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: process.hash.sha256
+ winlog.event_data.sha1: process.hash.sha1
+ winlog.event_data.md5: process.hash.md5
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: process_creation
+ - id: hashes_image-load
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: dll.hash.sha256
+ winlog.event_data.sha1: dll.hash.sha1
+ winlog.event_data.md5: dll.hash.md5
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: image_load
+ - id: hashes_driver-load
+ type: field_name_mapping
+ mapping:
+ winlog.event_data.sha256: dll.hash.sha256
+ winlog.event_data.sha1: dll.hash.sha1
+ winlog.event_data.md5: dll.hash.md5
+ rule_conditions:
+ - type: logsource
+ product: windows
+ category: driver_load
\ No newline at end of file
From c886e7279363a8f0c614dc8a753166f5d418d5dc Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 22 Feb 2024 08:59:33 -0500
Subject: [PATCH 2/3] Imphash mappings
---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 54ce83eff..8121a6f13 100644
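Review bot: The three new `field_name_mapping` items only cover the per-algorithm fields (`sha256`, `sha1`, `md5`); Sigma rules for these logsources that match on the combined Sysmon `Hashes` field (`Hashes|contains: 'IMPHASH=...'` style) keep their prefixed name untouched, and if the index has no such field those rules silently never fire — either add a mapping for it or record the exclusion in a comment, e.g. `# Hashes (combined Sysmon string) is intentionally not mapped`. The `hashes_image-load` and `hashes_driver-load` items carry identical mappings to `dll.hash.*`; pySigma appears to link several `rule_conditions` with "any" by default, so one item with both logsource conditions would remove the duplication — verify the linking default before collapsing them. The hash targets are written bare (`process.hash.sha256`) while the ip fields above use a `.keyword` subfield; if the hash fields are not keyword-typed in the index template, exact-match queries will not behave as expected, so confirm the mapping (and the letter case of stored hashes, since keyword matching is case-sensitive). Finally, the hunk moves rather than fixes the missing trailing newline: the file still ends at `category: driver_load` without one.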
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -15,13 +15,15 @@ transformations:
 src_ip: destination.ip.keyword
 src_port: source.port
 dst_ip: destination.ip.keyword
- dst_port: destination.port
+ dst_port: destination.port
+ winlog.event_data.User: user.name
 - id: hashes_process-creation
 type: field_name_mapping
 mapping:
 winlog.event_data.sha256: process.hash.sha256
 winlog.event_data.sha1: process.hash.sha1
 winlog.event_data.md5: process.hash.md5
+ winlog.event_data.Imphash: process.pe.imphash
 rule_conditions:
 - type: logsource
 product: windows
@@ -32,6 +34,7 @@ transformations:
 winlog.event_data.sha256: dll.hash.sha256
 winlog.event_data.sha1: dll.hash.sha1
 winlog.event_data.md5: dll.hash.md5
+ winlog.event_data.Imphash: dll.pe.imphash
 rule_conditions:
 - type: logsource
 product: windows
@@ -42,6 +45,7 @@ transformations:
 winlog.event_data.sha256: dll.hash.sha256
 winlog.event_data.sha1: dll.hash.sha1
 winlog.event_data.md5: dll.hash.md5
+ winlog.event_data.Imphash: dll.pe.imphash
 rule_conditions:
 - type: logsource
 product: windows
From d04aa06455e7e96b5cbdac6c09953e01bd718c81 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 22 Feb 2024 14:01:02 -0500
Subject: [PATCH 3/3] Fix source.ip
---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 8121a6f13..533823e6f 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -12,7 +12,7 @@ transformations:
 sid: rule.uuid
 answer: answers
 query: dns.query.name
- src_ip: destination.ip.keyword
+ src_ip: source.ip.keyword
 src_port: source.port
 dst_ip: destination.ip.keyword
 dst_port: destination.port
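Review bot: The new `winlog.event_data.User: user.name` line in the first hunk maps a field whose Sigma/Sysmon value is conventionally `DOMAIN\user` onto an ECS field that holds only the user name; if the Security Onion ingest splits the domain into `user.domain`, rules that compare the full string (for example `User: 'NT AUTHORITY\SYSTEM'` or a `|startswith` on the domain) will never match, producing silent false negatives. Confirm the stored format before relying on this mapping and document it in place, e.g. `# User in Sigma rules is DOMAIN\user; user.name here must carry the same format`. The transformation item this line extends starts above the hunk, so its own `rule_conditions` (if any) are not visible here. The `Imphash` additions in the second and third hunks are correct ECS targets, but Sysmon reports imphash in upper-case hex and keyword matching is case-sensitive, so check whether the ingest normalises case and that rule values agree with it.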
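Review bot: The corrected `src_ip: source.ip.keyword` (and the existing `dst_ip: destination.ip.keyword`) address a `.keyword` subfield while `src_port`/`dst_port` use the bare ECS field; if `source.ip` is stored as an ECS `ip` type the subfield does not exist and every rule using `src_ip` would again return nothing, so verify the subfield against the index template rather than the fix alone. Since this copy-paste swap went unnoticed until now, a short comment on the line pair, e.g. `# src_ip/dst_ip are distinct fields; do not copy one onto the other`, would help the next edit. The transformation item containing these lines starts above the hunk.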