google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Allow Timesketch to have sketch-specific Sigma rules #3004

Open sedoy107 opened 11 months ago

sedoy107 commented 11 months ago

Is your feature request related to a problem? Please describe. My problem is that the Sigma rules are global for each of the sketches. In my case I have multiple unrelated timelines. I have a set of generic Sigma rules that I run on each of the timelines. Then I create Sigma rules that take into account the sketch specifics. The problem is that there is no way for me to restrict particular rules only for certain timelines. All the rules are globally available. This clogs the list of rules in the UI and makes it hard to work with sketches.

Describe the solution you'd like Having global and sketch-specific sigma rules would be a solution to my problem. The user should be able to enter the sketch and view/create sketch-specific rules. The Sigma Analyzer should take into account this sketch-to-rule(s) relationship and run sketch-specific rules on the correct sketch.

Describe alternatives you've considered Currently I've patched the UI to filter the list of Sigma rules based on the sketch name. This gives the desired cosmetic effect, but it is a rather simplistic workaround for the sake of a demo. The rules are still global.

Additional context Here's the patch that will make the UI filter the rules:

diff --git a/timesketch/frontend-ng/src/store.js b/timesketch/frontend-ng/src/store.js
index 56aaa72c..bc6b8652 100644
--- a/timesketch/frontend-ng/src/store.js
+++ b/timesketch/frontend-ng/src/store.js
@@ -85,8 +85,11 @@ export default new Vuex.Store({
       Vue.set(state, 'currentSearchNode', payload)
     },
     SET_SIGMA_LIST(state, payload) {
-      Vue.set(state, 'sigmaRuleList', payload['objects'])
-      Vue.set(state, 'sigmaRuleList_count', payload['meta']['rules_count'])
+      let split_char = '_'
+      let prefix = state.sketch.name.split(split_char)[0]
+      let filtered_rules = payload['objects'].filter(rule => rule.title.startsWith(split_char + prefix) || !rule.title.startsWith(split_char))
+      Vue.set(state, 'sigmaRuleList', filtered_rules)
+      Vue.set(state, 'sigmaRuleList_count', filtered_rules.length)
     },
     SET_ACTIVE_USER(state, payload) {
       ApiClient.getLoggedInUser().then((response) => {
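Review bot: the new body of SET_SIGMA_LIST dereferences `state.sketch.name` unconditionally, so if the rule list is committed before a sketch is loaded into the store (or from a view with no current sketch) the `split(split_char)[0]` call throws; guard on `state.sketch && state.sketch.name` and fall back to the unfiltered `payload['objects']`. The match is also too loose: `rule.title.startsWith(split_char + prefix)` accepts a rule titled `_foo2_...` for a sketch whose prefix is `foo`, so compare the whole segment instead, e.g. `rule.title.split(split_char)[1] === prefix`. Finally, `sigmaRuleList_count` now reports the length of the client-side filtered list rather than `payload['meta']['rules_count']`, and the naming convention this relies on (a leading `_` marks a sketch-specific rule, keyed by the text before the first `_` in the sketch name) is not written down anywhere; a comment should state it and note that the hidden rules are still global on the server and still run by the Sigma analyzer.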
jaegeral commented 11 months ago

Hi thank you for the idea. I see where you are coming from, I would say the quickest way for this is to use saved searches instead, those are sketch specific.

Sigma and the usage of Sigma rules in Timesketch and the corresponding analyzer are designed to be tool-wide, so changing that would require a non-trivial amount of thought. What you can also do, though it might not be as elegant, is use the API in combination with Colab: store your Sigma rules outside of Timesketch, then query your external system, e.g. Yeti, get the Sigma rule, parse it with the TS API to get the TS search query, and run it over the sketch you are interested in.

Hope that helps.