Initial commit

This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions


@@ -0,0 +1,390 @@
# Sigma Backend Support Reference
## Supported SIEM/Security Platforms
### Splunk
**Backend**: `splunk`
**Query Language**: SPL (Search Processing Language)
**Installation**:
```bash
pip install pysigma-backend-splunk
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend splunk
```
**Output Format**:
```spl
index=windows EventID=4688 Image="*\\powershell.exe" CommandLine IN ("*-enc*", "*-EncodedCommand*", "*FromBase64String*")
```
**Deployment**:
- Save as saved search via Splunk Web UI
- Deploy via REST API: `/servicesNS/-/-/saved/searches`
- Use Splunk Enterprise Security correlation rules
**Field Mappings**:
- Sigma `Image` → Splunk `Image` (Sysmon)
- Sigma `CommandLine` → Splunk `CommandLine`
- Sigma `User` → Splunk `User`
### Elasticsearch
**Backend**: `elasticsearch` or `elastic`
**Query Language**: Elasticsearch Query DSL / Lucene
**Installation**:
```bash
pip install pysigma-backend-elasticsearch
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend elasticsearch
```
**Output Format**:
```json
{
"query": {
"bool": {
"must": [
{"wildcard": {"Image": "*\\powershell.exe"}},
{"terms": {"CommandLine": ["-enc", "-EncodedCommand"]}}
]
}
}
}
```
**Deployment**:
- Elastic Security Detection Rules
- Kibana Saved Searches
- ElastAlert rules
**Field Mappings** (ECS - Elastic Common Schema):
- Sigma `Image` → ECS `process.executable`
- Sigma `CommandLine` → ECS `process.command_line`
- Sigma `User` → ECS `user.name`
### Microsoft Sentinel (Azure Sentinel)
**Backend**: `sentinel` or `kusto`
**Query Language**: KQL (Kusto Query Language)
**Installation**:
```bash
pip install pysigma-backend-microsoft365defender
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend sentinel
```
**Output Format**:
```kql
SecurityEvent
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| where CommandLine contains "-enc" or CommandLine contains "-EncodedCommand"
```
**Deployment**:
- Azure Sentinel Analytics Rules
- Deploy via ARM templates
- Use Azure Sentinel API
**Field Mappings**:
- Sigma `Image` → Sentinel `ProcessName`
- Sigma `CommandLine` → Sentinel `CommandLine`
- Sigma `User` → Sentinel `AccountName`
### IBM QRadar
**Backend**: `qradar` or `aql`
**Query Language**: AQL (Ariel Query Language)
**Installation**:
```bash
pip install pysigma-backend-qradar
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend qradar
```
**Output Format**:
```sql
SELECT * FROM events WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
AND "EventID" = '4688'
AND "Image" ILIKE '%\\powershell.exe'
```
**Deployment**:
- QRadar Custom Rules
- Deploy via QRadar API
- AQL searches
### Elastic Security (EQL)
**Backend**: `eql`
**Query Language**: EQL (Event Query Language)
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend eql
```
**Output Format**:
```eql
process where process.name == "powershell.exe" and
(process.command_line like~ "*-enc*" or
process.command_line like~ "*-EncodedCommand*")
```
**Deployment**:
- Elastic Security Detection Rules
- EQL searches in Kibana
### Chronicle (Google)
**Backend**: `chronicle`
**Query Language**: YARA-L
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend chronicle
```
### Others
Additional backends available via pySigma plugins:
- **LimaCharlie**: EDR platform
- **OpenSearch**: Fork of Elasticsearch
- **LogPoint**: SIEM platform
- **ArcSight**: SIEM platform
- **Carbon Black**: EDR platform
- **CrowdStrike**: EDR platform (Falcon)
- **SentinelOne**: EDR platform
- **Datadog**: Cloud monitoring platform
- **Sumo Logic**: Cloud SIEM
## Backend Installation
### Core pySigma
```bash
pip install pysigma
```
### Backend Plugins
```bash
# Splunk
pip install pysigma-backend-splunk
# Elasticsearch
pip install pysigma-backend-elasticsearch
# Microsoft 365 Defender / Sentinel
pip install pysigma-backend-microsoft365defender
# QRadar
pip install pysigma-backend-qradar
# Multiple backends
pip install pysigma-backend-splunk pysigma-backend-elasticsearch
```
## Backend Limitations
### Field Mapping Gaps
Some backends may not support all Sigma field modifiers:
**Issue**: Backend doesn't support regex field modifier `|re`
**Solution**:
- Use alternative field modifiers (`contains`, `endswith`)
- Implement custom pipeline transformations
- Post-process in SIEM after conversion
### Unsupported Features
| Feature | Splunk | Elasticsearch | Sentinel | QRadar |
|---------|--------|---------------|----------|--------|
| Regex | ✓ | ✓ | ✓ | ✓ |
| Base64 decode | Limited | Limited | ✓ | Limited |
| CIDR matching | ✓ | ✓ | ✓ | ✓ |
| Wildcards | ✓ | ✓ | ✓ | ✓ |
### Data Source Availability
Not all log sources may be available in all backends:
**Check availability**:
1. Verify log source is ingested in your SIEM
2. Confirm field mappings match
3. Test converted query with sample data
## Custom Pipelines
pySigma supports custom processing pipelines for field transformations:
```python
from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.backends.splunk import SplunkBackend
# Apply Sysmon field mappings before conversion
backend = SplunkBackend()
pipeline = sysmon_pipeline()
converted = backend.convert_rule(rule, pipeline)
```
## Deployment Automation
### Splunk Deployment
```python
import requests
# Splunk REST API
url = "https://splunk:8089/servicesNS/nobody/search/saved/searches"
auth = ("admin", "password")
data = {
"name": "Sigma - Suspicious PowerShell",
"search": converted_query,
"description": rule.description,
"cron_schedule": "*/5 * * * *", # Every 5 minutes
"actions": "email",
"action.email.to": "soc@company.com"
}
response = requests.post(url, auth=auth, data=data, verify=False)
```
### Elasticsearch Deployment
```python
from elasticsearch import Elasticsearch
es = Elasticsearch(["https://elasticsearch:9200"])
# Deploy as Elasticsearch detection rule
rule_doc = {
"name": rule.title,
"description": rule.description,
"query": converted_query,
"severity": rule.level,
"tags": rule.tags
}
es.index(index="detection-rules", document=rule_doc)
```
### Microsoft Sentinel Deployment
```bash
# ARM template deployment
az sentinel alert-rule create \
--resource-group myResourceGroup \
--workspace-name mySentinelWorkspace \
--rule-name "Sigma - Suspicious PowerShell" \
--query "$converted_query" \
--severity Medium \
--enabled true
```
## Testing Converted Queries
### Splunk
```spl
# Test in Splunk search
index=windows earliest=-24h
| eval match=case(
Image="*\\powershell.exe" AND (CommandLine LIKE "%enc%" OR CommandLine LIKE "%EncodedCommand%"), "MATCH",
1=1, "NO MATCH"
)
| stats count by match
```
### Elasticsearch
```json
POST /winlogbeat-*/_search
{
"query": {
"bool": {
"must": [
{"wildcard": {"process.executable": "*\\powershell.exe"}},
{"terms": {"process.command_line": ["-enc", "-EncodedCommand"]}}
]
}
}
}
```
### Sentinel
```kql
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| summarize count() by bin(TimeGenerated, 1h)
```
## Troubleshooting
### Conversion Fails
**Error**: `Unsupported field modifier for backend`
**Solution**:
```bash
# Use debug mode to see detailed error
python scripts/sigma_convert.py rule.yml --backend splunk --debug
```
Check `references/field-modifiers.md` for backend compatibility.
### Query Doesn't Return Expected Results
**Steps**:
1. Verify log source is ingested
2. Check field name mappings
3. Test with known-positive sample
4. Validate field value case sensitivity
5. Check time range in query
### Performance Issues
Large, complex queries may impact SIEM performance:
**Optimization**:
- Add index/sourcetype filters early
- Use specific time ranges
- Optimize field modifiers (prefer exact match over regex)
- Test query performance before deployment
## Resources
- [pySigma Documentation](https://github.com/SigmaHQ/pySigma)
- [pySigma Backend Plugins](https://github.com/SigmaHQ/pySigma/blob/main/Backends.md)
- [Sigma Converter Web Tool](https://sigconverter.io/)
- [Sigma GitHub Repository](https://github.com/SigmaHQ/sigma)
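Review bot: the Splunk deployment snippet under "Deployment Automation" hardcodes credentials and disables certificate verification: `auth = ("admin", "password")` and `requests.post(url, auth=auth, data=data, verify=False)`. For a reference that readers will copy, take the credential (or a Splunk token) from the environment and drop `verify=False`, pointing `verify` at the CA bundle instead; the same snippet also uses `converted_query` and `rule` without defining them, so it does not run as shown. In the Elasticsearch deployment block the comment `# Deploy as Elasticsearch detection rule` overstates what `es.index(index="detection-rules", document=rule_doc)` does: it stores a document in an ordinary index and does not register anything with the Elastic Security detection engine, which is managed through the Kibana detection-rules API; either say so or switch to that API. In the Sentinel block the comment `# ARM template deployment` sits on an `az sentinel alert-rule create` command, not a template. Finally, the "Testing Converted Queries" SPL will not run: `#` is not a comment marker in SPL, and inside `eval`/`case()` the comparison `Image="*\\powershell.exe"` is a literal string compare in which the wildcard is not honoured; use `like(Image, "%\\powershell.exe")` or `match()` there.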


@@ -0,0 +1,361 @@
# Compliance Framework Mappings for Sigma Detection Rules
## PCI-DSS v3.2.1
### Requirement 10.2 - Implement automated audit trails
#### 10.2.1 - Access to cardholder data
**Detection Requirements**: Monitor all access to cardholder data environments
**Sigma Tags**: `pci-dss.10.2.1`
**Example Rules**:
- File access to cardholder data locations
- Database queries accessing payment card fields
- Application logs showing cardholder data retrieval
```yaml
tags:
- pci-dss.10.2.1
logsource:
category: file_event
detection:
selection:
TargetFilename|contains: '\cardholder-data\'
```
#### 10.2.2 - All actions taken by any individual with root or administrative privileges
**Sigma Tags**: `pci-dss.10.2.2`
**Example Rules**:
- Privileged account usage
- sudo/runas commands
- Administrative actions on critical systems
```yaml
tags:
- pci-dss.10.2.2
logsource:
category: process_creation
detection:
selection:
User|contains: 'admin'
```
#### 10.2.4 - Invalid logical access attempts
**Sigma Tags**: `pci-dss.10.2.4`
**Example Rules**:
- Failed authentication attempts
- Account lockouts
- Access denied events
```yaml
tags:
- pci-dss.10.2.4
logsource:
category: authentication
detection:
selection:
EventID: 4625 # Failed logon
```
#### 10.2.5 - Use of identification and authentication mechanisms
**Sigma Tags**: `pci-dss.10.2.5`
**Example Rules**:
- Account creation/deletion/modification
- Password changes
- Multi-factor authentication events
```yaml
tags:
- pci-dss.10.2.5
logsource:
category: authentication
detection:
selection:
EventID:
- 4720 # Account created
- 4724 # Password reset
```
#### 10.2.7 - Creation and deletion of system-level objects
**Sigma Tags**: `pci-dss.10.2.7`
**Example Rules**:
- System service creation
- Scheduled task creation
- New user account creation
```yaml
tags:
- pci-dss.10.2.7
logsource:
category: process_creation
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains: 'create'
```
## NIST SP 800-53 Rev. 5
### AU-2 - Event Logging
**Controls**: Organization defines auditable events
**Sigma Tags**: `nist-800-53.au-2`
**Coverage**:
- Security-relevant events
- Success and failure of events
- Actions by privileged users
### AU-3 - Content of Audit Records
**Controls**: Audit records contain sufficient information
**Sigma Tags**: `nist-800-53.au-3`
**Required Fields**:
- Event type, date/time, outcome
- Subject identity, object identity
- Data source
### AU-6 - Audit Review, Analysis, and Reporting
**Controls**: Review and analyze audit records
**Sigma Tags**: `nist-800-53.au-6`
**Detection Focus**:
- Automated scanning for anomalies
- Correlation of audit records
- Investigation and reporting
### AU-12 - Audit Generation
**Controls**: System provides audit record generation
**Sigma Tags**: `nist-800-53.au-12`
**Coverage**:
- Generate audit records for defined events
- Allow authorized users to select auditable events
- Privileged commands
### SI-4 - System Monitoring
**Controls**: Monitor the system to detect attacks and indicators
**Sigma Tags**: `nist-800-53.si-4`
**Detection Coverage**:
- Unauthorized access attempts
- Unauthorized use of privileges
- Malicious code detection
```yaml
tags:
- nist-800-53.si-4
- nist-800-53.au-12
logsource:
category: process_creation
detection:
selection:
CommandLine|contains: 'mimikatz'
```
### AC-2 - Account Management
**Controls**: Account creation, modification, removal
**Sigma Tags**: `nist-800-53.ac-2`
**Example Rules**:
- Account lifecycle events
- Privileged account monitoring
- Account attribute changes
### IA-2 - Identification and Authentication
**Controls**: Uniquely identify and authenticate users
**Sigma Tags**: `nist-800-53.ia-2`
**Example Rules**:
- Multi-factor authentication
- Authentication failures
- Session management
## ISO/IEC 27001:2013
### A.12.4.1 - Event logging
**Control**: Event logs recording user activities, exceptions, and security events
**Sigma Tags**: `iso27001.a.12.4.1`
**Requirements**:
- User IDs
- System activities
- Date, time, and details of key events
- Device identity or location
- Records of successful and rejected system access attempts
```yaml
tags:
- iso27001.a.12.4.1
logsource:
category: authentication
detection:
selection:
EventID:
- 4624 # Successful logon
- 4625 # Failed logon
```
### A.12.4.2 - Protection of log information
**Control**: Logging facilities and log information protected
**Sigma Tags**: `iso27001.a.12.4.2`
**Detection Focus**:
- Unauthorized access to logs
- Log deletion or modification
- Log integrity violations
### A.12.4.3 - Administrator and operator logs
**Control**: System administrator and operator activities logged
**Sigma Tags**: `iso27001.a.12.4.3`
**Example Rules**:
- Privileged command execution
- System configuration changes
- Administrative access
```yaml
tags:
- iso27001.a.12.4.3
logsource:
category: process_creation
detection:
selection:
User|contains:
- 'admin'
- 'root'
```
### A.9.2.1 - User registration and de-registration
**Control**: Account management processes
**Sigma Tags**: `iso27001.a.9.2.1`
**Example Rules**:
- Account creation
- Account deletion
- Account modification
### A.9.4.1 - Information access restriction
**Control**: Access to information and systems restricted
**Sigma Tags**: `iso27001.a.9.4.1`
**Detection Focus**:
- Unauthorized access attempts
- Privilege escalation
- Access control violations
## SOC 2 Trust Service Criteria
### CC6.1 - Logical and Physical Access Controls
**Criteria**: Restrict access to authorized users
**Detection Coverage**:
- Authentication monitoring
- Authorization violations
- Privileged access usage
### CC7.2 - System Monitoring
**Criteria**: Monitor system components
**Detection Coverage**:
- Security event monitoring
- Anomaly detection
- Threat detection
### CC7.3 - Evaluation and Response
**Criteria**: Evaluate events and respond
**Detection Focus**:
- Security incident detection
- Alert generation and escalation
- Response actions
## Tag Format
Use this format for compliance tags:
```yaml
tags:
- {framework}.{control-id}
```
**Examples**:
```yaml
tags:
- pci-dss.10.2.5
- nist-800-53.au-2
- iso27001.a.12.4.1
```
## Multi-Framework Mapping
Rules can map to multiple frameworks:
```yaml
title: Failed Authentication Monitoring
tags:
- attack.credential_access
- attack.t1110
- pci-dss.10.2.4
- pci-dss.10.2.5
- nist-800-53.au-2
- nist-800-53.au-12
- nist-800-53.ia-2
- iso27001.a.12.4.1
- iso27001.a.9.2.1
```
## Compliance Coverage Analysis
Use `compliance_coverage.py` script to analyze rule coverage:
```bash
# Analyze PCI-DSS coverage
python scripts/compliance_coverage.py --directory rules/ --framework pci-dss
# Generate coverage report
python scripts/compliance_coverage.py --directory rules/ --framework nist-800-53 --report coverage.md
```
## Resources
- [PCI DSS v3.2.1](https://www.pcisecuritystandards.org/)
- [NIST SP 800-53 Rev. 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- [ISO/IEC 27001:2013](https://www.iso.org/standard/54534.html)
- [SOC 2 Trust Service Criteria](https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/trust-services-criteria)


@@ -0,0 +1,426 @@
# Sigma Field Modifiers Reference
## Overview
Field modifiers transform field values during rule matching. Use pipe `|` syntax to apply modifiers to field names.
**Syntax**: `FieldName|modifier: value`
## String Modifiers
### contains
**Description**: Case-insensitive substring match
**Usage**:
```yaml
detection:
selection:
CommandLine|contains: 'powershell'
```
**Matches**:
- `C:\Windows\System32\WindowsPowerShell\powershell.exe -enc`
- `powershell -command "iex"`
- `POWERSHELL.EXE`
**Backend Support**: All backends
### startswith
**Description**: Case-insensitive prefix match
**Usage**:
```yaml
detection:
selection:
CommandLine|startswith: 'powershell'
```
**Matches**:
- `powershell -enc AAAA`
- `PowerShell.exe -command`
**Does Not Match**:
- `C:\Windows\System32\powershell.exe`
**Backend Support**: All backends
### endswith
**Description**: Case-insensitive suffix match
**Usage**:
```yaml
detection:
selection:
Image|endswith: '\powershell.exe'
```
**Matches**:
- `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
- `powershell.exe`
**Backend Support**: All backends
### all
**Description**: All values in list must match
**Usage**:
```yaml
detection:
selection:
CommandLine|contains|all:
- 'powershell'
- '-enc'
- 'FromBase64'
```
**Requires**: All three substrings present in CommandLine
**Backend Support**: Most backends (check specific backend documentation)
## Regular Expression Modifiers
### re
**Description**: Regular expression match
**Usage**:
```yaml
detection:
selection:
CommandLine|re: 'powershell(.exe)?\s+-enc.*'
```
**Matches**:
- `powershell -enc AAAABBBB`
- `powershell.exe -encodedcommand AAAA`
**Backend Support**: Varies by backend (Splunk ✓, Elasticsearch ✓, Sentinel ✓)
**Performance Note**: Regex can be slow on large datasets
### re (with case-insensitive flag)
**Usage**:
```yaml
detection:
selection:
CommandLine|re: '(?i)powershell.*-enc'
```
## Encoding Modifiers
### base64
**Description**: Match base64-encoded value
**Usage**:
```yaml
detection:
selection:
CommandLine|base64|contains: 'Invoke-Mimikatz'
```
**How it works**: Encodes search string to base64 before matching
**Encoded Value**: `SW52b2tlLU1pbWlrYXR6`
**Backend Support**: Limited (check backend documentation)
### base64offset
**Description**: Match base64 with offset variations
**Usage**:
```yaml
detection:
selection:
CommandLine|base64offset|contains: 'Invoke-Mimikatz'
```
**Why**: Base64 encoding can vary based on string position. This checks all offset variations.
**Generates**:
- `SW52b2tlLU1pbWlrYXR6`
- `ludm9rZS1NaW1pa2F0e`
- `JbnZva2UtTWltaWthdH`
**Backend Support**: Limited
### wide
**Description**: Match UTF-16 wide character encoding
**Usage**:
```yaml
detection:
selection:
FileContent|wide|contains: 'malicious'
```
**Encoded**: `m\x00a\x00l\x00i\x00c\x00i\x00o\x00u\x00s\x00`
## Case Modifiers
### (default - case insensitive)
**Description**: By default, Sigma matches are case-insensitive
**Usage**:
```yaml
detection:
selection:
CommandLine|contains: 'powershell' # Matches PowerShell, POWERSHELL, etc.
```
## Type Conversion Modifiers
### lt / lte / gt / gte
**Description**: Numeric comparison (less than, less/equal, greater than, greater/equal)
**Usage**:
```yaml
detection:
selection:
EventID|gte: 4624
EventID|lte: 4634
```
**Backend Support**: Most backends
## Aggregation Modifiers (in condition)
### count
**Description**: Count occurrences
**Usage**:
```yaml
detection:
selection:
EventID: 4625 # Failed logon
condition: selection | count(TargetUserName) by SourceIp > 5
```
**Meaning**: More than 5 failed logons from same IP within timeframe
**Backend Support**: Varies (typically requires SIEM correlation capabilities)
### near
**Description**: Events occur within proximity
**Usage**:
```yaml
condition: selection1 and selection2 | near(timespan=30s)
```
**Meaning**: Both events occur within 30 seconds
**Backend Support**: Limited (backend-dependent)
## Chaining Modifiers
Modifiers can be chained:
```yaml
detection:
selection:
CommandLine|base64offset|contains: 'Invoke-Mimikatz'
Image|endswith: '\powershell.exe'
```
**Order matters**: Apply modifiers left to right
**Example**: `|base64|contains` first encodes to base64, then checks contains
## Common Patterns
### Pattern 1: Flexible PowerShell Detection
```yaml
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-enc'
- '-EncodedCommand'
- '-e '
```
### Pattern 2: Process Chain Detection
```yaml
detection:
selection:
ParentImage|endswith: '\winword.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
```
### Pattern 3: File Path Detection
```yaml
detection:
selection:
TargetFilename|contains: '\AppData\Roaming\'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ps1'
```
### Pattern 4: Encoded Command Detection
```yaml
detection:
selection:
CommandLine|base64offset|contains:
- 'Invoke-Expression'
- 'IEX'
- 'Net.WebClient'
```
## Backend Compatibility Matrix
| Modifier | Splunk | Elasticsearch | Sentinel | QRadar |
|----------|--------|---------------|----------|--------|
| contains | ✓ | ✓ | ✓ | ✓ |
| startswith | ✓ | ✓ | ✓ | ✓ |
| endswith | ✓ | ✓ | ✓ | ✓ |
| all | ✓ | ✓ | ✓ | Partial |
| re | ✓ | ✓ | ✓ | ✓ |
| base64 | Limited | Limited | ✓ | Limited |
| base64offset | Limited | Limited | Limited | No |
| wide | Limited | Limited | Limited | No |
| lt/gt/lte/gte | ✓ | ✓ | ✓ | ✓ |
**Legend**:
- ✓: Full support
- Limited: Partial support, may require workarounds
- No: Not supported
## Best Practices
### 1. Prefer Specific Modifiers
**Don't**:
```yaml
CommandLine|contains: 'powershell'
```
**Do**:
```yaml
Image|endswith: '\powershell.exe'
```
**Why**: More precise, better performance
### 2. Use `all` for Multiple Requirements
**Don't**:
```yaml
CommandLine|contains: 'powershell'
CommandLine|contains: '-enc'
```
**Do**:
```yaml
CommandLine|contains|all:
- 'powershell'
- '-enc'
```
**Why**: Clearer intent, single field evaluation
### 3. Avoid Excessive Regex
**Don't**:
```yaml
CommandLine|re: '.*powershell.*-enc.*'
```
**Do**:
```yaml
CommandLine|contains|all:
- 'powershell'
- '-enc'
```
**Why**: Regex is slower, harder to tune
### 4. Test Modifiers with Backend
Always test converted queries in target SIEM:
```bash
# Convert rule
python scripts/sigma_convert.py rule.yml --backend splunk
# Test in Splunk search interface
# Verify expected matches/non-matches
```
### 5. Document Complex Modifiers
When using `base64offset` or `wide`, document why:
```yaml
title: Encoded PowerShell Command Detection
description: |
Detects base64-encoded PowerShell commands with offset variations
to catch encoding attempts regardless of string position.
detection:
selection:
CommandLine|base64offset|contains: 'Invoke-Mimikatz'
```
## Troubleshooting
### Modifier Not Supported in Backend
**Error**: `Field modifier 'base64offset' not supported by backend 'qradar'`
**Solutions**:
1. Use alternative modifier (`contains` instead of `base64offset`)
2. Implement custom pipeline transformation
3. Post-process in SIEM after ingestion
### No Matches Despite Known Positive Data
**Causes**:
- Case sensitivity (shouldn't be issue with Sigma, but check backend)
- Field name mismatch (check field mappings)
- Modifier not applied correctly
**Debug**:
```bash
# Check converted query
python scripts/sigma_convert.py rule.yml --backend splunk --debug
# Test simplified query without modifiers
# Add modifiers incrementally
```
### Performance Issues
**Problem**: Query with `|re` too slow
**Solution**:
- Replace regex with `contains`, `startswith`, `endswith`
- Add more specific filters (EventID, Image path)
- Limit time range
## Resources
- [Sigma Specification - Modifiers](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#field-modifiers)
- [pySigma Transformations](https://github.com/SigmaHQ/pySigma)
- [Regex Testing Tool](https://regex101.com/)


@@ -0,0 +1,261 @@
# Sigma Log Source Reference
## Log Source Categories
### process_creation
**Description**: Process creation/execution events
**Common Products**: Windows (Sysmon Event ID 1), Linux (auditd), EDR platforms
**Key Fields**:
- `Image` - Full path to executable
- `CommandLine` - Full command line with arguments
- `ParentImage` - Parent process executable path
- `ParentCommandLine` - Parent process command line
- `User` - User account that created process
- `IntegrityLevel` - Process integrity level (Windows)
- `Hashes` - File hashes (MD5, SHA256)
**Example**:
```yaml
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: '-enc'
```
### network_connection
**Description**: Network connection events
**Common Products**: Sysmon Event ID 3, Firewall logs, EDR
**Key Fields**:
- `Image` - Process making connection
- `DestinationIp` - Remote IP address
- `DestinationPort` - Remote port
- `DestinationHostname` - Remote hostname
- `SourceIp` - Local IP address
- `SourcePort` - Local port
- `Initiated` - Connection initiated (true/false)
**Example**:
```yaml
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationPort: 4444
```
### file_event
**Description**: File creation, modification, deletion
**Common Products**: Sysmon Events 11/23, File integrity monitoring
**Key Fields**:
- `Image` - Process creating/modifying file
- `TargetFilename` - File path
- `CreationUtcTime` - File creation time
**Example**:
```yaml
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Windows\Temp\'
TargetFilename|endswith: '.exe'
```
### registry_event
**Description**: Registry key/value modifications
**Common Products**: Sysmon Events 12/13/14, Windows Event Logs
**Key Fields**:
- `TargetObject` - Registry key path
- `Details` - Registry value data
- `EventType` - SetValue, CreateKey, DeleteKey
**Example**:
```yaml
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\CurrentVersion\Run'
```
### image_load
**Description**: DLL/image load events
**Common Products**: Sysmon Event ID 7
**Key Fields**:
- `Image` - Process loading the image
- `ImageLoaded` - Path to loaded DLL/image
- `Signed` - Digital signature status
**Example**:
```yaml
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\evil.dll'
Signed: 'false'
```
### dns_query
**Description**: DNS query events
**Common Products**: Sysmon Event ID 22, DNS server logs, proxy logs
**Key Fields**:
- `QueryName` - DNS name queried
- `QueryResults` - DNS response IPs
- `Image` - Process making query
**Example**:
```yaml
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith: '.onion'
```
### web_request
**Description**: HTTP/HTTPS requests
**Common Products**: Proxy logs, web server logs, WAF
**Key Fields**:
- `c-uri` - Requested URI
- `c-useragent` - User agent string
- `cs-method` - HTTP method
- `sc-status` - HTTP status code
### authentication
**Description**: Authentication events (success/failure)
**Common Products**: Windows Security Events 4624/4625, Linux auth.log
**Key Fields**:
- `EventID` - 4624 (success), 4625 (failure), 4768 (Kerberos)
- `LogonType` - Type of logon (2=Interactive, 3=Network, 10=RemoteInteractive)
- `TargetUserName` - Account being authenticated
- `WorkstationName` - Source workstation
- `IpAddress` - Source IP
**Example**:
```yaml
logsource:
category: authentication
product: windows
detection:
selection:
EventID: 4625 # Failed logon
```
## Products
Common product values:
- `windows` - Windows OS
- `linux` - Linux OS
- `macos` - macOS
- `azure` - Microsoft Azure
- `aws` - Amazon Web Services
- `gcp` - Google Cloud Platform
- `m365` - Microsoft 365
- `okta` - Okta identity platform
- `firewall` - Generic firewall
- `proxy` - Web proxy
## Service Definitions
For cloud services, use service field:
```yaml
logsource:
product: azure
service: azuread
```
Common services:
- `azuread` - Azure Active Directory
- `azureactivity` - Azure Activity Logs
- `cloudtrail` - AWS CloudTrail
- `cloudwatch` - AWS CloudWatch
- `gcp.audit` - GCP Audit Logs
## Field Naming Conventions
Sigma uses normalized field names:
### Process Fields
- `Image` - Full executable path
- `CommandLine` - Command line arguments
- `ParentImage` - Parent process path
- `User` - Username
- `ProcessId` - Process ID
### Network Fields
- `SourceIp` / `DestinationIp`
- `SourcePort` / `DestinationPort`
- `Protocol` - Network protocol
### File Fields
- `TargetFilename` - File path
- `SourceFilename` - Original file location (for copies/moves)
### Registry Fields
- `TargetObject` - Registry key path
- `Details` - Registry value data
## Backend-Specific Mappings
Each backend maps these generic fields to product-specific field names:
**Sigma Generic****Splunk Sysmon**:
- `Image``Image`
- `CommandLine``CommandLine`
- `ParentImage``ParentImage`
**Sigma Generic****Elasticsearch ECS**:
- `Image``process.executable`
- `CommandLine``process.command_line`
- `ParentImage``process.parent.executable`
## Log Source Discovery
To identify available log sources:
1. **Review SIEM data sources**: Check what logs are ingested
2. **Verify field mappings**: Ensure Sigma fields map correctly
3. **Test conversions**: Convert sample rules and validate output
4. **Check coverage**: Ensure critical log sources are available
## Resources
- [Sigma Log Sources](https://github.com/SigmaHQ/sigma/wiki/Log-Sources)
- [Sysmon Event IDs](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
- [Windows Security Events](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/)


@@ -0,0 +1,362 @@
# MITRE ATT&CK Mapping for Sigma Rules
## Table of Contents
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Command and Control](#command-and-control)
- [Exfiltration](#exfiltration)
- [Impact](#impact)
## Execution
### T1059.001 - PowerShell
**Description**: Adversaries abuse PowerShell for execution
**Log Sources**: process_creation (Windows)
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-enc'
- '-EncodedCommand'
- 'FromBase64String'
- 'Invoke-Expression'
- 'IEX'
```
**Tags**:
```yaml
tags:
- attack.execution
- attack.t1059.001
```
### T1059.003 - Windows Command Shell
**Description**: Abuse of cmd.exe for execution
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- '/c'
- '/k'
- '&'
- '|'
```
## Persistence
### T1053.005 - Scheduled Task
**Description**: Adversaries create scheduled tasks for persistence
**Log Sources**: process_creation, registry_event
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- '/create'
- '/sc minute'
```
### T1547.001 - Registry Run Keys
**Description**: Persistence via registry run keys
**Log Sources**: registry_event
**Detection Pattern**:
```yaml
logsource:
category: registry_event
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
```
## Privilege Escalation
### T1055 - Process Injection
**Description**: Adversaries inject code into processes
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 8 # CreateRemoteThread
TargetImage|endswith:
- '\lsass.exe'
- '\explorer.exe'
```
### T1548.002 - Bypass User Account Control
**Description**: UAC bypass techniques
**Detection Pattern**:
```yaml
detection:
selection:
CommandLine|contains:
- 'eventvwr.exe'
- 'fodhelper.exe'
IntegrityLevel: 'High'
```
## Defense Evasion
### T1027 - Obfuscated Files or Information
**Description**: Files or information made difficult to discover or analyze
**Detection Pattern**:
```yaml
detection:
selection:
CommandLine|contains:
- '-enc'
- 'base64'
- 'FromBase64'
- 'convert]::FromBase64String'
```
### T1070.001 - Clear Windows Event Logs
**Description**: Clearing Windows event logs
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 1102 # Security log cleared
```
## Credential Access
### T1003.001 - LSASS Memory
**Description**: Credential dumping from LSASS memory
**Detection Pattern**:
```yaml
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess:
- '0x1010'
- '0x1410'
- '0x147a'
```
### T1558.003 - Kerberoasting
**Description**: Service principal name abuse for credential theft
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 4769
ServiceName|endswith: '$'
TicketEncryptionType: '0x17'
```
## Discovery
### T1087 - Account Discovery
**Description**: Adversaries enumerate account information
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains:
- 'user'
- 'group'
- 'localgroup administrators'
```
### T1082 - System Information Discovery
**Description**: System and hardware information gathering
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith:
- '\systeminfo.exe'
- '\wmic.exe'
CommandLine|contains:
- 'os get'
- 'computersystem'
```
## Lateral Movement
### T1021.001 - Remote Desktop Protocol
**Description**: Remote access via RDP
**Log Sources**: network_connection, authentication
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 4624
LogonType: 10 # RemoteInteractive
```
### T1021.002 - SMB/Windows Admin Shares
**Description**: Lateral movement via SMB
**Detection Pattern**:
```yaml
detection:
selection:
EventID: 5140
ShareName|endswith:
- 'ADMIN$'
- 'C$'
- 'IPC$'
```
## Collection
### T1560 - Archive Collected Data
**Description**: Data archiving before exfiltration
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith:
- '\rar.exe'
- '\7z.exe'
CommandLine|contains:
- ' a ' # Add to archive
- '-p' # Password
```
## Command and Control
### T1071.001 - Web Protocols
**Description**: C2 over HTTP/HTTPS
**Log Sources**: network_connection, proxy
**Detection Pattern**:
```yaml
detection:
selection:
DestinationPort:
- 80
- 443
Initiated: 'true'
filter:
DestinationIp|startswith:
- '10.'
- '172.16.'
- '192.168.'
condition: selection and not filter
```
## Exfiltration
### T1041 - Exfiltration Over C2 Channel
**Description**: Data exfiltration via existing C2
**Detection Pattern**:
```yaml
detection:
selection:
Initiated: 'true'
DestinationPort:
- 4444
- 8080
- 8443
```
## Impact
### T1486 - Data Encrypted for Impact
**Description**: Ransomware encryption activity
**Detection Pattern**:
```yaml
detection:
selection:
Image|endswith: '.exe'
TargetFilename|endswith:
- '.encrypted'
- '.locked'
- '.crypto'
condition: selection
```
## Tag Format
When tagging rules with MITRE ATT&CK, use this format:
```yaml
tags:
- attack.{tactic} # Lowercase tactic name
- attack.{technique_id} # Technique ID (T####) or sub-technique (T####.###)
```
**Example**:
```yaml
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
```
## Multiple Techniques
Rules can map to multiple tactics and techniques:
```yaml
tags:
- attack.execution # Primary tactic
- attack.t1059.001 # PowerShell
- attack.defense_evasion # Secondary tactic
- attack.t1027 # Obfuscation
- attack.t1140 # Deobfuscate/Decode Files
```
## Resources
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
- [Sigma ATT&CK Correlation](https://github.com/SigmaHQ/sigma/wiki/Tags)
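Review bot: the T1558.003 pattern has the Kerberoasting logic inverted: `ServiceName|endswith: '$'` selects service names ending in `$`, which are computer accounts, whereas Kerberoasting targets user and service accounts with registered SPNs; the usual construction is to select `EventID: 4769` with `TicketEncryptionType: '0x17'` and exclude `ServiceName|endswith: '$'` (and `krbtgt`) in a `filter`, with `condition: selection and not filter`. Two more selection problems: in T1071.001 the private-range filter `DestinationIp|startswith: '172.16.'` covers only 172.16.0.0/16, not the 172.16.0.0/12 block (172.16 through 172.31), so connections to 172.17.x.x and the rest of that range are treated as external; use the `cidr` modifier (`DestinationIp|cidr: '172.16.0.0/12'`) instead. In T1486 `Image|endswith: '.exe'` matches every Windows process and adds nothing to the rule; drop it or replace it with a meaningful constraint. Most patterns also lack a `condition` line (only T1071.001 and T1486 have one), so each should end with `condition: selection` to be convertible.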