Merge pull request #625 from Security-Onion-Solutions/jertel/an2

use Sigma tags, not detection tags
Security-Onion-Solutions · Aug 27, 2024 · fcdb762 · fcdb762
2 parents 6cbc897 + d7079b7
commit fcdb762
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -16,4 +16,5 @@ __pycache__
 .coverage
 *.pyc
 
-__debug_bin*
+__debug_bin*
+.venv
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
@@ -1582,9 +1582,9 @@ func (e *ElastAlertEngine) MergeAuxiliaryData(detect *model.Detection) error {
 }
 
 func (e *ElastAlertEngine) getCustomAlerters(tags []string) ([]string, string) {
-	alertersKey := ""
-	paramsKey := ""
 	if e.moduleConfig != nil {
+		alertersKey := ""
+		paramsKey := ""
 		for _, tag := range tags {
 			if strings.HasPrefix(tag, "so.alerters.") {
 				alertersKey = strings.TrimPrefix(tag, "so.alerters.")
@@ -1804,7 +1804,14 @@ func (e *ElastAlertEngine) wrapRule(det *model.Detection, rule string) (string,
 		model.SeverityCritical:      5,
 	}
 
-	alerters, params := e.getCustomAlerters(det.Tags)
+	var sigmaTags []string
+	sigmaRule, err := ParseElastAlertRule([]byte(det.Content))
+	if err != nil {
+		log.WithError(err).WithField("detectionPublicId", det.PublicID).Error("failed to parse Sigma rule content")
+	} else {
+		sigmaTags = sigmaRule.Tags
+	}
+	alerters, params := e.getCustomAlerters(sigmaTags)
 	if len(alerters) == 0 {
 		alerters, params = e.getAdditionalAlerters(severities[det.Severity])
 	}
@@ -1831,7 +1838,7 @@ func (e *ElastAlertEngine) wrapRule(det *model.Detection, rule string) (string,
 		Filter:            []map[string]interface{}{{"eql": rule}},
 	}
 
-	if slices.Contains(det.Tags, "so.notification") {
+	if slices.Contains(sigmaTags, "so.notification") {
 		// This is a detection for sending notifications only, do not add a new alert to Security Onion.
 		wrapper.Alert = nil
 	}

diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
@@ -492,7 +492,24 @@ func TestSigmaToElastAlertCustomNotificationLicensed(t *testing.T) {
 
 	det := &model.Detection{
 		PublicID: "00000000-0000-0000-0000-000000000000",
-		Content:  "totally good sigma",
+		Content: `
+title: Test Detection
+id: 00000000-0000-0000-0000-000000000000
+logsource:
+    product: linux
+    service: auth
+detection:
+    selection:
+        event.outcome: failure
+        process.name: sshd
+        tags|contains: so-grid-node
+    filter:
+        system.auth.ssh.method: '*'
+    condition: selection and not filter
+tags:
+- so.alerters.MyAlerters
+- so.params.MyParams
+`,
 		Title:    "Test Detection",
 		Tags:     []string{"so.alerters.MyAlerters", "so.params.MyParams"},
 		Severity: model.SeverityHigh,
@@ -568,9 +585,25 @@ func TestSigmaToElastAlertCustomNotificationUnlicensed(t *testing.T) {
 
 	det := &model.Detection{
 		PublicID: "00000000-0000-0000-0000-000000000000",
-		Content:  "totally good sigma",
+		Content: `
+title: Test Detection
+id: 00000000-0000-0000-0000-000000000000
+logsource:
+    product: linux
+    service: auth
+detection:
+    selection:
+        event.outcome: failure
+        process.name: sshd
+        tags|contains: so-grid-node
+    filter:
+        system.auth.ssh.method: '*'
+    condition: selection and not filter
+tags:
+- so.alerters.MyAlerters
+- so.params.MyParams
+`,
 		Title:    "Test Detection",
-		Tags:     []string{"so.alerters.MyAlerters", "so.params.MyParams"},
 		Severity: model.SeverityHigh,
 	}
 
@@ -633,7 +666,23 @@ func TestSigmaToElastAlertNotificationOnlyLicensed(t *testing.T) {
 
 	det := &model.Detection{
 		PublicID: "00000000-0000-0000-0000-000000000000",
-		Content:  "totally good sigma",
+		Content: `
+title: Test Detection
+id: 00000000-0000-0000-0000-000000000000
+logsource:
+    product: linux
+    service: auth
+detection:
+    selection:
+        event.outcome: failure
+        process.name: sshd
+        tags|contains: so-grid-node
+    filter:
+        system.auth.ssh.method: '*'
+    condition: selection and not filter
+tags:
+- so.notification
+`,
 		Title:    "Test Detection",
 		Tags:     []string{"so.notification"},
 		Severity: model.SeverityHigh,
@@ -700,7 +749,23 @@ func TestSigmaToElastAlertNotificationOnlyUnlicensed(t *testing.T) {
 
 	det := &model.Detection{
 		PublicID: "00000000-0000-0000-0000-000000000000",
-		Content:  "totally good sigma",
+		Content: `
+title: Test Detection
+id: 00000000-0000-0000-0000-000000000000
+logsource:
+    product: linux
+    service: auth
+detection:
+    selection:
+        event.outcome: failure
+        process.name: sshd
+        tags|contains: so-grid-node
+    filter:
+        system.auth.ssh.method: '*'
+    condition: selection and not filter
+tags:
+- so.notification
+`,
 		Title:    "Test Detection",
 		Tags:     []string{"so.notification"},
 		Severity: model.SeverityHigh,