# config.ini for sigma_to_wazuh: selects which Sigma rules are converted, maps
# Sigma levels/options onto Wazuh rule attributes, and maps Sigma field names
# onto the Wazuh decoded field names used in the generated rules.
# All values are plain strings; the parenthesised tuple syntax used below is
# interpreted by the converter itself, not by the INI parser.
# Comments are full-line "#" only; do not put comments after a value.
[sigma]
# root of the Sigma rules URL
# presumably prefixed to each rule's relative path to build a reference link — verify against the converter
rules_link = https://github.com/SigmaHQ/sigma/tree/master/rules
# location of the Sigma rules directory
# relative path, resolved from the directory the converter is run in (assumed — TODO confirm)
directory = ../sigma/rules
# file that Wazuh rules will be written to
out_file = ./sigma.xml
# convert sigma experimental rules (yes|no)
# Sigma's "experimental" status marks rules not yet validated in production;
# expect more false positives and review the generated rules before deploying them
process_experimental = yes
# Sigma rule IDs to never try to convert
# e.g. ("<sigma-guid-1>","<sigma-guid-2>")  (placeholder values; same tuple syntax as convert_only_products)
skip_sigma_guids = ()
# Ignore all "convert only's" and convert all rules (yes|no); overrides all other convert_only_* settings
# skip_* will still be skipped
convert_all = no
# Convert only these Sigma categories (logsource.category)
# ("") presumably means "no restriction" — confirm in the converter before relying on it
convert_only_categories = ("")
# Convert only these Sigma services (logsource.service)
convert_only_services = ("")
# Convert only Sigma rules targeting these explicit products (logsource.product)
# field-name mappings for a product come from the section of the same name below
# (see [windows], [zeek]); windows_defender has no such section in this file —
# confirm whether it falls back to [windows] or is converted without field mappings
convert_only_products = ("windows","windows_defender","zeek")
# Exclusions: never convert rules for these products / services / categories
# (still applied when convert_all = yes)
skip_products = ("")
skip_services = ("")
skip_categories = ("")
# Convert Sigma rule levels to Wazuh levels
# key = Sigma "level" value, value = the Wazuh rule <level> given to the generated
# rule. Keep these consistent with the manager's ossec.conf thresholds
# (log_alert_level, email_alert_level): a level below the log threshold is never
# alerted on. email_levels in [options] refers to the names on the left.
[levels]
informational = 5
low = 7
medium = 10
high = 13
critical = 15
# Wazuh rule settings
# Rule-level options applied to every generated Wazuh rule.
[options]
# do not include the full log in the wazuh alert (yes|no)
# yes keeps the raw event (which can carry command lines and other sensitive
# data) out of the alert body; the trade-off is less context for triage
no_full_log = yes
# enable Wazuh email per Sigma GUID
# tuple of Sigma rule IDs whose generated rules get the email option regardless
# of alert_by_email / email_levels below (assumed from the key name — TODO confirm)
sigma_guid_email = ()
# have wazuh send an alert email (yes|no)
# if set to no, email_levels variable will be used
alert_by_email = no
# at what levels do we want to enable Wazuh email alerts
# comma-separated Sigma level names from the [levels] section
email_levels = critical, high
# where to start rule ID numbering
# if you change this variable and want existing rules renumbered,
# then delete the file specified by rule_id_file before the next run
# NOTE(review): make sure the block of IDs allocated from here does not overlap
# rules already loaded on the manager (including the Sysmon rule IDs listed in
# [if_sid]); duplicate rule IDs are an error at rule load time — verify on your
# Wazuh version
rule_id_start = 900000
# file to track Wazuh rule id to Sigma rule ID use
# keeps IDs stable between runs; keep it alongside the deployed rules, because
# renumbering changes IDs that other rules or saved alerts may reference
rule_id_file = ./rule_ids.json
######################################################
# Map Sigma GUID or [logsource][product] to Wazuh if_sid dependencies
#
# NOTE: This can cause Wazuh to go Out of Memory due to the number of associations between rules using if_group
#
# if_group takes precedence over if_sid below
#
# Section roles (inferred from the section names — confirm against the converter):
#   [if_group_guid] / [if_sid_guid]: key = Sigma rule GUID, value = Wazuh group name / parent rule ID(s)
#   [if_group] / [if_sid]:           key = Sigma logsource product or service, value = Wazuh group name / parent rule ID(s)
# An empty section means no per-GUID parent is applied.
[if_group_guid]
[if_sid_guid]
[if_group]
# example left disabled (see the memory note above): product "sysmon" -> Wazuh group "sysmon"
#sysmon = sysmon
######################################################
# Sigma logsource.service will be matched before logsource.product
#
# key = Sigma logsource service/product, value = comma-separated Wazuh parent rule
# IDs the generated rule depends on via if_sid. A rule with if_sid only fires
# after one of its parents matched, so an ID that does not exist on the manager
# effectively disables every rule mapped to it — verify these against the
# deployed ruleset (18100 / 60000-60012 look like Wazuh's stock Windows
# eventchannel rules and 184665+ like a separate Sysmon ruleset; neither is
# confirmed here).
[if_sid]
windows = 18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012
# both the short service name and the spelled-out Defender name map to the same parent;
# a key containing spaces is fine for Python configparser but not for every INI parser
windefend = 60005
Microsoft Windows Defender = 60005
sysmon = 184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776
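######################################################
# Sigma to Wazuh field name mappings
# section should match the sigma product field; e.g. windows, linux, mac, apache, check point fw1
# section/product should be lower case
#
# key = Sigma field name as written in rules, value = Wazuh decoded field the
# generated rule matches on. If this file is read with Python configparser the
# keys are lower-cased, so Sigma field names match case-insensitively — confirm.
# Several Sigma fields are deliberately folded onto one Wazuh field (e.g.
# ChildImage/FolderPath -> image, AccountName/TargetUserName -> targetUserName);
# those are approximations that may not hold for every event ID — review the
# generated rule when a detection depends on one of them.
[windows]
Accesses = win.eventdata.accesses
AccessList = win.eventdata.accessList
AccessMask = win.eventdata.accessMask
AccountName = win.eventdata.targetUserName
AllowedToDelegateTo = win.eventdata.allowedToDelegateTo
Application = win.eventdata.application
AttributeLDAPDisplayName = win.eventdata.attributeLDAPDisplayName
AttributeValue = win.eventdata.attributeValue
AuditSourceName = win.eventdata.auditSourceName
AuthenticationPackage = win.eventdata.authenticationPackageName
AuthenticationPackageName = win.eventdata.authenticationPackageName
CallTrace = win.eventdata.callTrace
Caption = win.eventdata.caption
Channel = win.eventdata.channel
# approximation: Sigma's ChildImage is matched against the process image path
ChildImage = win.eventdata.image
CommandLine = win.eventdata.commandLine
Company = win.eventdata.company
ComputerName = win.system.computer
ContextInfo = win.system.contextInfo
CurrentDirectory = win.eventdata.currentDirectory
Description = win.eventdata.description
Destination = win.eventdata.destination
DestinationHostname = win.eventdata.destinationHostname
DestinationIp = win.eventdata.destinationIp
DestinationIsIpv6 = win.eventdata.destinationIsIpv6
DestinationPort = win.eventdata.destinationPort
Details = win.eventdata.details
DeviceClassName = win.eventdata.deviceClassName
DeviceDescription = win.eventdata.deviceDescription
DeviceName = win.eventdata.deviceName
DestPort = win.eventdata.destinationPort
EngineVersion = win.eventdata.engineVersion
EventID = win.system.eventID
EventType = win.eventdata.eventType
FailureCode = win.eventdata.failureCode
FileVersion = win.eventdata.fileVersion
# approximation: Sigma's FolderPath is matched against the process image path
FolderPath = win.eventdata.image
GrantedAccess = win.eventdata.grantedAccess
# Hash/Hashes/md5/sha1/sha256 all map to the composite Sysmon Hashes field
# (several algorithm=value pairs in one string); a bare hash value only matches
# if the generated rule uses a substring/regex match rather than equality —
# confirm the converter's match type before relying on hash-based rules
Hash = win.eventdata.hashes
Hashes = win.eventdata.hashes
HostApplication = win.eventdata.hostApplication
HostName = win.eventdata.hostName
HostVersion = win.eventdata.hostVersion
Image = win.eventdata.image
ImagePath = win.eventdata.imagePath
ImageLoaded = win.eventdata.imageLoaded
ImpHash = win.eventdata.impHash
Initiated = win.eventdata.initiated
IntegrityLevel = win.eventdata.integrityLevel
IpAddress = win.eventdata.ipAddress
KeyLength = win.eventdata.keyLength
Level = win.system.level
LogonGuid = win.eventdata.logonGuid
LogonId = win.eventdata.logonId
LogonProcessName = win.eventdata.logonProcessName
LogonType = win.eventdata.logonType
md5 = win.eventdata.hashes
Message = win.system.message
NewName = win.eventdata.newName
NewUacValue = win.eventdata.newUacValue
NewValue = win.eventdata.newValue
ObjectClass = win.eventdata.objectClass
ObjectName = win.eventdata.objectName
ObjectServer = win.eventdata.objectServer
ObjectType = win.eventdata.objectType
ObjectValueName = win.eventdata.objectValueName
OldUacValue = win.eventdata.oldUacValue
Origin = win.eventdata.origin
OriginalFileName = win.eventdata.originalFileName
PackageName = win.eventdata.packageName
ParentCommandLine = win.eventdata.parentCommandLine
ParentImage = win.eventdata.parentImage
ParentIntegrityLevel = win.eventdata.parentIntegrityLevel
ParentProcessGuid = win.eventdata.parentProcessGuid
ParentUser = win.eventdata.parentUser
Payload = win.eventdata.payload
PipeName = win.eventdata.pipeName
PrivilegeList = win.eventdata.privilegeList
ProcessCommandLine = win.eventdata.commandLine
ProcessID = win.eventdata.processId
ProcessName = win.eventdata.processName
ProcessPath = win.eventdata.processPath
Product = win.eventdata.product
Properties = win.eventdata.properties
ProviderName = win.eventdata.providerName
Provider_Name = win.eventdata.providerName
QueryName = win.eventdata.queryName
RelativeTargetName = win.eventdata.relativeTargetName
RemoteAddress = win.eventdata.remoteAddress
SamAccountName = win.eventdata.samAccountName
ScriptBlockText = win.eventdata.scriptBlockText
Service = win.eventdata.service
ServerName = win.eventdata.serverName
ServiceFileName = win.eventdata.serviceFileName
ServiceName = win.eventdata.serviceName
sha1 = win.eventdata.hashes
sha256 = win.eventdata.hashes
ShareName = win.eventdata.shareName
SidHistory = win.eventdata.sidHistory
Signed = win.eventdata.signed
Source = win.eventdata.source
Source_Name = win.eventdata.sourceName
SourceImage = win.eventdata.sourceImage
# approximation: the logon-event IpAddress field stands in for SourceNetworkAddress
SourceNetworkAddress = win.eventdata.ipAddress
SourcePort = win.eventdata.sourcePort
SourceWorkstation = win.eventdata.workstation
StartAddress = win.eventdata.startAddress
StartFunction = win.eventdata.startFunction
StartModule = win.eventdata.startModule
Status = win.eventdata.status
SubjectAccountName = win.eventdata.subjectUserName
SubjectDomainName = win.eventdata.subjectDomainName
SubjectLogonId = win.eventdata.subjectLogonId
SubjectUserName = win.eventdata.subjectUserName
SubjectUserSid = win.eventdata.subjectUserSid
Task = win.eventdata.task
TaskName = win.eventdata.taskName
TargetFilename = win.eventdata.targetFilename
TargetImage = win.eventdata.targetImage
TargetName = win.eventdata.targetName
TargetObject = win.eventdata.targetObject
TargetProcessAddress = win.eventdata.targetProcessAddress
TargetSid = win.eventdata.targetSid
TargetUserName = win.eventdata.targetUserName
TargetUserSid = win.eventdata.targetUserSid
TicketEncryptionType = win.eventdata.ticketEncryptionType
TicketOptions = win.eventdata.ticketOptions
Type = win.eventdata.type
User = win.eventdata.user
# approximation: UserName is matched against samAccountName
UserName = win.eventdata.samAccountName
# fixed: was "win.evendata.value" (typo); every other mapping uses win.eventdata,
# and a misspelled field name makes rules using Value silently never match
Value = win.eventdata.value
WorkstationName = win.eventdata.workstationName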
[zeek]
# Zeek field mappings: key = Sigma field name, value = Wazuh decoded field.
# The data.* names presume Zeek logs are ingested as JSON into Wazuh's data
# object — confirm against the decoder actually in use.
# Zeek conn-style names (id.orig_h / id.resp_p ...) and the src_* / dst_*
# shorthands are mapped onto the same Wazuh fields (srcip/srcport/dstip/dstport).
answers = data.answers
c-uri = data.c-uri
c-useragent = data.c-useragent
certificate.serial = data.certificate.serial
client_header_names = data.client_header_names
dst_ip = data.dstip
dst_port = data.dstport
endpoint = data.endpoint
id.orig_h = data.srcip
id.orig_p = data.srcport
id.resp_h = data.dstip
id.resp_p = data.dstport
name = data.name
method = data.method
operation = data.operation
path = data.path
qtype_name = data.qtype_name
query = data.query
request_body_len = data.request_body_len
resp_mime_types = data.resp_mime_types
src_ip = data.srcip
src_port = data.srcport
status_code = data.status_code
uri = data.uri
# purpose of the "z" field is not documented here — confirm this mapping is intentional
z = data.z