wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Field with space #19

Closed frack113 closed 2 years ago

frack113 commented 2 years ago

Trouble

Cannot match rule when the Microsoft field name has a space in it

Useful Information

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_event_log_cleared.yml https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/DE_104_system_log_cleared.evtx

 "rule": [
     "SELECT * FROM logs WHERE (EventID = \"1102\" AND Provider_Name = \"Microsoft-Windows-Eventlog\")"

In the DB it is simply Name

wagga40 commented 2 years ago

Hi,

Zircolite has its own mapping system located in: https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json

To import the EVTX into a SQLite DB, Zircolite flattens the field name into Event.System.Provider.#attributes.Name because in the EVTX it is:

,
            "Provider": {
                "#attributes": {
                    "Guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
                    "Name": "Microsoft-Windows-Eventlog"
                }
            },

So if you want the field name to be "Provider_Name" you just have to update the fieldMappings.json file with "Event.System.Provider.#attributes.Name": "Provider_Name" instead of "Event.System.Provider.#attributes.Name": "Name".

I will update the repository later after some testing.

Thank you for reporting this!
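To make the mapping problem concrete, here is an added, self-contained example (not Zircolite's own code) that flattens an EVTX-derived JSON event into dotted paths, renames the paths through a fieldMappings-style table, loads the result into an in-memory SQLite table, and runs the win_event_log_cleared query from the issue. The sample event, both mapping tables, the choice to store every column as TEXT and to keep unmapped paths as full dotted column names are assumptions made for this example; only the Provider/#attributes layout and the rule query come from the thread.

```python
import sqlite3

# Constructed sample event in the flattened-JSON shape quoted in the thread.
# Only the Provider layout and the Eventlog provider name are from the issue;
# the GUID, channel and user values are made up for this example.
SAMPLE_EVENT = {
    "Event": {
        "System": {
            "Provider": {
                "#attributes": {
                    "Guid": "{00000000-0000-0000-0000-000000000000}",
                    "Name": "Microsoft-Windows-Eventlog",
                }
            },
            "EventID": 1102,
            "Channel": "Security",
        },
        "UserData": {"LogFileCleared": {"SubjectUserName": "constructed-user"}},
    }
}

# Hypothetical mapping tables in the style of config/fieldMappings.json:
# flattened EVTX path -> column name that Sigma rules refer to.
OLD_MAPPINGS = {
    "Event.System.Provider.#attributes.Name": "Name",          # the mapping the issue reports
    "Event.System.EventID": "EventID",
}
NEW_MAPPINGS = {
    "Event.System.Provider.#attributes.Name": "Provider_Name", # the fix proposed above
    "Event.System.EventID": "EventID",
}

# The rule from the issue, with single-quoted string literals so SQLite never
# tries to read "1102" as an identifier (the thread shows it JSON-escaped).
RULE_QUERY = (
    "SELECT * FROM logs WHERE "
    "(EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')"
)


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys, e.g. Event.System.Provider.#attributes.Name."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def map_fields(flat, mappings):
    """Rename flattened paths per the mapping table.

    Unmapped paths keep their full dotted name (assumption for this example),
    which is why they need double-quoting as SQL identifiers below.
    """
    return {mappings.get(path, path): value for path, value in flat.items()}


def load_into_sqlite(events, mappings):
    """Build an in-memory 'logs' table whose columns are the mapped field names."""
    rows = [map_fields(flatten(event), mappings) for event in events]
    columns = sorted({column for row in rows for column in row})
    conn = sqlite3.connect(":memory:")
    # TEXT affinity so the rule's quoted '1102' compares equal to the integer EventID.
    conn.execute("CREATE TABLE logs (%s)" % ", ".join(f'"{c}" TEXT' for c in columns))
    column_list = ", ".join(f'"{c}"' for c in columns)
    placeholders = ", ".join("?" for _ in columns)
    for row in rows:
        values = [None if c not in row else str(row[c]) for c in columns]
        conn.execute(f"INSERT INTO logs ({column_list}) VALUES ({placeholders})", values)
    return conn


def count_matches(events, mappings, query):
    """Return how many rows the rule matches, or None when the query names a
    column the mapping never produced (the 'no such column' failure in the issue)."""
    conn = load_into_sqlite(events, mappings)
    try:
        return len(conn.execute(query).fetchall())
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    print("old mapping:", count_matches([SAMPLE_EVENT], OLD_MAPPINGS, RULE_QUERY))  # None
    print("new mapping:", count_matches([SAMPLE_EVENT], NEW_MAPPINGS, RULE_QUERY))  # 1
```

With the old table the provider name lands in a column called Name, so the query fails on Provider_Name and the rule silently produces no detection; with the corrected entry the same event matches. The takeaway for anyone maintaining a mapping file is that a rule field absent from the mapping is a detection gap, not just a naming nit.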

teddy-ROxPin commented 2 years ago

@wagga40 I ran into an issue with the 'Provider_Name' field myself. It's not a widely used field, only in about 12 rules currently, and seems to be redundant to the 'logsource' section. So far, I've found it easiest to delete the line that contains 'Provider_Name:' in any rule file where it exists and then processing the rules to create the query syntax.

frack113 commented 2 years ago

It is a simple mapping trouble (same in sigmac backend configs yml). Provider_Name is a valid and useful information:

wagga40 commented 2 years ago

> @wagga40 I ran into an issue with the 'Provider_Name' field myself. It's not a widely used field, only in about 12 rules currently, and seems to be redundant to the 'logsource' section. So far, I've found it easiest to delete the line that contains 'Provider_Name:' in any rule file where it exists and then processing the rules to create the query syntax.

It is effectively a way to solve the problem 😅 I don’t have access to my laptop but I will update the field mappings in Zircolite soon.

frack113 commented 2 years ago

An option to have missing sigma rule fields in config/fieldMappings.json would be great