From dcdfaf66f4a0a29afabc24b8158d285581d50adf Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Wed, 16 Oct 2024 15:20:52 -0400 Subject: [PATCH 1/5] Add process and file creation mappings --- salt/soc/files/soc/sigma_so_pipeline.yaml | 66 +++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 8314361f5a..121bc06a60 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml 
@@ -106,3 +106,69 @@ transformations: - type: include_fields fields: - event.code + # Maps Windows + process_creation rules to endpoint process creation logs + - id: endpoint_process_create_windows_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'windows' + rule_conditions: + - type: logsource + category: process_creation + product: windows + # Maps Linux + file_event rules to endpoint file creation logs + - id: endpoint_process_create_linux_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'linux' + rule_conditions: + - type: logsource + category: process_creation + product: linux + # Maps macOS + file_event rules to endpoint file creation logs + - id: endpoint_process_create_macos_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'macos' + rule_conditions: + - type: logsource + category: process_creation + product: macos + # Maps Windows + file_event rules to endpoint file creation logs + - id: endpoint_file_create_windows_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'windows' + rule_conditions: + - type: logsource + category: file_event + product: windows + # Maps Linux + file_event rules to endpoint file creation logs + - id: endpoint_file_create_linux_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'linux' + rule_conditions: + - type: logsource + category: file_event + product: linux + # Maps macOS + file_event rules to endpoint file creation logs + - id: endpoint_file_create_macos_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'macos' + rule_conditions: + - type: logsource + category: file_event + product: macos \ No newline at end of file 
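Review bot: The comments on the Linux and macOS process_creation entries are copy-paste errors — they read `# Maps Linux + file_event rules to endpoint file creation logs` and `# Maps macOS + file_event rules to endpoint file creation logs`, yet the blocks beneath them match `category: process_creation` and set `event.category: 'process'`; they should read `# Maps Linux + process_creation rules to endpoint process creation logs` and `# Maps macOS + process_creation rules to endpoint process creation logs`. The hunk also ends with `\ No newline at end of file`, so the trailing newline should be restored. Patch 5/5 of this series replaces these six OS-specific entries with two OS-agnostic ones, so the comment fix only matters if the OS-specific variants are kept. The `transformations:` list this hunk extends starts outside the hunk.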
From e11c562022978513ac96afbe5d1577160402e41e Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 4 Oct 2024 14:22:27 -0600 Subject: [PATCH 2/5] Added Note to ES Mappings --- .../templates/component/so/detection-mappings.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 5e51b872ba..51e13c829a 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -142,6 +142,9 @@ "userId": { "ignore_above": 1024, "type": "keyword" + }, + "note": { + "type": "text" } } } From 1aa9d87c5db266bb89d79e2256d621047195e7d9 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 8 Oct 2024 09:57:52 -0600 Subject: [PATCH 3/5] Corrected Put the note on the right model this time. --- .../templates/component/so/detection-mappings.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 51e13c829a..9f992f9715 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -97,6 +97,9 @@ "updatedAt": { "type": "date" }, + "note": { + "type": "text" + }, "regex": { "type": "text" }, @@ -143,9 +146,6 @@ "ignore_above": 1024, "type": "keyword" }, - "note": { - "type": "text" - } } } } From 640f53d0857dfffb66db0e8d243e014347c32c4b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 8 Oct 2024 10:15:29 -0600 Subject: [PATCH 4/5] Cleanup Fix indentation and trailing comma. --- .../templates/component/so/detection-mappings.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
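Review bot: In patch 3/5, the second hunk (`@@ -143,9 +146,6 @@`) removes the `note` object but keeps the comma on the preceding `},`, so the last property before the closing braces becomes `"type": "keyword" },` — a trailing comma that strict JSON parsers reject; that line should be `}` without the comma. Patch 4/5 of this series corrects this together with the indentation, so it would be cleaner to fold the fix into this commit rather than leave an intermediate revision that does not parse. The enclosing mapping object starts and ends outside the hunk.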
diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 9f992f9715..2e405912d5 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -21,10 +21,10 @@ "properties": { "publicId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "title": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" }, "severity": { @@ -38,15 +38,15 @@ "description": { "type": "text" }, - "category": { + "category": { "ignore_above": 1024, "type": "keyword" }, - "product": { + "product": { "ignore_above": 1024, "type": "keyword" }, - "service": { + "service": { "ignore_above": 1024, "type": "keyword" }, @@ -64,7 +64,7 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "ruleset": { "ignore_above": 1024, @@ -145,7 +145,7 @@ "userId": { "ignore_above": 1024, "type": "keyword" - }, + } } } } From f3ca5b1c4248f29422a87e00adbcd781b447bc29 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Mon, 28 Oct 2024 09:19:51 -0400 Subject: [PATCH 5/5] Remove OS-specific mappings --- salt/soc/files/soc/sigma_so_pipeline.yaml | 58 +++-------------------- 1 file changed, 6 insertions(+), 52 deletions(-) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 121bc06a60..df8b2709a8 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml 
@@ -106,69 +106,23 @@ transformations: - type: include_fields fields: - event.code - # Maps Windows + process_creation rules to endpoint process creation logs + # Maps process_creation rules to endpoint process creation logs + # This is an OS-agnostic mapping, to account for logs that don't specify source OS - id: endpoint_process_create_windows_add-fields type: add_condition conditions: event.category: 'process' event.type: 'start' - host.os.type: 'windows' rule_conditions: - type: logsource category: process_creation - product: windows - # Maps Linux + file_event rules to endpoint file creation logs - - id: endpoint_process_create_linux_add-fields - type: add_condition - conditions: - event.category: 'process' - event.type: 'start' - host.os.type: 'linux' - rule_conditions: - - type: logsource - category: process_creation - product: linux - # Maps macOS + file_event rules to endpoint file creation logs - - id: endpoint_process_create_macos_add-fields - type: add_condition - conditions: - event.category: 'process' - event.type: 'start' - host.os.type: 'macos' - rule_conditions: - - type: logsource - category: process_creation - product: macos - # Maps Windows + file_event rules to endpoint file creation logs - - id: endpoint_file_create_windows_add-fields - type: add_condition - conditions: - event.category: 'file' - event.type: 'creation' - host.os.type: 'windows' - rule_conditions: - - type: logsource - category: file_event - product: windows - # Maps Linux + file_event rules to endpoint file creation logs - - id: endpoint_file_create_linux_add-fields - type: add_condition - conditions: - event.category: 'file' - event.type: 'creation' - host.os.type: 'linux' - rule_conditions: - - type: logsource - category: file_event - product: linux - # Maps macOS + file_event rules to endpoint file creation logs - - id: endpoint_file_create_macos_add-fields + # Maps file_event rules to endpoint file creation logs + # This is an OS-agnostic mapping, to account for logs that 
don't specify source OS + - id: endpoint_file_create_add-fields type: add_condition conditions: event.category: 'file' event.type: 'creation' - host.os.type: 'macos' rule_conditions: - type: logsource - category: file_event - product: macos \ No newline at end of file + category: file_event \ No newline at end of file
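Review bot: The process mapping keeps its old id `endpoint_process_create_windows_add-fields` although this change drops `host.os.type: 'windows'` from its conditions and `product: windows` from its rule_conditions, while the parallel file mapping is renamed to `endpoint_file_create_add-fields`; rename it `- id: endpoint_process_create_add-fields` so the id no longer implies a Windows-only scope. With `host.os.type` and `product` removed, a Sigma rule written for one product is now mapped onto process-start and file-creation events from every OS, not only onto logs that lack a source OS as the new comment states, so if the intent is limited to OS-less logs that trade-off (broader matching, possible cross-OS false positives) is worth stating in the comment, e.g. `# Applies regardless of host.os.type; rules for one product will also match events from other OSes`. The file still ends with `\ No newline at end of file`; add the trailing newline. The `transformations:` list this hunk edits starts outside the hunk.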