SigmaHQ / pySigma-backend-elasticsearch

pySigma Elasticsearch backend
GNU Lesser General Public License v3.0

Installation of 'elasticsearch' backend plugin not working for sigma cli #74

Closed v1p3r0u5 closed 2 months ago

v1p3r0u5 commented 2 months ago

It looks like atm the installation of the elasticsearch backend plugin via sigma cli is not working. Tried it with version 1.0.3 and 1.0.4 of sigma cli on MacOS as well as on a rocky linux instance.

$ sigma version
1.0.4 (online pypi.org: 1.0.4)

$ sigma plugin install elasticsearch
Successfully installed plugin 'elasticsearch'
pySigma version is compatible with sigma-cli

$ sigma list formats elasticsearch
Usage: sigma list formats [OPTIONS] {lucene|eql|esql|splunk}
Try 'sigma list formats -h' for help.

Error: Invalid value for '{lucene|eql|esql|splunk}': 'elasticsearch' is not one of 'lucene', 'eql', 'esql', 'splunk'.

Same error also occurs when I try to do a conversion. Installing the plugin splunk was working like a charm.

Thx for having a look at it.

frack113 commented 2 months ago

I made a test on Windows:

>sigma version
1.0.4 (online pypi.org: 1.0.4)

>sigma  plugin install elasticsearch
Successfully installed plugin 'elasticsearch'
pySigma version is compatible with sigma-cli

> sigma list targets
+------------+-----------------------+------------------------------+
| Identifier | Target Query Language | Processing Pipeline Required |
+------------+-----------------------+------------------------------+
| lucene     | Elasticsearch Lucene  | Yes                          |
| eql        | Elasticsearch EQL     | Yes                          |
| esql       | ES|QL backend         | Yes                          |
| sqlite     | SQLite backend        | No                           |
+------------+-----------------------+------------------------------+

>sigma convert -t eql   --without-pipeline rules\windows\process_creation\proc_creation_win_7zip_exfil_dmp_files.yml
Parsing Sigma rules  [####################################]  100%
any where (Description:"*7-Zip*" or (Image like~ ("*\\7z.exe", "*\\7zr.exe", "*\\7za.exe")) or (OriginalFileName like~ ("7z.exe", "7za.exe"))) and (CommandLine like~ ("*.dmp*", "*.dump*", "*.hdmp*"))

> sigma list formats eql
+------------------+----------------------------------------------------------+
| Format           | Description                                              |
+------------------+----------------------------------------------------------+
| default          | Plain Elasticsearch EQL queries.                         |
| eqlapi           | Plain EQL queries ready for '/_eql/search' API endpoint. |
| siem_rule        | Elasticsearch EQL queries as SIEM Rule.                  |
| siem_rule_ndjson | Elasticsearch EQL Query as SIEM Rules in NDJSON Format.  |
+------------------+----------------------------------------------------------+

>sigma convert -t eql -f siem_rule  --without-pipeline rules\windows\process_creation\proc_creation_win_7zip_exfil_dmp_files.yml
Parsing Sigma rules  [####################################]  100%
{"name": "SIGMA - 7Zip Compressing Dump Files", "consumer": "siem", "enabled": true, "throttle": null, "schedule": {"interval": "5m"}, "params": {"author": ["Nasreddine Bencherchali (Nextron Systems)"], "description": "Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", "ruleId": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "falsePositives": ["Legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally", "Legitimate use of 7z to compress WER \".dmp\" files for troubleshooting"], "from": "now-5m", "immutable": false, "license": "DRL", "outputIndex": "", "meta": {"from": "1m"}, "maxSignals": 100, "riskScore": 47, "riskScoreMapping": [], "severity": "medium", "severityMapping": [], "threat": [{"tactic": {"id": "TA0009", "reference": "https://attack.mitre.org/tactics/TA0009", "name": "Collection"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1560", "reference": "https://attack.mitre.org/techniques/T1560", "name": "Archive Collected Data", "subtechnique": [{"id": "T1560.001", "reference": "https://attack.mitre.org/techniques/T1560/001", "name": "Archive via Utility"}]}]}], "to": "now", "references": ["https://thedfirreport.com/2022/09/26/bumblebee-round-two/"], "version": 1, "exceptionsList": [], "relatedIntegrations": [], "requiredFields": [], "setup": "", "type": "query", "language": "lucene", "index": ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "traces-apm*", "winlogbeat-*", "-*elastic-cloud-logs-*"], "query": "any where (Description:\"*7-Zip*\" or (Image like~ (\"*\\\\7z.exe\", \"*\\\\7zr.exe\", \"*\\\\7za.exe\")) or (OriginalFileName like~ (\"7z.exe\", \"7za.exe\"))) and (CommandLine like~ (\"*.dmp*\", \"*.dump*\", \"*.hdmp*\"))", "filters": []}, "rule_type_id": "siem.queryRule", "notify_when": "onActiveAlert", "tags": [], "actions": []}

thomaspatzke commented 2 months ago

The Elasticsearch plugin provides the backends for Lucene, EQL and ES|QL. Please use one of these as needed.