SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

Enhancement: add OriginalFileName #23

Closed gs3cl closed 1 year ago

gs3cl commented 1 year ago

Hey,

At the current stage you get an error when trying to convert to Splunk CIM due to the missing field OriginalFileName, like here with sigmaio:


or with sigma-cli


Could you please add this to the backend?

OriginalFileName -> Processes.original_file_name

Reference for Rule Example: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml

Splunk CIM for the field: https://docs.splunk.com/Documentation/CIM/5.1.1/User/Endpoint


In the end the search should look like this:

| tstats summariesonly=false allow_old_summaries=true fillnull_value="null" count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
where Processes.process_path="*\\adplus.exe" 
OR Processes.original_file_name="Adplus.exe" 
Processes.process IN ("* -hang *", "* -pn *", "* -pmn *", "* -p *",
 "* -po *", "* -c *", "* -sc *") 
by Processes.process Processes.dest  Processes.process_path Processes.original_file_name 
 | `drop_dm_object_name(Processes)` 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 

Regards,
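The mapping requested above, as an added example in plain Python (not pySigma's own code): a minimal Sigma-to-Splunk-CIM field map, the "unsupported field" error raised when a mapping is missing, and the tstats wrapper from the expected search. The mapping names other than OriginalFileName and the detection block are assumptions modelled on the CIM docs and the adplus rule.

```python
# Added example (not pySigma's own code): a minimal Sigma -> Splunk CIM field
# mapping plus the "unsupported field" error path reported in this issue.
# OriginalFileName is the requested mapping; other names assumed from CIM docs.
CIM_PROCESS_FIELDS = {
    "Image": "Processes.process_path",
    "OriginalFileName": "Processes.original_file_name",
    "CommandLine": "Processes.process",
    "ParentImage": "Processes.parent_process_path",
}

class UnsupportedFieldError(ValueError):
    """A Sigma field with no CIM mapping: the error shown in the issue."""

def spl_value(value: str, modifier: str) -> str:
    # Backslashes are doubled for Splunk; endswith/contains become wildcards.
    v = value.replace("\\", "\\\\")
    return {"endswith": f'"*{v}"', "contains": f'"*{v}*"'}.get(modifier, f'"{v}"')

def render_selection(selection) -> str:
    """A dict is an AND of its items; a list of dicts is an OR of them."""
    if isinstance(selection, list):
        return " OR ".join(render_selection(item) for item in selection)
    clauses = []
    for name, value in selection.items():
        field, _, modifier = name.partition("|")
        if field not in CIM_PROCESS_FIELDS:
            raise UnsupportedFieldError("backend supports only the following fields for "
                                        "process_creation: " + ",".join(sorted(CIM_PROCESS_FIELDS)))
        cim = CIM_PROCESS_FIELDS[field]
        if isinstance(value, list):
            clauses.append(f"{cim} IN ({', '.join(spl_value(v, modifier) for v in value)})")
        else:
            clauses.append(f"{cim}={spl_value(value, modifier)}")
    return " ".join(clauses)  # Splunk evaluates OR before the implicit AND

def to_tstats(detection: dict) -> str:
    """AND all selections and wrap them in the tstats query from the issue."""
    where = " ".join(render_selection(s) for s in detection.values())
    return ('| tstats summariesonly=false allow_old_summaries=true fillnull_value="null" '
            "count min(_time) as firstTime max(_time) as lastTime "
            f"from datamodel=Endpoint.Processes where {where} "
            "by Processes.process Processes.dest Processes.process_path "
            "Processes.original_file_name | `drop_dm_object_name(Processes)`")

# Constructed detection block shaped like proc_creation_win_adplus_memory_dump.yml.
ADPLUS_DETECTION = {
    "selection_img": [{"Image|endswith": "\\adplus.exe"}, {"OriginalFileName": "Adplus.exe"}],
    "selection_cli": {"CommandLine|contains": [" -hang ", " -pn ", " -pmn ", " -p ",
                                               " -po ", " -c ", " -sc "]},
}
```

Removing the OriginalFileName entry from CIM_PROCESS_FIELDS reproduces the "supports only the following fields" failure from the issue.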

gs3cl commented 1 year ago

@thomaspatzke I tried again with the new version 1.0.3 (https://github.com/SigmaHQ/pySigma-backend-splunk/pull/21); it is also not working. Could you please take a look into this?

Same with the new converter: https://sigconverter.io/


sigma-cli-py3.10) root@csi:/opt/sigma-cli# sigma convert -t splunk -p splunk_cim Rule_test/proc_creation_win_adplus_memory_dump.yml
Parsing Sigma rules  [####################################]  100%
Error while conversion: The Splunk Data Model Sigma backend supports only the following fields for process_creation log source: CommandLine,Computer,CurrentDirectory,Image,IntegrityLevel,ParentCommandLine,ParentImage,ParentProcessGuid,ParentProcessId,ProcessGuid,ProcessId,User

Thanks in advance

thomaspatzke commented 1 year ago

Please re-install the Splunk backend or the virtual Python environment. Just done this from a fresh env and it works:

$ sigma convert -t splunk -p splunk_cim C:\Users\thoma\OneDrive\Devel\sigma\rules\windows\process_creation\proc_creation_win_certutil_encode.yml
Processes.process_path="*\\certutil.exe" OR Processes.original_file_name="CertUtil.exe" Processes.process IN ("*-encode*", "*/encode*")

gs3cl commented 1 year ago

Hey Thomas, yes it works now thanks!