[BUG] Detections with joins failed to properly translate to Sigma #2987

Open
ajkingio opened this issue Mar 29, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@ajkingio

Describe the bug

As far as I can tell, every detection with a join failed to translate properly to your dev/endpoint/ sigma collection.
According to this search there are 60 rules using joins.

repo:splunk/security_content path:detections/endpoint join

Here is one example:
SPL: https://github.com/splunk/security_content/blob/f6882b10686ba9ba0d5e58ab2a2d3add636c57f7/detections/endpoint/batch_file_write_to_system32.yml

data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where 
Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` | join process_guid 
    [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
    where Filesystem.file_path IN ("*\\system32\\*", "*\\syswow64\\*") Filesystem.file_name="*.bat" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid 
    | `drop_dm_object_name(Filesystem)`]
| table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime 
| dedup file_create_time
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `batch_file_write_to_system32_filter`'

Sigma: https://github.com/splunk/security_content/blob/f6882b10686ba9ba0d5e58ab2a2d3add636c57f7/dev/endpoint/batch_file_write_to_system32.yml

data_source:
- Sysmon Event ID 1
search:
  selection1:
    Image|endswith: '*'
  condition: selection1

Expected behavior

For the example above I would create the following Sigma.

data_source:
- Sysmon Event ID 11
search:
    selection1:
        TargetFilename|contains: .bat
    selection2:
        TargetFilename|contains:
            - system32
            - syswow64
    condition: selection1 and selection2

I'm not sure if this would be an acceptable change since it's not going off the Endpoint Data Model like the original rule. If this is acceptable let me know and I would be happy to work on a PR to get these Sigma rules updated.

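The following is an added example, not code from this issue or from splunk/security_content. It transcribes the two Sigma `search` blocks quoted above into Python dicts, evaluates the proposed `contains` selections over a handful of constructed Sysmon Event ID 11 (FileCreate) records, and adds a small check that flags a translated rule whose only content is a bare `*` wildcard, which is the symptom the issue reports for join-based detections. Field names (`TargetFilename`, `Image`, `ProcessGuid`) follow Sysmon's FileCreate schema; the record values and the `PROPOSED_SEARCH` / `DEGENERATE_SEARCH` names are assumptions for this example.

```python
"""Added example (not from the issue or splunk/security_content): a minimal
evaluator for the Sigma selections proposed in the issue, run over constructed
Sysmon Event ID 11 records, plus a check that flags a translated rule whose
only selection is a bare wildcard."""
from __future__ import annotations

from typing import Any

# The proposed Sigma 'search' block from the issue, transcribed into a dict.
PROPOSED_SEARCH: dict[str, Any] = {
    "selection1": {"TargetFilename|contains": ".bat"},
    "selection2": {"TargetFilename|contains": ["system32", "syswow64"]},
    "condition": "selection1 and selection2",
}

# The degenerate translation currently in dev/endpoint, as quoted in the issue.
DEGENERATE_SEARCH: dict[str, Any] = {
    "selection1": {"Image|endswith": "*"},
    "condition": "selection1",
}

# Constructed Sysmon Event ID 11 records (field names follow Sysmon's FileCreate
# schema; paths and GUIDs are made up for this example).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\System32\\cleanup.bat", "ProcessGuid": "{A}"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\tool.exe",
     "TargetFilename": "C:\\Windows\\SysWOW64\\run.bat", "ProcessGuid": "{B}"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\notes.bat", "ProcessGuid": "{C}"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\config.dat", "ProcessGuid": "{D}"},
]


def _match_value(value: str, modifier: str | None, pattern: str) -> bool:
    """Apply one Sigma string modifier. Sigma string matching is
    case-insensitive, so both sides are lowercased; a bare '*' matches anything."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return p == "*" or v.endswith(p)
    if modifier == "startswith":
        return p == "*" or v.startswith(p)
    if modifier is None:
        return p == "*" or v == p
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_matches(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """Every field clause in a selection must hold (implicit AND); a list of
    patterns for one field is an implicit OR, as in the Sigma specification."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        pats = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(str(value), modifier or None, str(p)) for p in pats):
            return False
    return True


def rule_matches(search: dict[str, Any], event: dict[str, Any]) -> bool:
    """Evaluate a condition of the form 'selX', 'selX and selY' or
    'selX or selY', left to right (the only forms this example needs)."""
    tokens = search["condition"].lower().split()
    result = selection_matches(search[tokens[0]], event)
    for op, name in zip(tokens[1::2], tokens[2::2]):
        nxt = selection_matches(search[name], event)
        result = (result and nxt) if op == "and" else (result or nxt)
    return result


def matching_guids(search: dict[str, Any], events) -> list[str]:
    """ProcessGuid of every event the rule fires on."""
    return [e["ProcessGuid"] for e in events if rule_matches(search, e)]


def is_wildcard_only(search: dict[str, Any]) -> bool:
    """True when every selection referenced by the condition consists solely of
    bare '*' patterns, i.e. the rule matches every event and carries no
    detection logic at all."""
    names = [t for t in search["condition"].lower().split() if t not in ("and", "or", "not")]
    for name in names:
        for patterns in search[name].values():
            pats = patterns if isinstance(patterns, list) else [patterns]
            if any(str(p) != "*" for p in pats):
                return False
    return True


if __name__ == "__main__":
    print("proposed rule hits:", matching_guids(PROPOSED_SEARCH, SAMPLE_EVENTS))
    print("degenerate rule hits:", matching_guids(DEGENERATE_SEARCH, SAMPLE_EVENTS))
    print("degenerate rule is wildcard-only:", is_wildcard_only(DEGENERATE_SEARCH))
```

Run as-is, the proposed selections fire only on the two `.bat` writes under system32 and SysWOW64, while the `Image|endswith: '*'` translation fires on every record, which is what `is_wildcard_only` is meant to catch when sweeping a directory of converted rules.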