WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


Add sigma metadata in results

jurelou opened this issue

It would be really nice to have sigma metadata (especially level and tags) directly in the json output file.

This would be useful when indexing results in a SIEM!

Thanks

Will factor it into the v2 rework which is now underway.

Do you know when this will be implemented?
This is a major feature for me.
Tell me if I can help you.

Apologies for the delay, potentially this weekend, I should be able to get an alpha ready by the end of Sunday.

Okay, so a tad delayed and not properly finished, but the next branch can now do what you requested. So if urgent, while I still finish up the code, if you are happy with no guarantees then you can make use of that. Eventually, when the code is ready, I will prepare a proper alpha release. For now you can do:

git clone https://github.com/countercept/chainsaw.git
cd chainsaw
git checkout next
cargo build --release
cd target/release
./chainsaw hunt -m ../../mappings/sigma-event-logs.yml /tmp/sigma/rules /tmp/evtx-attack-samples --json > /tmp/test.json

The output will look something like this:

[
    {
        "authors": [
            "Daniil Yugoslavskiy",
            "oscd.community"
        ],
        "group": "Suspicious Command Line",
        "kind": "individual",
        "document": {
            "kind": "evtx",
            "data": {
                "Event": {
                    "EventData": {
                        "CommandLine": "",
                        "NewProcessId": "0xcfc",
                        "NewProcessName": "C:\\Users\\user01\\Desktop\\plink.exe",
                        "ProcessId": "0xe60",
                        "SubjectDomainName": "EXAMPLE",
                        "SubjectLogonId": "0x2ed80",
                        "SubjectUserName": "user01",
                        "SubjectUserSid": "S-1-5-21-1587066498-1489273250-1035260531-1106",
                        "TokenElevationType": "%%1936"
                    },
                    "System": {
                        "Channel": "Security",
                        "Computer": "PC01.example.corp",
                        "Correlation": null,
                        "EventID": 4688,
                        "EventRecordID": 227714,
                        "Execution_attributes": {
                            "ProcessID": 4,
                            "ThreadID": 56
                        },
                        "Keywords": "0x8020000000000000",
                        "Level": 0,
                        "Opcode": 0,
                        "Provider_attributes": {
                            "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
                            "Name": "Microsoft-Windows-Security-Auditing"
                        },
                        "Security": null,
                        "Task": 13312,
                        "TimeCreated_attributes": {
                            "SystemTime": "2019-02-13T18:03:28.318440Z"
                        },
                        "Version": 1
                    }
                },
                "Event_attributes": {
                    "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
                }
            }
        },
        "level": "medium",
        "name": "Exfiltration and Tunneling Tools Execution",
        "rule": "sigma",
        "status": "test",
        "timestamp": "2019-02-13T18:03:28.318440"
    },
    {
        "authors": [
            "frack113"
        ],
...

Hopefully that output format will not change, but this is alpha, and I am double checking my design decisions today along with trying to get this stuff finished up.
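As an added example (not part of this thread or of the chainsaw project), here is a small Python script that flattens the v2 `hunt --json` output shown above into one record per hit, carrying the sigma level, status and authors alongside the host, event id and process, so each line can be indexed in a SIEM. The output field names, the numeric severity mapping and the optional `tags` key are assumptions; the sample hit is constructed from the output in this thread.

```python
"""Flatten Chainsaw v2 `hunt --json` output into one flat record per hit for SIEM indexing."""
import json

# Constructed sample: one hit, trimmed from the output shape shown in the thread above.
SAMPLE_JSON = json.dumps([{
    "authors": ["Daniil Yugoslavskiy", "oscd.community"],
    "document": {"kind": "evtx", "data": {"Event": {
        "EventData": {"NewProcessName": "C:\\Users\\user01\\Desktop\\plink.exe",
                      "SubjectUserName": "user01"},
        "System": {"Channel": "Security", "Computer": "PC01.example.corp",
                   "EventID": 4688, "EventRecordID": 227714}}}},
    "level": "medium",
    "name": "Exfiltration and Tunneling Tools Execution",
    "rule": "sigma",
    "status": "test",
    "timestamp": "2019-02-13T18:03:28.318440",
}])

# Sigma levels mapped to a number so the SIEM can threshold on it (assumed mapping).
SEVERITY = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def flatten_hit(hit: dict) -> dict:
    """Pull rule metadata and the key event fields of one hit into a flat dict."""
    event = hit.get("document", {}).get("data", {}).get("Event", {})
    system, event_data = event.get("System", {}), event.get("EventData", {})
    level = hit.get("level", "unknown")
    return {
        "rule_name": hit.get("name"),
        "rule_type": hit.get("rule"),
        "rule_level": level,
        "rule_severity": SEVERITY.get(level, 0),
        "rule_status": hit.get("status"),
        "rule_authors": hit.get("authors", []),
        "rule_tags": hit.get("tags", []),  # assumed key name if/when tags are emitted
        "timestamp": hit.get("timestamp"),
        "host": system.get("Computer"),
        "event_id": system.get("EventID"),
        "record_id": system.get("EventRecordID"),
        "process": event_data.get("NewProcessName"),
        "user": event_data.get("SubjectUserName"),
    }


def flatten_hits(chainsaw_json: str) -> list:
    """Parse a whole chainsaw JSON file (a list of hits) into flat records."""
    return [flatten_hit(h) for h in json.loads(chainsaw_json)]


def to_ndjson(chainsaw_json: str) -> list:
    """One JSON object per line, the shape most bulk SIEM ingest endpoints accept."""
    return [json.dumps(r, sort_keys=True) for r in flatten_hits(chainsaw_json)]
```

Feed it the file written by `--json > /tmp/test.json` and write the returned lines to a file for bulk ingest; hits missing any field still produce a record with that field set to null.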

Have made more progress today; currently chainsaw will run slower than v1 as I have not put the optimisations in yet. But I should be able to get a stable alpha out soon for user feedback due to the huge number of changes I have made.

This is addressed in v2.0.0-alpha.0.

Hello, I added this comment #77 (comment) requesting sigma tags and the sigma rule id in the results. If we can get arbitrary data from the matched sigma rule, this will be wonderful.

FYI: @jurelou