Closed Enarior closed 1 year ago
Hi! Yes, you have to create a pipeline similar to the Sysmon pipeline. The Windows pipeline project was intended for this purpose, but until now there's no mapping for the Image field for Security/4688 events.
Thank you for taking the time to answer me! I have a few questions following your answer, let me know if I should create a new issue for them.
Before getting into creating an entire pipeline on the python source code level, I am simply trying to use a yaml file as a custom pipeline to pass with -p parameter, following this part of the docs.
```
Image|endswith: 'suspicious.exe'
```
Would become
```
ParentImage="*suspicious.exe" OR ProcessName="*whoami.exe"
```
EDIT: found the answer to my second question, it's just like the old sigmac config files. For anyone wondering:
```yaml
transformations:
  - id: field_mapping
    type: field_name_mapping
    mapping:
      Image:
        - ProcessName
        - OriginalFileName
```
Converts into
```
ProcessName="whoami.exe" OR OriginalFileName="whoami.exe"
```
For proc_creation_win_whoami_priv rule.
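Added example, not code from the thread or from the pySigma-pipeline-windows project: a custom pipeline file in the same YAML format as the `-p` file above, extended so that the Image mapping is applied only to Windows process-creation rules and the query is pinned to Security event 4688, which is the gap the original question describes. The transformation and condition types (`field_name_mapping`, `add_condition`, `rule_conditions` of type `logsource`) are pySigma's documented YAML pipeline vocabulary. `NewProcessName` and `ParentProcessName` are the raw event-data field names of event 4688; whether the Splunk index exposes them under those names or under renamed ones, and whether `EventID` is the field name to use rather than e.g. `EventCode`, are assumptions to verify against the index before relying on the output. The file name is also assumed.

```yaml
# windows_audit_4688.yml (assumed file name): pySigma processing pipeline
# that maps Sysmon-style field names onto Windows Security 4688 events.
name: Windows Security 4688 process creation mapping (example)
priority: 20
transformations:
  # Pin process-creation rules to event 4688 so the mapped fields are only
  # evaluated against the event type that actually carries them.
  - id: windows_audit_4688_condition
    type: add_condition
    conditions:
      EventID: 4688          # assumption: check the field name your index uses
    rule_conditions:
      - type: logsource
        product: windows
        category: process_creation

  # Map one Sigma field to one 4688 field. A single target (not a list) keeps
  # the query free of OR branches over fields that 4688 events never carry.
  - id: windows_audit_4688_fields
    type: field_name_mapping
    mapping:
      Image: NewProcessName          # raw 4688 event-data name; assumed as indexed
      ParentImage: ParentProcessName # raw 4688 event-data name; assumed as indexed
    rule_conditions:
      - type: logsource
        product: windows
        category: process_creation

# Usage (assumed file name), chaining the backend's own pipeline first:
#   sigma convert -t splunk -p splunk_windows -p windows_audit_4688.yml rule_path
```

Two points of the design: the `rule_conditions` block scopes each transformation to the rules it is meant for, so rules on other Windows log sources keep their field names; and mapping `Image` to a single target is the better choice for 4688 data, since the list form in the EDIT above (Image to both ProcessName and OriginalFileName) adds an `OriginalFileName` branch that no 4688 event can satisfy, while `NewProcessName` holds the full path, so `Image|endswith` modifiers still translate to the expected wildcard-prefixed match.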
If you struggle with implementing the pipeline as Python project, feel free to post the YAML source and I'm fine to integrate it into the pySigma-pipeline-windows project. Generally, the pySigma tests are a good source for examples. For YAML there are not many because YAML is just another form of the Python representation, [this] is a test containing an example of a YAML pipeline.
I had to update the pySigma-windows-pipeline anyways, so I've migrated the sigmac windows-audit config to a pipeline. It's available in the latest version 1.1.0 of the pipeline. Please check the condition and field name mapping. It might be incomplete, so pull requests are much appreciated!
Thank you so much!
This will help me understand better how the whole thing works. Your update covers exactly what I need for now, but I'll make sure to PR if I need anything! Thank you for your awesome work, and for the help <3
(Link in your first message is broken 😺 )
Hello,
I am trying to convert some sigma rules into Splunk queries. I use pySigma like this:
```
sigma convert -t splunk -p splunk_windows rule_path
```
The resulting queries keep the "Image" field as such, so my splunk app does not detect the suspicious event that it should. e.g., the rule Whoami execution is converted into the following query:
```
Image=\\whoami.exe" OR OriginalFileName="whoami.exe
```
Which works perfectly on Sysmon logs since they have an OriginalFileName field, but not on windows security auditing events (EventID 4688), whose corresponding field is ProcessName (not sure that this is the exact corresponding field, but it contains the same information).
I thought about field mapping, searched pySigma splunk backend and found this pipeline.
The Image field is indeed not mapped for windows security auditing logs.
So, here are my questions: How do I convert sigma rules using the Image field into a Splunk query that correctly matches against windows security auditing events? Less specific, how do I convert a sigma rule into a Splunk query that correctly matches against any native windows event and Sysmon events? Do I have to create a custom pipeline like described in this doc?
Thanks!!