Hello all,
I am working on a project to expand Sigma detection rules/correlations to Operational Technology protocols like Modbus, DNP3, etc. Currently, I have not been able to find a pipeline that takes into account zeek:conn and zeek:modbus field mappings. This will allow SO detection rules/correlations to assist in making cyber threat intelligence for OT actionable.
What I am asking is validation of this initial pipeline based on the current Sigma documentation. I have pulled an existing/default pipeline from my SO instance and attempted to RE to align with Sigma pipeline instructions. My intent is to place this pipeline in the sigma_so_final.yaml (or through the SO web interface).
```yaml
name: Zeek Network/OT Baseline Pipeline
priority: 90
transformations:
  - id: baseline_field_name_mapping
    type: field_name_mapping
    mapping:
      timestamp: ts
      correlationID: uid
      origHost: id.orig_h
      origPort: id.orig_p
      respHost: id.resp_h
      respPort: id.resp_p
      ## Begin zeek.conn mappings
      protocol: proto
      service: service
      duration: duration        # was "durtation" (typo; the Zeek conn.log column is "duration")
      orig_bytes: orig_bytes
      resp_bytes: resp_bytes
      conn_state: conn_state
      flags: history
      ja4l: ja4l
      ja4ls: ja4ls
      ja4t: ja4t
      ja4ts: ja4ts
      orig_mac_oui: orig_mac_oui
      ## End zeek.conn mappings
      ## Begin zeek.modbus mappings
      tid: tid
      clientID: unit
      function: func            # was "funtion" (typo in the Sigma-side field name)
      pdu_type: pdu_type
      ## End zeek.modbus mappings
  # Maps "zeek.conn" product to SO logs
  - id: zeek_conn_specific
    type: add_condition
    conditions:
      event.module: 'zeek'
      event.dataset: 'zeek.conn'
    rule_conditions:
      - type: logsource
        product: zeek           # was "Zeek"; logsource values are compared exactly, keep them lower-case
        service: conn           # added: restricts this step to conn rules instead of every zeek rule
  # Maps "zeek.modbus" product to SO logs
  - id: zeek_modbus_specific
    type: add_condition
    conditions:
      event.module: 'zeek'
      event.dataset: 'zeek.modbus'
    rule_conditions:
      - type: logsource
        product: zeek
        service: modbus         # added: without it both add_condition steps fire on the same rules
                                # and attach contradictory event.dataset values
```
I appreciate any feedback as I am hoping to build out OT for Sigma. Thanks in advance.
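As an added example (not part of the post, Sigma or Security Onion), a small offline lint that catches the three problems in the pipeline as posted: a mapping target that is not a Zeek column ("durtation"), a logsource value that differs in case from the lower-case convention ("Zeek"), and two add_condition steps whose logsource selectors are identical, so both would apply to every zeek rule. The pipeline is mirrored as a Python dict (constructed, typos kept) so the checks run without pySigma installed; the Zeek column sets are assumed from the post plus documented conn.log/modbus.log fields.

```python
# Hypothetical pipeline lint; the dict below mirrors the posted YAML (constructed).
ZEEK_CONN_FIELDS = {
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "history", "ja4l", "ja4ls", "ja4t", "ja4ts", "orig_mac_oui",  # ja4*: ja4 package
}
ZEEK_MODBUS_FIELDS = {"ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                      "id.resp_p", "tid", "unit", "func", "pdu_type"}
KNOWN_TARGETS = ZEEK_CONN_FIELDS | ZEEK_MODBUS_FIELDS

PIPELINE = {  # subset of the posted pipeline, original typos retained on purpose
    "name": "Zeek Network/OT Baseline Pipeline", "priority": 90,
    "transformations": [
        {"id": "baseline_field_name_mapping", "type": "field_name_mapping",
         "mapping": {"timestamp": "ts", "correlationID": "uid", "origHost": "id.orig_h",
                     "duration": "durtation", "flags": "history",
                     "clientID": "unit", "funtion": "func"}},
        {"id": "zeek_conn_specific", "type": "add_condition",
         "conditions": {"event.module": "zeek", "event.dataset": "zeek.conn"},
         "rule_conditions": [{"type": "logsource", "product": "Zeek"}]},
        {"id": "zeek_modbus_specific", "type": "add_condition",
         "conditions": {"event.module": "zeek", "event.dataset": "zeek.modbus"},
         "rule_conditions": [{"type": "logsource", "product": "zeek"}]},
    ],
}


def lint_pipeline(pipeline):
    """Return a list of findings (strings); an empty list means the pipeline is clean."""
    findings, selectors = [], []          # selectors: (transformation id, logsource selector)
    for tr in pipeline["transformations"]:
        if tr["type"] == "field_name_mapping":
            for sigma_field, target in tr["mapping"].items():
                if target not in KNOWN_TARGETS:   # catches "durtation"; "func" is a real column
                    findings.append(f"{tr['id']}: '{sigma_field}' maps to unknown Zeek field '{target}'")
        elif tr["type"] == "add_condition":
            for rc in tr.get("rule_conditions", []):
                if rc.get("type") != "logsource":
                    continue
                vals = {k: str(v) for k, v in rc.items() if k != "type"}
                if any(v != v.lower() for v in vals.values()):   # "Zeek" vs "zeek"
                    findings.append(f"{tr['id']}: logsource value is not lower-case: {vals}")
                selectors.append((tr["id"], tuple(sorted((k, v.lower()) for k, v in vals.items()))))
    seen = {}   # identical selectors mean both steps add conditions to the same rules
    for tid, sel in selectors:
        if sel in seen:
            findings.append(f"{tid}: same logsource selector as {seen[sel]}; add a 'service' key")
        seen.setdefault(sel, tid)
    return findings
```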