
Commit f1aae0d

authored
Merge pull request #38 from RolandRoure/RR-dev-web_proxy-data_model
Add support for Web.Proxy Splunk data model
2 parents 52e6330 + 27bcb8d commit f1aae0d


3 files changed

+65
-1
lines changed


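--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-backend-splunk"
-version = "1.1.0"
+version = "1.1.1"
 description = "pySigma Splunk backend"
 readme = "README.md"
 authors = ["Thomas Patzke <[email protected]>"]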

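--- a/sigma/backends/splunk/splunk.py
+++ b/sigma/backends/splunk/splunk.py
@@ -17,6 +17,7 @@
     splunk_sysmon_process_creation_cim_mapping,
     splunk_windows_registry_cim_mapping,
     splunk_windows_file_event_cim_mapping,
+    splunk_web_proxy_cim_mapping,
 )
 import sigma
 from typing import Any, Callable, ClassVar, Dict, List, Optional, Pattern, Tuple, Union
@@ -380,6 +381,13 @@ def finalize_query_data_model(
             cim_fields = " ".join(
                 splunk_sysmon_process_creation_cim_mapping.values()
             )
+
+        elif rule.logsource.category == "proxy":
+            data_model = "Web"
+            data_set = "Proxy"
+            cim_fields = " ".join(
+                splunk_web_proxy_cim_mapping.values()
+            )
 
         try:
             data_model_set = state.processing_state["data_model_set"]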
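Review bot: The new `elif` branch hard-codes the literals `"Web"` and `"Proxy"` while the pipeline in sigma/pipelines/splunk/splunk.py sets the same pair a second time as the state value `"Web.Proxy"`, so the two spellings have to be kept in sync by hand and a mismatch in either place would silently emit a query against the wrong data model without any check catching it. A comment on the branch such as `# must match the "data_model_set" value set by splunk_dm_mapping_web_proxy_data_model_set in the pipeline` would at least make the coupling visible; deriving `data_model` and `data_set` from `state.processing_state["data_model_set"].split(".", 1)` would remove it, but that would touch the other branches as well. The added empty `+` line before `elif` also inserts a blank line inside the if/elif chain, which does not look like how the preceding branches are separated — worth checking against the surrounding code. `finalize_query_data_model` starts before the hunk and continues after it.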

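--- a/sigma/pipelines/splunk/splunk.py
+++ b/sigma/pipelines/splunk/splunk.py
@@ -63,6 +63,17 @@
     "TargetFilename": "Filesystem.file_path",
 }
 
+splunk_web_proxy_cim_mapping = {
+    "c-uri": "Web.url",
+    "c-uri-query": "Web.uri_query",
+    "c-uri-stem": "Web.uri_path",
+    "c-useragent": "Web.http_user_agent",
+    "cs-method": "Web.http_method",
+    "cs-host": "Web.dest",
+    "cs-referrer": "Web.http_referrer",
+    "src_ip": "Web.src",
+    "dst_ip": "Web.dest_ip",
+}
 
 def splunk_windows_pipeline():
     return ProcessingPipeline(
@@ -265,6 +276,48 @@ def splunk_cim_data_model():
                     logsource_windows_file_event(),
                 ],
             ),
+            ProcessingItem(
+                identifier="splunk_dm_mapping_web_proxy_unsupported_fields",
+                transformation=DetectionItemFailureTransformation(
+                    "The Splunk Data Model Sigma backend supports only the following fields for web proxy log source: "
+                    + ",".join(splunk_web_proxy_cim_mapping.keys())
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+                field_name_conditions=[
+                    ExcludeFieldCondition(
+                        fields=splunk_web_proxy_cim_mapping.keys()
+                    )
+                ],
+            ),
+            ProcessingItem(
+                identifier="splunk_dm_mapping_web_proxy",
+                transformation=FieldMappingTransformation(
+                    splunk_web_proxy_cim_mapping
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+            ),
+            ProcessingItem(
+                identifier="splunk_dm_fields_web_proxy",
+                transformation=SetStateTransformation(
+                    "fields", splunk_web_proxy_cim_mapping.values()
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+            ),
+            ProcessingItem(
+                identifier="splunk_dm_mapping_web_proxy_data_model_set",
+                transformation=SetStateTransformation(
+                    "data_model_set", "Web.Proxy"
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+            ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_log_source_not_supported",
                 rule_condition_linking=any,
@@ -282,6 +335,9 @@ def splunk_cim_data_model():
                     RuleProcessingItemAppliedCondition(
                         "splunk_dm_mapping_sysmon_file_event"
                     ),
+                    RuleProcessingItemAppliedCondition(
+                        "splunk_dm_mapping_web_proxy"
+                    ),
                 ],
             ),
         ],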
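Review bot: The new `splunk_web_proxy_cim_mapping` in the first hunk leaves out proxy fields that Sigma proxy rules commonly use, most notably `sc-status`, which has a direct counterpart in the CIM Web data model's `Web.status`; since `splunk_dm_mapping_web_proxy_unsupported_fields` fails every proxy rule that references a field outside the mapping, each omission turns an otherwise convertible rule into a hard conversion error rather than a degraded query. The `dst_ip` target `Web.dest_ip` should also be checked against the CIM Web data model before merging, as `dest` is the destination field the Web model documents (and `cs-host` already maps there), so I would add `"sc-status": "Web.status",` and confirm or replace the `dest_ip` entry. The error message built with `",".join(...)` lists the fields without a separating space, which is a small readability point if the other unsupported-field items format theirs differently. The commit ships no test for a `category: proxy` rule; a test asserting that a rule using `c-uri` converts to a query naming `Web.url`, and that a rule using an unmapped field raises the failure transformation, would pin both paths. `splunk_cim_data_model` starts before the second hunk and ends after the third.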
