CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove OS-specific mappings

Browse Source
This commit is contained in:
defensivedepth
2024-10-28 09:19:51 -04:00
parent dcdfaf66f4
commit f3ca5b1c42
1 changed files with 6 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
salt/soc/files/soc/sigma_so_pipeline.yaml
View File

@@ -106,69 +106,23 @@ transformations:
- type: include_fields - type: include_fields
fields: fields:
- event.code - event.code
# Maps Windows + process_creation rules to endpoint process creation logs # Maps process_creation rules to endpoint process creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_process_create_windows_add-fields - id: endpoint_process_create_windows_add-fields
type: add_condition type: add_condition
conditions: conditions:
event.category: 'process' event.category: 'process'
event.type: 'start' event.type: 'start'
host.os.type: 'windows'
rule_conditions: rule_conditions:
- type: logsource - type: logsource
category: process_creation category: process_creation
product: windows # Maps file_event rules to endpoint file creation logs
# Maps Linux + file_event rules to endpoint file creation logs # This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_process_create_linux_add-fields - id: endpoint_file_create_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'linux'
rule_conditions:
- type: logsource
category: process_creation
product: linux
# Maps macOS + file_event rules to endpoint file creation logs
- id: endpoint_process_create_macos_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
host.os.type: 'macos'
rule_conditions:
- type: logsource
category: process_creation
product: macos
# Maps Windows + file_event rules to endpoint file creation logs
- id: endpoint_file_create_windows_add-fields
type: add_condition type: add_condition
conditions: conditions:
event.category: 'file' event.category: 'file'
event.type: 'creation' event.type: 'creation'
host.os.type: 'windows'
rule_conditions: rule_conditions:
- type: logsource - type: logsource
category: file_event category: file_event
product: windows
# Maps Linux + file_event rules to endpoint file creation logs
- id: endpoint_file_create_linux_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
host.os.type: 'linux'
rule_conditions:
- type: logsource
category: file_event
product: linux
# Maps macOS + file_event rules to endpoint file creation logs
- id: endpoint_file_create_macos_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
host.os.type: 'macos'
rule_conditions:
- type: logsource
category: file_event
product: macos