Open
Description
Hi,
I am trying to convert the following correlation rule:
```yaml
title: Multiple failed logons
id: a8418a5a-5fc4-46b5-b23b-6c73beb19d41
description: Detects multiple failed logins within a certain amount of time
name: multiple_failed_login
correlation:
  type: event_count
  rules:
    - failed_login
  group-by:
    - User
  timespan: 10m
  condition:
    gte: 10
---
title: Single failed login
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
name: failed_login
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 529
      - 4625
  condition: selection
```
With the following piece of code:
```python
from sigma.collection import SigmaCollection
from sigma.backends.splunk import SplunkBackend
from sigma.pipelines.splunk import splunk_windows_pipeline

# The file holds two YAML documents: the correlation rule and the
# detection rule it references by name (separated by "---").
with open("/home/user/correl_rule/test.yml", "r") as stream:
    rule_yaml = stream.read()

# SigmaCollection.from_yaml parses every document in the string itself,
# so no PyYAML load_all/dump_all round-trip is needed.
rules = SigmaCollection.from_yaml(rule_yaml)

# Windows pipeline maps product/service to the Splunk source, then the
# backend renders the collection as savedsearches.conf stanzas.
pipeline = splunk_windows_pipeline()
backend = SplunkBackend(pipeline)
result = backend.convert(rules, "savedsearches")
print(result)
```
The result is the following:
```ini
[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now
[Single failed login]
description =
search = source="WinEventLog:Security" EventCode IN (529, 4625)
| bin _time span=10m
| stats count as event_count by _time User
| search event_count >= 10
```
I would like to know why the stanza name is not the correlation rule's own name but the detection rule's. The same goes for the description, etc.
Thank you in advance!
Cheers
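As an added example, not part of this issue and not pySigma or Splunk code, the following plain-Python script evaluates the two rules above over a constructed set of Windows Security events. It implements the `failed_login` selection (EventID 529 or 4625) and the `event_count` correlation (group by `User`, timespan 10m, `gte: 10`) twice: once exactly as the generated SPL does it (fixed `bin _time span=10m` buckets) and once as a true sliding 10-minute window. The sample events, the helper names (`correlate_binned`, `correlate_sliding`, `_ev`) and the field layout are assumptions of this example; the point it shows is that ten failures straddling a bucket boundary fire under the sliding window but not under the binned search that the backend emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 4625}    # the detection rule's selection
TIMESPAN = timedelta(minutes=10)  # correlation timespan
THRESHOLD = 10                    # condition: gte: 10


def _ev(user, hhmm, event_id=4625):
    """Build one constructed event (hypothetical shape, not a real log record)."""
    return {"EventID": event_id, "User": user, "ts": f"2024-01-01T{hhmm}:00"}


# Constructed sample data, not captured logs.
SAMPLE_EVENTS = (
    # alice: 10 failures inside the 10:00-10:10 bin -> fires under both evaluations
    [_ev("alice", f"10:0{i}") for i in range(10)]
    # bob: 10 failures 10:06-10:15, within one sliding window but split 4/6 across two fixed bins
    + [_ev("bob", f"10:{m:02d}") for m in range(6, 16)]
    # carol: 9 failures plus one successful logon (4624) that the selection must not count
    + [_ev("carol", f"10:{m:02d}") for m in range(9)]
    + [_ev("carol", "10:09", 4624)]
    # dave: legacy EventID 529 is matched by the same selection
    + [_ev("dave", f"10:{m:02d}", 529) for m in range(10)]
)


def failed_login(event):
    """Detection rule 'failed_login': EventID in (529, 4625)."""
    return event["EventID"] in FAILED_LOGON_IDS


def correlate_binned(events, span=TIMESPAN, threshold=THRESHOLD):
    """Mirror the generated SPL: bin _time span=10m | stats count by _time User
    | search event_count >= threshold.  Returns {(bucket_start, user): count}."""
    counts = defaultdict(int)
    for e in events:
        if not failed_login(e):
            continue
        ts = datetime.fromisoformat(e["ts"])
        bucket = ts - (ts - datetime.min) % span  # floor timestamp to the bin start
        counts[(bucket, e["User"])] += 1
    return {k: c for k, c in counts.items() if c >= threshold}


def correlate_sliding(events, span=TIMESPAN, threshold=THRESHOLD):
    """Sliding window: fire when any window of length `span` ending at an event
    holds >= threshold failures for the same user.  Returns {user: (first_ts, last_ts)}
    for the first window that crosses the threshold."""
    hits = {}
    window = defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not failed_login(e):
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = window[e["User"]]
        q.append(ts)
        while ts - q[0] >= span:  # drop failures that fell out of (ts - span, ts]
            q.popleft()
        if len(q) >= threshold and e["User"] not in hits:
            hits[e["User"]] = (q[0], ts)
    return hits


if __name__ == "__main__":
    print("binned  :", sorted(u for _, u in correlate_binned(SAMPLE_EVENTS)))
    print("sliding :", sorted(correlate_sliding(SAMPLE_EVENTS)))
```

Running it shows `alice` and `dave` under the binned evaluation but `alice`, `bob` and `dave` under the sliding one: the SPL the backend produces is a bucketed approximation of the Sigma `timespan`, so a burst that crosses a 10-minute boundary can go undetected unless the bucket size is reduced or the search is rewritten with a streaming command.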