Rule mapping issue

[n00bsteam]

I think it would be better to use sysmon group matching instead windows if_sid. Example: We have Sigma Rule category like image_load, it corresponds to the event sysmon EventID 7 then we can use <if_group>sysmon_event7</if_group>.

[theflakes]

Unfortunately due to the amount of rules it will create an Out Of Memory error the way Wazuh builds those group rule dependencies in memory.

[theflakes]

For reference see: https://groups.google.com/g/wazuh/c/hFlw_w-3tnY

[n00bsteam]

Just tested it and works all good. There only 27 sysmon rules in that groups.

[n00bsteam]

here my sysmon base rules: https://github.com/n00bsteam/SigmaWazuhRules/blob/main/sysmon_groups.xml

[n0rthl1ght]

here my sysmon base rules:

https://github.com/n00bsteam/SigmaWazuhRules/blob/main/sysmon_groups.xml

Dude, do you have hash on filecreation? 11id

[theflakes]

I've changed the logic to prefer any if_group setting defined in the ini config file. If an if_group setting does not exist for a Sigma logsource.product or logsource.service it will use anything in if_sid it finds for them instead.

[n00bsteam]

Dude, do you have hash on filecreation? 11id

no

[n00bsteam]

I've changed the logic to prefer any if_group setting defined in the ini config file. If an if_group setting does not exist for a Sigma logsource.product or logsource.service it will use anything in if_sid it finds for them instead.

Nice job! Thx!

[n00bsteam]

But can you add logsource.category? And will be matched before logsource.service and logsource.product in if_sid?

[theflakes]

Need to think about this. Category is broader than the other two. I may want to make this the last option actually.