Windows.Sigma.EventLogs

Parses Windows event logs and matches them against Sigma rules.

NOTE: This is a very simple artifact for demonstration only. For more extensive Sigma rules use the Server.Import.CuratedSigma artifact to import a curated set of Sigma rules from https://sigma.velocidex.com/


name: Windows.Sigma.EventLogs
description: |
  Parses Windows event logs and matches them against Sigma rules.

  NOTE: This is a very simple artifact for demonstration only. For
  more extensive Sigma rules use the `Server.Import.CuratedSigma`
  artifact to import a curated set of Sigma rules from
  https://sigma.velocidex.com/

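parameters:
# The exported log sources append "/<channel>.evtx" to this value, so it
# must name the directory holding the .evtx files (the live store by
# default, or an offline copy of it).
- name: EventLogDirectory
  description: Directory containing the .evtx files to parse
  default: C:/Windows/System32/WinEvt/Logs/
# When both rule inputs are given, InlineSigmaRules takes precedence and
# SigmaRuleFile is not read (see the `||` in the source query).
- name: InlineSigmaRules
  description: A single string of sigma rules separated by --- lines
- name: SigmaRuleFile
  description: A path to a file containing sigma rules
- name: Debug
  type: bool
  description: Enable full debug trace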

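export: |
  -- Log sources handed to sigma(). Both Sigma logsource names resolve to
  -- the same Sysmon Operational channel, so Security.evtx is never read by
  -- this demo artifact: rules that depend on Security channel events will
  -- not match here. The leading "/" in the file name is joined to
  -- EventLogDirectory as-is; with the default value (trailing "/") this
  -- yields a doubled separator, which Windows paths tolerate.
  LET StandardSigmaLogSource <= sigma_log_sources(
  `process_creation/windows` = {
    SELECT *
    FROM parse_evtx(
      filename= EventLogDirectory + "/Microsoft-Windows-Sysmon%4Operational.evtx")
  },
  `*/windows/sysmon` = {
    SELECT *
    FROM parse_evtx(
      filename= EventLogDirectory + "/Microsoft-Windows-Sysmon%4Operational.evtx")
  })

  -- Maps Sigma field names to VQL lambdas evaluated against each
  -- parse_evtx() row (x). Most fields live under EventData; System and
  -- UserData paths are spelled out explicitly. A field that a rule uses
  -- but that is missing here presumably cannot match - confirm against
  -- the sigma() plugin's handling of unmapped fields.
  -- NOTE(review): UserDataUser is declared twice below with different
  -- paths (Operation_TemporaryEssStarted.User and EventXML.User); which
  -- one dict() keeps is not obvious from here - confirm and drop one.
  LET StandardSigmaFieldMapping <= dict(
    AccessList="x=>x.EventData.AccessList",
    AccessMask="x=>x.EventData.AccessMask",
    Accesses="x=>x.EventData.Accesses",
    AccountDomain="x=>x.EventData.AccountDomain",
    AccountName="x=>x.EventData.AccountName",
    Account_Name="x=>x.EventData.Account_Name",
    Action="x=>x.EventData.Action",
    AllowedToDelegateTo="x=>x.EventData.AllowedToDelegateTo",
    ApplicationPath="x=>x.EventData.ApplicationPath",
    AttributeLDAPDisplayName="x=>x.EventData.AttributeLDAPDisplayName",
    AttributeValue="x=>x.EventData.AttributeValue",
    AuditPolicyChanges="x=>x.EventData.AuditPolicyChanges",
    AuditSourceName="x=>x.EventData.AuditSourceName",
    AuthenticationPackageName="x=>x.EventData.AuthenticationPackageName",
    CallTrace="x=>x.EventData.CallTrace",
    CallerProcessName="x=>x.EventData.CallerProcessName",
    Caller_Process_Name="x=>x.EventData.Caller_Process_Name",
    CallingProcessName="x=>x.EventData.CallingProcessName",
    CategoryName="x=>x.EventData.`Category Name`",
    CertThumbprint="x=>x.EventData.CertThumbprint",
    Channel="x=>x.System.Channel",
    ClassName="x=>x.EventData.ClassName",
    ClientAddress="x=>x.EventData.ClientAddress",
    Client_Address="x=>x.EventData.Client_Address",
    ClientName="x=>x.EventData.ClientName",
    CommandLine="x=>x.EventData.CommandLine",
    Company="x=>x.EventData.Company",
    Computer="x=>x.System.Computer",
    ComputerName="x=>x.System.Computer",
    ContextInfo="x=>x.EventData.ContextInfo",
    CurrentDirectory="x=>x.EventData.CurrentDirectory",
    Description="x=>x.EventData.Description",
    DestAddress="x=>x.EventData.DestAddress",
    DestPort="x=>x.EventData.DestPort",
    Destination="x=>x.EventData.Destination",
    DestinationAddress="x=>x.EventData.DestinationAddress",
    DestinationHostname="x=>x.EventData.DestinationHostname",
    DestinationIp="x=>x.EventData.DestinationIp",
    DestinationIsIpv6="x=>x.EventData.DestinationIsIpv6",
    DestinationPort="x=>x.EventData.DestinationPort",
    Details="x=>x.EventData.Details",
    DetectionSource="x=>x.EventData.DetectionSource",
    DetectionUser="x=>x.EventData.`Detection User`",
    Device="x=>x.EventData.Device",
    DeviceClassName="x=>x.EventData.DeviceClassName",
    DeviceDescription="x=>x.EventData.DeviceDescription",
    DeviceInstanceID="x=>x.UserData.InstallDeviceID.DeviceInstanceID",
    DeviceName="x=>x.EventData.DeviceName",
    DomainName="x=>x.EventData.SubjectDomainName",
    DriverDescription="x=>x.UserData.InstallDeviceID.DriverDescription",
    DriverProvider="x=>x.UserData.InstallDeviceID.DriverProvider",
    InstallStatus="x=>x.UserData.InstallDeviceID.InstallStatus",
    EngineVersion="x=>x.EventData.EngineVersion",
    ErrorCode="x=>x.EventData.ErrorCode",
    EventID="x=>x.System.EventID.Value",
    EventType="x=>x.EventData.EventType",
    ExecutionProcessID="x=>x.System.Execution_attributes.ProcessID",
    FailureCode="x=>x.EventData.FailureCode",
    FilePath="x=>x.EventData.FilePath",
    FileVersion="x=>x.EventData.FileVersion",
    Filename="x=>x.EventData.Filename",
    GrantedAccess="x=>x.EventData.GrantedAccess",
    GroupName="x=>x.EventData.GroupName",
    GroupSid="x=>x.EventData.GroupSid",
    Hashes="x=>x.EventData.Hashes",
    HiveName="x=>x.EventData.HiveName",
    HostApplication="x=>x.EventData.HostApplication",
    HostName="x=>x.EventData.HostName",
    HostVersion="x=>x.EventData.HostVersion",
    Image="x=>x.EventData.Image",
    image="x=>x.EventData.Image",
    ImageLoaded="x=>x.EventData.ImageLoaded",
    ImagePath="x=>x.EventData.ImagePath",
    Imphash="x=>x.EventData.Hashes",
    Initiated="x=>x.EventData.Initiated",
    InstanceID="x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId",
    IntegrityLevel="x=>x.EventData.IntegrityLevel",
    IpAddress="x=>x.EventData.IpAddress",
    IpPort="x=>x.EventData.IpPort",
    JobTitle="x=>x.EventData.name",
    KeyLength="x=>x.EventData.KeyLength",
    Keywords="x=>x.System.Keywords",
    LDAPDisplayName="x=>x.EventData.LDAPDisplayName",
    LayerRTID="x=>x.EventData.LayerRTID",
    Level="x=>x.System.Level",
    LogFileClearedChannel="x=>x.UserData.LogFileCleared.Channel",
    LogFileClearedSubjectUserName="x=>x.UserData.LogFileCleared.SubjectUserName",
    LogonId="x=>x.EventData.LogonId",
    LogonID="x=>x.EventData.LogonID",
    LogonProcessName="x=>x.EventData.LogonProcessName",
    LogonType="x=>x.EventData.LogonType",
    Logon_Account="x=>x.EventData.Logon_Account",
    MachineName="x=>x.EventData.MachineName",
    MemberName="x=>x.EventData.MemberName",
    MemberSid="x=>x.EventData.MemberSid",
    Message="x=>x.EventData",
    ModifyingApplication="x=>x.EventData.ModifyingApplication",
    NewName="x=>x.EventData.NewName",
    NewTemplateContent="x=>x.EventData.NewTemplateContent",
    NewUacValue="x=>x.EventData.NewUacValue",
    NewValue="x=>x.EventData.NewValue",
    New_Value="x=>x.EventData.`New Value`",
    NewProcessName="x=>x.EventData.NewProcessName",
    NewProcessId="x=>x.EventData.NewProcessId",
    ObjectClass="x=>x.EventData.ObjectClass",
    ObjectName="x=>x.EventData.ObjectName",
    ObjectServer="x=>x.EventData.ObjectServer",
    ObjectType="x=>x.EventData.ObjectType",
    ObjectValueName="x=>x.EventData.ObjectValueName",
    OldUacValue="x=>x.EventData.OldUacValue",
    Origin="x=>x.EventData.Origin",
    OriginalFileName="x=>x.EventData.OriginalFileName",
    OriginalFilename="x=>x.EventData.OriginalFileName",
    param1="x=>x.EventData.param1",
    param2="x=>x.EventData.param2",
    param3="x=>x.EventData.param3",
    param4="x=>x.EventData.param4",
    param5="x=>x.EventData.param5",
    ParentCommandLine="x=>x.EventData.ParentCommandLine",
    ParentImage="x=>x.EventData.ParentImage",
    ParentIntegrityLevel="x=>x.EventData.ParentIntegrityLevel",
    ParentProcessName="x=>x.EventData.ParentProcessName",
    ParentUser="x=>x.EventData.ParentUser",
    PasswordLastSet="x=>x.EventData.PasswordLastSet",
    Path="x=>x.EventData.Path",
    Payload="x=>x.EventData.Payload",
    PipeName="x=>x.EventData.PipeName",
    PossibleCause="x=>x.UserData.PossibleCause",
    PreAuthType="x=>x.EventData.PreAuthType",
    PrivilegeList="x=>x.EventData.PrivilegeList",
    ProcessCommandLine="x=>x.EventData.ProcessCommandLine",
    ProcessGuid="x=>x.EventData.ProcessGuid",
    ProcessId="x=>x.EventData.ProcessId",
    ProcessName="x=>x.EventData.ProcessName",
    Product="x=>x.EventData.Product",
    Properties="x=>x.EventData.Properties",
    Provider="x=>x.UserData.Provider",
    ProviderName="x=>x.System.Provider_attributes.Name",
    Provider_Name="x=>x.System.Provider_attributes.Name",
    QNAME="x=>x.EventData.QNAME",
    query="x=>x.EventData.Query",
    Query="x=>x.UserData.Query",
    QueryName="x=>x.EventData.QueryName",
    QueryResults="x=>x.EventData.QueryResults",
    QueryStatus="x=>x.EventData.QueryStatus",
    RelativeTargetName="x=>x.EventData.RelativeTargetName",
    RuleName="x=>x.EventData.RuleName",
    SAMAccountName="x=>x.EventData.SamAccountName",
    ScriptBlockText="x=>x.EventData.ScriptBlockText",
    SearchFilter="x=>x.System.SearchFilter",
    SecurityUserID="x=>x.System.Security_attributes.UserID",
    ServerName="x=>x.System.ServerName",
    Service="x=>x.EventData.Service",
    ServiceFileName="x=>x.EventData.ServiceFileName",
    ServiceName="x=>x.EventData.ServiceName",
    ServicePrincipalNames="x=>x.EventData.ServicePrincipalNames",
    ServiceStartType="x=>x.EventData.ServiceStartType",
    ServiceType="x=>x.EventData.ServiceType",
    SeverityID="x=>x.EventData.`Severity ID`",
    SeverityName="x=>x.EventData.`Severity Name`",
    ShareLocalPath="x=>x.EventData.ShareLocalPath",
    ShareName="x=>x.EventData.ShareName",
    SidHistory="x=>x.EventData.SidHistory",
    Signature="x=>x.EventData.Signature",
    SignatureStatus="x=>x.EventData.SignatureStatus",
    Signed="x=>x.EventData.Signed",
    Source="x=>x.System.Provider_Name",
    SourceAddress="x=>x.EventData.SourceAddress",
    SourceImage="x=>x.EventData.SourceImage",
    SourceNetworkAddress="x=>x.EventData.SourceNetworkAddress",
    SourcePort="x=>x.EventData.SourcePort",
    Source_Name="x=>x.EventData.`Source Name`",
    Source_Network_Address="x=>x.EventData.Source_Network_Address",
    Source_WorkStation="x=>x.EventData.Source_WorkStation",
    StartAddress="x=>x.EventData.StartAddress",
    StartFunction="x=>x.EventData.StartFunction",
    StartModule="x=>x.EventData.StartModule",
    StartType="x=>x.EventData.StartType",
    State="x=>x.EventData.State",
    Status="x=>x.EventData.Status",
    SubStatus="x=>x.EventData.SubStatus",
    SubjectDomainName="x=>x.EventData.SubjectDomainName",
    SubjectLogonId="x=>x.EventData.SubjectLogonId",
    SubjectUserName="x=>x.EventData.SubjectUserName",
    SubjectUserSid="x=>x.EventData.SubjectUserSid",
    TargetDomainName="x=>x.EventData.TargetDomainName",
    TargetFilename="x=>x.EventData.TargetFilename",
    TargetInfo="x=>x.EventData.TargetInfo",
    TargetImage="x=>x.EventData.TargetImage",
    TargetLogonId="x=>x.EventData.TargetLogonId",
    TargetObject="x=>x.EventData.TargetObject",
    TargetProcessAddress="x=>x.EventData.TargetProcessAddress",
    TargetServerName="x=>x.EventData.TargetServerName",
    TargetSid="x=>x.EventData.TargetSid",
    TargetUserName="x=>x.EventData.TargetUserName",
    TaskDate="x=>x.EventData.TaskContent",
    TaskName="x=>x.EventData.TaskName",
    TemplateContent="x=>x.EventData.TemplateContent",
    ThreatName="x=>x.EventData.`Threat Name`",
    TicketEncryptionType="x=>x.EventData.TicketEncryptionType",
    TicketOptions="x=>x.EventData.TicketOptions",
    Url="x=>x.EventData.url",
    User="x=>x.EventData.User",
    UserName="x=>x.EventData.UserName",
    Value="x=>x.EventData.Value",
    Version="x=>x.System.Version",
    WindowsDefenderProcessName="x=>x.EventData.`Process Name`",
    Workstation="x=>x.EventData.Workstation",
    WorkstationName="x=>x.EventData.WorkstationName",
    service="x=>x.EventData.Service",
    sha1="x=>x.EventData.Hashes_sha1",
    UserDataProviderName="x=>x.UserData.Operation_StartedOperational.ProviderName",
    UserDataCode="x=>x.UserData.Operation_StartedOperational.Code",
    UserDataHostProcess="x=>x.UserData.Operation_StartedOperational.HostProcess",
    UserDataProviderPath="x=>x.UserData.Operation_StartedOperational.ProviderPath",
    UserDataProcessID="x=>x.UserData.Operation_StartedOperational.ProcessID",
    UserDataNamespace="x=>x.UserData.Operation_ESStoConsumerBinding.Namespace",
    UserDataNamespaceName="x=>x.UserData.Operation_TemporaryEssStarted.NamespaceName",
    UserDataQuery="x=>x.UserData.Operation_TemporaryEssStarted.Query",
    UserDataUser="x=>x.UserData.Operation_TemporaryEssStarted.User",
    UserDataProcessid="x=>x.UserData.Operation_TemporaryEssStarted.Processid",
    UserDataConsumer="x=>x.UserData.Operation_ESStoConsumerBinding.CONSUMER",
    UserDataESS="x=>x.UserData.Operation_ESStoConsumerBinding.ESS",
    UserDataPossibleCause="x=>x.UserData.Operation_ESStoConsumerBinding.PossibleCause",
    UserDataParam1="x=>x.UserData.EventXML.Param1",
    UserDataParam2="x=>x.UserData.EventXML.Param2",
    UserDataParam3="x=>x.UserData.EventXML.Param3",
    UserDataUser="x=>x.UserData.EventXML.User",
    UserDataSessionID="x=>x.UserData.EventXML.SessionID",
    UserDataAddress="x=>x.UserData.EventXML.Address",
    SysmonVersion="x=>x.EventData.SysmonVersion",
    OperationEssStartedNamespaceName="x=>x.UserData.Operation_EssStarted.NamespaceName",
    OperationEssStartedQuery="x=>x.UserData.Operation_EssStarted.Query",
    OperationEssStartedUser="x=>x.UserData.Operation_EssStarted.User",
    OperationEssStartedProcessid="x=>x.UserData.Operation_EssStarted.Processid",
    OperationEssStartedProvider="x=>x.UserData.Operation_EssStarted.Provider",
    OperationEssStartedPossibleCause="x=>x.UserData.Operation_EssStarted.PossibleCause",
    DvrFmwkInstanceId="x=>x.UserData.UMDFHostDeviceRequest.InstanceId",
    DvrFmwk2003InstanceId="x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId"
  )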

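sources:
- query: |
    -- Inline rules take precedence; the file is only read when no inline
    -- rules were supplied. The length cap bounds how much of a large rule
    -- file is pulled into memory on the endpoint.
    LET Rules = InlineSigmaRules ||
       if(condition=SigmaRuleFile, then=read_file(path=SigmaRuleFile, length=10000000))

    -- Rules are separated by a line holding only "---". The separator is
    -- a regex that also accepts CRLF line endings, so a rule file saved on
    -- Windows is still split into individual rules instead of being
    -- treated as one oversized rule.
    SELECT * FROM sigma(
       rules=split(string= Rules, sep="\r?\n---\r?\n"),
       log_sources= StandardSigmaLogSource, debug=Debug,
       field_mapping= StandardSigmaFieldMapping)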