
Add sigma metadata in results #74

Closed
jurelou opened this issue May 2, 2022 · 7 comments

Comments

@jurelou

jurelou commented May 2, 2022

It would be really nice to have sigma metadata (especially level and tags) directly in the JSON output file.

This would be useful when indexing results in a SIEM!

Thanks

@alexkornitzer
Collaborator

Will factor it into the v2 rework which is now underway.

@jurelou
Author

jurelou commented May 26, 2022

Do you know when this will be implemented?
This is a major feature for me.
Tell me if I can help you.

@alexkornitzer
Collaborator

Apologies for the delay; potentially this weekend. I should be able to get an alpha ready by the end of Sunday.

@alexkornitzer
Collaborator

Okay, so a tad delayed and not properly finished, but the next branch can now do what you requested. So if it is urgent while I still finish up the code, and you are happy with no guarantees, then you can make use of that. Eventually, when the code is ready, I will prepare a proper alpha release. For now you can do:

git clone https://github.com/countercept/chainsaw.git
cd chainsaw
git checkout next
cargo build --release
cd target/release
./chainsaw hunt -m ../../mappings/sigma-event-logs.yml /tmp/sigma/rules /tmp/evtx-attack-samples --json > /tmp/test.json

The output will look something like this:

[
    {
        "authors": [
            "Daniil Yugoslavskiy",
            "oscd.community"
        ],
        "group": "Suspicious Command Line",
        "kind": "individual",
        "document": {
            "kind": "evtx",
            "data": {
                "Event": {
                    "EventData": {
                        "CommandLine": "",
                        "NewProcessId": "0xcfc",
                        "NewProcessName": "C:\\Users\\user01\\Desktop\\plink.exe",
                        "ProcessId": "0xe60",
                        "SubjectDomainName": "EXAMPLE",
                        "SubjectLogonId": "0x2ed80",
                        "SubjectUserName": "user01",
                        "SubjectUserSid": "S-1-5-21-1587066498-1489273250-1035260531-1106",
                        "TokenElevationType": "%%1936"
                    },
                    "System": {
                        "Channel": "Security",
                        "Computer": "PC01.example.corp",
                        "Correlation": null,
                        "EventID": 4688,
                        "EventRecordID": 227714,
                        "Execution_attributes": {
                            "ProcessID": 4,
                            "ThreadID": 56
                        },
                        "Keywords": "0x8020000000000000",
                        "Level": 0,
                        "Opcode": 0,
                        "Provider_attributes": {
                            "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
                            "Name": "Microsoft-Windows-Security-Auditing"
                        },
                        "Security": null,
                        "Task": 13312,
                        "TimeCreated_attributes": {
                            "SystemTime": "2019-02-13T18:03:28.318440Z"
                        },
                        "Version": 1
                    }
                },
                "Event_attributes": {
                    "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
                }
            }
        },
        "level": "medium",
        "name": "Exfiltration and Tunneling Tools Execution",
        "rule": "sigma",
        "status": "test",
        "timestamp": "2019-02-13T18:03:28.318440"
    },
    {
        "authors": [
            "frack113"
        ],
...

Hopefully that output format will not change but this is alpha, and I am double checking my design decisions today along with trying to get this stuff finished up.
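An added example (not Chainsaw's own code) of the SIEM-side half of this request: it takes detection records in the shape shown above and flattens each one to a single JSON line carrying the Sigma metadata (level, status, authors, rule name) next to the key event fields, with a minimum Sigma level filter. The `tags` and `id` pass-through keys are assumptions, since the record shown does not contain them.

```python
import json

# Sigma severity ordering (informational < low < medium < high < critical).
SIGMA_LEVELS = ["informational", "low", "medium", "high", "critical"]

# Constructed sample in the shape of the output shown above, trimmed to the fields read here.
SAMPLE_DETECTIONS = [{
    "authors": ["Daniil Yugoslavskiy", "oscd.community"],
    "document": {"kind": "evtx", "data": {"Event": {
        "EventData": {"NewProcessName": "C:\\Users\\user01\\Desktop\\plink.exe",
                      "SubjectUserName": "user01"},
        "System": {"Channel": "Security", "Computer": "PC01.example.corp",
                   "EventID": 4688, "EventRecordID": 227714}}}},
    "level": "medium",
    "name": "Exfiltration and Tunneling Tools Execution",
    "rule": "sigma",
    "status": "test",
    "timestamp": "2019-02-13T18:03:28.318440",
}]

def flatten_detection(det):
    """Flatten one Chainsaw detection into a single-level record for a SIEM index."""
    event = det.get("document", {}).get("data", {}).get("Event", {})
    system, event_data = event.get("System", {}), event.get("EventData", {})
    return {
        "@timestamp": det.get("timestamp"),
        "rule.engine": det.get("rule"),
        "rule.name": det.get("name"),
        "rule.level": det.get("level"),
        "rule.status": det.get("status"),
        "rule.authors": det.get("authors", []),
        # Requested later in the thread; assumed keys, passed through only if present.
        "rule.tags": det.get("tags", []),
        "rule.id": det.get("id"),
        "host.name": system.get("Computer"),
        "event.channel": system.get("Channel"),
        "event.code": system.get("EventID"),
        "process.executable": event_data.get("NewProcessName"),
        "user.name": event_data.get("SubjectUserName"),
    }

def to_ndjson(detections, min_level="low"):
    """Yield one JSON line per detection at or above min_level (unknown levels are kept)."""
    threshold = SIGMA_LEVELS.index(min_level)
    for det in detections:
        level = det.get("level")
        if level in SIGMA_LEVELS and SIGMA_LEVELS.index(level) < threshold:
            continue
        yield json.dumps(flatten_detection(det), sort_keys=True)
```

Feed it the array written by `--json` (for example `json.load(open("/tmp/test.json"))`) and ship the yielded lines to the SIEM's bulk ingest endpoint.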

@alexkornitzer
Collaborator

Have made more progress today; currently chainsaw will run slower than v1 as I have not put the optimisations in yet. But I should be able to get a stable alpha out soon for user feedback, due to the huge number of changes I have made.

@alexkornitzer
Collaborator

This is addressed in v2.0.0-alpha.0.

@jvmendezp

jvmendezp commented Jun 22, 2022

Hello, I added this comment #77 (comment) requesting sigma tags and sigma rule id in the results. If we can get arbitrary data from the matched sigma rule, this will be wonderful.

FYI: @jurelou
