Custom Playbook #4483

Mav1814 · 2023-10-17T11:56:28Z

Mav1814
Oct 17, 2023

Hello, everyone.

I've been trying for a few days to create a playbook that allows me to generate alerts when authentication fails on any operating system, be it linux, windows, mac or other.
So far, I haven't been able to get it to generate any alerts. I don't get any errors, the playbook runs successfully, but it's not triggered.
This is my sigma rule.

title: Detect Generic Brute Force
id: 398c05e2-675f-11ee-8c99-0242ac120002
description: Detects generic brute force attacks in authentication logs.
author: mav1814
status: draft

logsource:
  category: authentication

detection:
    keywords:
        - message: "Authentication Failure"
    count: 2
    condition: keywords
falsepositives:
  - "False positive example"
level: high

The objective of this playbook is failed authentications, not only of ssh, but of various types. Initially I thought of keywords, such as Failed login, invalid user, authentication failure. But I didn't get any results.
I can't figure out what's wrong, I have no experience in creating sigma rules. If anyone can help me.

Answered by nasbench

Oct 17, 2023

Hey @Mav1814

I suggest you give the docs a read to understand the basics of Sigma rules. Then you'll have a more accurate and informed question to ask. Check it out here and the getting started

To give you an over simplified answer.

The logsource needs to be mapped to an actually existing log. For example this rule is using the following log source

logsource:
    category: process_creation
    product: windows

Which according to the taxonomy by default it means that it maps to Sysmon EID 1 and Security Log 4688. So make sure to map it correctly. Read this for the default taxonomy meanings.

Second part of your rule is the detection section which is using an non supported feature which is the

View full answer

nasbench · 2023-10-17T12:33:40Z

nasbench
Oct 17, 2023
Maintainer

Hey @Mav1814

I suggest you give the docs a read to understand the basics of Sigma rules. Then you'll have a more accurate and informed question to ask. Check it out here and the getting started

To give you an over simplified answer.

The logsource needs to be mapped to an actually existing log. For example this rule is using the following log source

logsource:
    category: process_creation
    product: windows

Which according to the taxonomy by default it means that it maps to Sysmon EID 1 and Security Log 4688. So make sure to map it correctly. Read this for the default taxonomy meanings.

Second part of your rule is the detection section which is using an non supported feature which is the count hence this will not be able to convert correctly "by default". Currently correlation isn't supported in the pySigma library. So rule in the form of counting or using temporal conditions aren't supported :)

Its best to give the docs a read as they have actual examples on how to use and write sigma rules :)

Hope this answer your question and feel free to open another discussion if you have further questions

1 reply

Mav1814 Oct 17, 2023
Author

Thank you for the fast response @nasbench .

I'll check what you've told me. Thanks again.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Custom Playbook #4483

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Custom Playbook #4483

Mav1814 Oct 17, 2023

Replies: 1 comment · 1 reply

nasbench Oct 17, 2023 Maintainer

Mav1814 Oct 17, 2023 Author

Mav1814
Oct 17, 2023

Replies: 1 comment 1 reply

nasbench
Oct 17, 2023
Maintainer

Mav1814 Oct 17, 2023
Author