-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathconfig.ini
274 lines (261 loc) · 9.78 KB
/
config.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
[sigma]
# root of the Sigma rules URL
rules_link = https://github.com/SigmaHQ/sigma/tree/master/rules
# location of the Sigma rules directory
directory = ../sigma/rules
# file that Wazuh rules will be written to
out_file = ./sigma.xml
# convert sigma experimental rules (yes|no)
process_experimental = yes
# Sigma rule IDs to never try and convert
skip_sigma_guids = ()
# Ignore all "convert only's" and convert all rules (yes|no), overides all other convert_only's
# skip_* will still be skipped
convert_all = no
# Convert only these Sigma categories
convert_only_categories = ("")
# Convert only these Sigma services
convert_only_services = ("")
# Convert only Sigma rules targeting these explicit products
convert_only_products = ("windows","windows_defender","zeek")
# skip stuff
skip_products = ("")
skip_services = ("")
skip_categories = ("")
# Convert Sigma rule levels to Wazuh levels
[levels]
informational = 5
low = 7
medium = 10
high = 13
critical = 15
# Wazuh rule settings
[options]
# do not include the full log in the wazuh alert (yes|no)
no_full_log = yes
# enable Wazuh email per Sigma GUID
sigma_guid_email = ()
# have wazuh send an alert email (yes|no)
# if set to no, email_levels variable will be used
alert_by_email = no
# at what levels do we want to enable Wazuh email alerts
email_levels = critical, high
# where to start rule ID numbering
# if you change this variable and want existing rules renumbered,
# then delete the file specified by rule_id_file before the next run
rule_id_start = 900000
# file to track Wazuh rule id to Sigma rule ID use
rule_id_file = ./rule_ids.json
######################################################
# Map Sigma GUID or [logsource][product] to Wazuh if_sid dependencies
#
# NOTE: This can cause Wazuh to go Out of Memory due to the number of associations between rules using if_group
#
# if_group takes precedence over if_sid below
[if_group_guid]
[if_sid_guid]
[if_group]
#sysmon = sysmon
######################################################
# Sigma logsource.service will be matched before logsource.product
#
[if_sid]
windows = 18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012
windefend = 60005
Microsoft Windows Defender = 60005
sysmon = 184665, 185000, 185001, 185002, 185003, 185004, 185005, 185006, 185007, 185008, 185009, 185010, 185011, 185012, 185013, 184666, 184667, 184676, 184677, 184678, 184686, 184687, 184696, 184697, 184698, 184706, 184707, 184716, 184717, 184726, 184727, 184736, 184737, 184746, 184747, 184766, 184767, 184776
######################################################
# Sigma to Wazuh field name mappings
# section should match the sigma product field; e.g. windows, linux, mac, apache, check point fw1
# section/product should be lower case
#
[windows]
Accesses = win.eventdata.accesses
AccessList = win.eventdata.accessList
AccessMask = win.eventdata.accessMask
AccountName = win.eventdata.targetUserName
Action = win.eventdata.action
AllowedToDelegateTo = win.eventdata.allowedToDelegateTo
Application = win.eventdata.application
ApplicationPath = win.eventdata.applicationPath
AttributeLDAPDisplayName = win.eventdata.attributeLDAPDisplayName
AttributeValue = win.eventdata.attributeValue
AuditPolicyChanges = win.evendata.auditPolicyChanges
AuditSourceName = win.eventdata.auditSourceName
AuthenticationPackage = win.eventdata.authenticationPackageName
AuthenticationPackageName = win.eventdata.authenticationPackageName
CallTrace = win.eventdata.callTrace
Caption = win.eventdata.caption
Channel = win.eventdata.channel
ChildImage = win.eventdata.image
CommandLine = win.eventdata.commandLine
Company = win.eventdata.company
ComputerName = win.system.computer
ContextInfo = win.system.contextInfo
CurrentDirectory = win.eventdata.currentDirectory
Description = win.eventdata.description
DestAddress = win.eventdata.destAddress
Destination = win.eventdata.destination
DestinationHostname = win.eventdata.destinationHostname
DestinationIp = win.eventdata.destinationIp
DestinationIsIpv6 = win.eventdata.destinationIsIpv6
DestinationPort = win.eventdata.destinationPort
Details = win.eventdata.details
DeviceClassName = win.eventdata.deviceClassName
DeviceDescription = win.eventdata.deviceDescription
DeviceName = win.eventdata.deviceName
DestPort = win.eventdata.destinationPort
EngineVersion = win.eventdata.engineVersion
EventID = win.system.eventID
EventType = win.eventdata.eventType
FailureCode = win.eventdata.failureCode
FileVersion = win.eventdata.fileVersion
FilterName = win.evendata.filterName
FilterOrigin = win.eventdata.filterOrigin
FolderPath = win.eventdata.image
GrantedAccess = win.eventdata.grantedAccess
Hash = win.eventdata.hashes
Hashes = win.eventdata.hashes
HostApplication = win.eventdata.hostApplication
HostName = win.eventdata.hostName
HostVersion = win.eventdata.hostVersion
Image = win.eventdata.image
ImageName = win.evendata.imageName
ImagePath = win.eventdata.imagePath
ImageLoaded = win.eventdata.imageLoaded
ImpHash = win.eventdata.impHash
ImpersonationLevel = win.eventdata.impersonationLevel
Initiated = win.eventdata.initiated
IntegrityLevel = win.eventdata.integrityLevel
IpAddress = win.eventdata.ipAddress
KeyLength = win.eventdata.keyLength
Keywords = win.eventdata.keywords
LayerRTID = win.eventdata.layerRTID
Level = win.system.level
LogonGuid = win.eventdata.logonGuid
LogonId = win.eventdata.logonId
LogonProcessName = win.eventdata.logonProcessName
LogonType = win.eventdata.logonType
md5 = win.eventdata.hashes
Message = win.system.message
ModifyingApplication = win.system.modifyingApplication
NewName = win.eventdata.newName
NewTargetUserName = win.evendata.newTargetUserName
NewUacValue = win.eventdata.newUacValue
NewValue = win.eventdata.newValue
ObjectClass = win.eventdata.objectClass
ObjectName = win.eventdata.objectName
ObjectServer = win.eventdata.objectServer
ObjectType = win.eventdata.objectType
ObjectValueName = win.eventdata.objectValueName
OldUacValue = win.eventdata.oldUacValue
Origin = win.eventdata.origin
OriginalFileName = win.eventdata.originalFileName
PackageName = win.eventdata.packageName
Param1 = win.evendata.param1
Param2 = win.evendata.param2
Param3 = win.evendata.param3
Param4 = win.evendata.Param4
Param5 = win.evendata.param5
Param6 = win.evendata.param6
Param7 = win.evendata.param7
Param8 = win.evendata.Param8
Param9 = win.evendata.Param9
Param10 = win.evendata.Param10
ParentCommandLine = win.eventdata.parentCommandLine
ParentImage = win.eventdata.parentImage
ParentIntegrityLevel = win.eventdata.parentIntegrityLevel
ParentProcessGuid = win.eventdata.parentProcessGuid
ParentUser = win.eventdata.parentUser
Payload = win.eventdata.payload
PipeName = win.eventdata.pipeName
PrivilegeList = win.eventdata.privilegeList
ProcessCommandLine = win.eventdata.commandLine
ProcessID = win.eventdata.processId
ProcessName = win.eventdata.processName
ProcessPath = win.eventdata.processPath
Product = win.eventdata.product
Properties = win.eventdata.properties
ProviderContextName = win.evendata.providerContextName
ProviderName = win.eventdata.providerName
Provider_Name = win.eventdata.providerName
QueryName = win.eventdata.queryName
RelativeTargetName = win.eventdata.relativeTargetName
RemoteAddress = win.eventdata.remoteAddress
SamAccountName = win.eventdata.samAccountName
ScriptBlockText = win.eventdata.scriptBlockText
Service = win.eventdata.service
ServerName = win.eventdata.serverName
ServiceFileName = win.eventdata.serviceFileName
ServiceName = win.eventdata.serviceName
ServiceStartType = win.evendata.serviceStartType
ServiceType = win.evendata.serviceType
sha1 = win.eventdata.hashes
sha256 = win.eventdata.hashes
ShareName = win.eventdata.shareName
SidHistory = win.eventdata.sidHistory
Signed = win.eventdata.signed
Source = win.eventdata.source
Source_Name = win.eventdata.sourceName
SourceAddress = win.eventdata.sourceAddress
SourceImage = win.eventdata.sourceImage
SourceNetworkAddress = win.eventdata.ipAddress
SourcePort = win.eventdata.sourcePort
SourceWorkstation = win.eventdata.workstation
StartAddress = win.eventdata.startAddress
StartFunction = win.eventdata.startFunction
StartModule = win.eventdata.startModule
State = win.eventdata.state
Status = win.eventdata.status
SubcategoryGuid = win.eventdata.subcategoryGuid
SubjectAccountName = win.eventdata.subjectUserName
SubjectDomainName = win.eventdata.subjectDomainName
SubjectLogonId = win.eventdata.subjectLogonId
SubjectUserName = win.eventdata.subjectUserName
SubjectUserSid = win.eventdata.subjectUserSid
Task = win.eventdata.task
TaskName = win.eventdata.taskName
TargetFilename = win.eventdata.targetFilename
TargetImage = win.eventdata.targetImage
TargetLogonId = win.eventdata.targetLogonId
TargetName = win.eventdata.targetName
TargetObject = win.eventdata.targetObject
TargetOutboundUserName = win.eventdata.targetOutboundUserName
TargetProcessAddress = win.eventdata.targetProcessAddress
TargetServerName = win.eventdata.targetServerName
TargetSid = win.eventdata.targetSid
TargetUserName = win.eventdata.targetUserName
TargetUserSid = win.eventdata.targetUserSid
TicketEncryptionType = win.eventdata.ticketEncryptionType
TicketOptions = win.eventdata.ticketOptions
Type = win.eventdata.type
User = win.eventdata.user
UserName = win.eventdata.samAccountName
Value = win.evendata.value
WorkstationName = win.eventdata.workstationName
[zeek]
answers = data.answers
c-uri = data.c-uri
c-useragent = data.c-useragent
certificate.serial = data.certificate.serial
client_header_names = data.client_header_names
dst_ip = data.dstip
dst_port = data.dstport
endpoint = data.endpoint
id.orig_h = data.srcip
id.orig_p = data.srcport
id.resp_h = data.dstip
id.resp_p = data.dstport
name = data.name
method = data.method
operation = data.operation
path = data.path
qtype_name = data.qtype_name
query = data.query
request_body_len = data.request_body_len
resp_mime_types = data.resp_mime_types
src_ip = data.srcip
src_port = data.srcport
status_code = data.status_code
uri = data.uri
z = data.z