CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add process and file creation mappings

Browse Source
This commit is contained in:
defensivedepth
2024-10-16 15:20:52 -04:00
parent a3933bdc79
commit dcdfaf66f4
1 changed files with 66 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
salt/soc/files/soc/sigma_so_pipeline.yaml
View File

@@ -106,3 +106,69 @@ transformations:
- type: include_fields - type: include_fields
fields: fields:
- event.code - event.code
# Maps Windows + process_creation rules to endpoint process creation logs
- id: endpoint_process_create_windows_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'windows'
rule_conditions:
- type: logsource
category: process_creation
product: windows
# Maps Linux + file_event rules to endpoint file creation logs
- id: endpoint_process_create_linux_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'linux'
rule_conditions:
- type: logsource
category: process_creation
product: linux
# Maps macOS + file_event rules to endpoint file creation logs
- id: endpoint_process_create_macos_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'macos'
rule_conditions:
- type: logsource
category: process_creation
product: macos
# Maps Windows + file_event rules to endpoint file creation logs
- id: endpoint_file_create_windows_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
host.os.type: 'windows'
rule_conditions:
- type: logsource
category: file_event
product: windows
# Maps Linux + file_event rules to endpoint file creation logs
- id: endpoint_file_create_linux_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
host.os.type: 'linux'
rule_conditions:
- type: logsource
category: file_event
product: linux
# Maps macOS + file_event rules to endpoint file creation logs
- id: endpoint_file_create_macos_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
host.os.type: 'macos'
rule_conditions:
- type: logsource
category: file_event
product: macos