tweak

Author: defensivedepth

patterns.sed

@@ -9,6 +9,7 @@ s|%hostname%|{event_data.host.name}|g
 s|%Image%|{event_data.process.executable}|g
 s|%ImageLoaded%|{dll.name}|g
 s|%ParentImage%|{event_data.process.parent.executable}|g
+s|%TargetFilename%|{event_data.file.name}|g
 s|%ParentProcessGuid%|{event_data.process.parent.entity_id}|g
 s|%private_ip%|{network.private_ip}|g
 s|%ProcessGuid%|{event_data.process.entity_id}|g

playbook/dev/sigma/category/file_event.yaml

@@ -1,7 +1,7 @@
 name: Sigma - Category - file_event
 id: f1e2a3b4-5c6d-7e8f-9a0b-1c2d3e4f5a6b
 description: |
-  Generic investigation playbook for file creation, modification, and deletion events.
+  Baseline Playbook for process creation events, OS agnostic.
   File events can indicate persistence mechanisms, data staging, malware drops, or legitimate software operations.
 type: detection
 detection_id: ''
@@ -13,9 +13,9 @@ date: 2025-05-29
 
 questions:
 
-  - question: What was the exact process execution & file creation that triggered the alert?
+  - question: What file creation event triggered this alert?
     context: |
-      Understanding the process and command line provides crucial context.
+      Review the filename, location, and extension to help confirm the legitimacy of the file creation.
     answer_sources:
       - alert
     query: |
@@ -26,17 +26,36 @@ questions:
         selection:
           document_id|expand: '%document_id%'
         condition: selection
+      fields:
+        - hostname
+        - User
+        - TargetFilename
+
+  - question: What process created this file?
+    context: |
+      Reviewing the process and command line provides additional context. Pivoting off the ProcessGuid
+      will show the full process chain leading to the file creation.
+    answer_sources:
+      - process_creation
+    query: |
+      aggregation: false
+      logsource:
+        category: process_creation
+      detection:
+        selection:
+          ProcessGuid|expand: '%ProcessGuid%'
+        condition: selection
       fields:
         - hostname
         - User
         - Image
         - CommandLine
-        - TargetFilename
 
   - question: Is the file location and type expected for the executable?
     context: |
-      Certain executables should only write to specific directories. Unusual locations can indicate malicious activity.
-    range: -7d
+      Certain executables should only write to specific directories. Unusual locations can indicate malicious activity. This query
+      shows the historical pattern of file creation by this executable on this system.
+    range: -30d
     answer_sources:
       - file_event
     query: |
@@ -108,7 +127,7 @@ questions:
 
   - question: Were any processes spawned from the created file location?
     context: |
-      Execution from newly created files often indicates malware drops or persistence mechanisms.
+      Execution from newly created files can indicate malware drops or persistence mechanisms.
     range: +15m
     answer_sources:
       - process_creation
@@ -125,31 +144,10 @@ questions:
         - Image
         - CommandLine
 
-  - question: What was the complete process chain leading to this file event?
-    context: |
-      Tracing back through parent processes reveals the full execution chain.
-    range: -10m
-    answer_sources:
-      - process_creation
-    query: |
-      aggregation: false
-      logsource:
-        category: process_creation
-      detection:
-        selection:
-          hostname|expand: '%hostname%'
-          ProcessGuid|expand: '%ParentProcessGuid%'
-        condition: selection
-      fields:
-        - Image
-        - CommandLine
-        - User
-        - ProcessGuid
-
   - question: Are other hosts showing similar file creation patterns?
     context: |
       Widespread file creation across multiple systems may indicate deployment, malware spread, or policy changes.
-    range: +/-30m
+    range: +/-6h
     answer_sources:
       - file_event
     query: |
@@ -158,7 +156,7 @@ questions:
         category: file_event
       detection:
         selection:
-          TargetFilename|endswith|expand: '%TargetFilename|basename%'
+          TargetFilename|contains|expand: '%TargetFilename%'
         filter:
           hostname|expand: '%hostname%'
         condition: selection and not filter
@@ -245,9 +243,9 @@ questions:
         - Image
         - TargetFilename
 
-  - question: Are there related alerts for file-based attacks?
+  - question: Are there any other alerts associated with this system?
     context: |
-      Other file-related alerts may provide additional context about ongoing campaigns.
+      Other alerts may provide additional context.
     range: -24h
     answer_sources:
       - alert
@@ -256,16 +254,9 @@ questions:
       logsource:
         category: alert
       detection:
-        selection_host:
-          hostname|expand: '%hostname%'
-        selection_file_alerts:
-          rule.name|contains:
-            - 'file'
-            - 'persistence'
-            - 'drop'
-            - 'stage'
-            - 'exfil'
-        condition: all of selection_*
+        selection:
+          related.ip|expand: '%related_ip%'
+        condition: selection
       fields:
         - rule.name
         - rule.level