
Some generated rules do not work with LogQL

Open l00d3r opened this issue 7 months ago • 3 comments

Sorry if this is the wrong place for this, but I figured this is the repo to ask if there's somehow a way to make this work... I generated all Sigma Windows rules to Loki rules, and some of the rules fail to evaluate after conversion:

alert: Potential_PowerShell_Command_Line_Obfuscation
expr: '(sum(count_over_time({job=~"windows_eventlog"} | json | label_format Message="{{
  .message | replace \"\\\\\" \"\\\\\\\\\" | replace \"\\\"\" \"\\\\\\\"\" }}" | line_format
  "{{ regexReplaceAll \"([^:]+): ?((?:[^\\\\r]*|$))(\\r\\n|$)\" .Message \"${1}=\\\"${2}\\\"
  \"}}" | logfmt | ( ( ( ( ( event_id==1 , ( ( ( Image=~`(?i).*\\powershell\.exe$`
  or Image=~`(?i).*\\pwsh\.exe$` ) or OriginalFileName=~`(?i)^PowerShell\.EXE$` )
  or OriginalFileName=~`(?i)^pwsh\.dll$` ) ) , ( ( ( CommandLine=~`\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+`
  or CommandLine=~`\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{` ) or CommandLine=~`\^.*\^.*\^.*\^.*\^`
  ) or CommandLine=~``.*`.*`.*`.*`` ) ) , ParentImage!~"(?i)^C:\\\\Program\\ Files\\\\Amazon\\\\SSM\\\\ssm\\-document\\-worker\\.exe$"
  ) , CommandLine!~"(?i).*new\\ EventSource\\(\"Microsoft\\.Windows\\.Sense\\.Client\\.Management\".*"
  ) , CommandLine!~"(?i).*public\\ static\\ extern\\ bool\\ InstallELAMCertificateInfo\\(SafeFileHandle\\
  handle\\);.*" )[1m])) or (vector(0.000000) > 0))'
labels:
  severity: high
annotations:
  author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
    (fp)
  description: Detects the PowerShell command lines with special characters
  summary: Potential PowerShell Command Line Obfuscation

This rule fails with the following error:

rule evaluation failed: parse error at line 1, col 662: syntax error: unexpected .

Despite what the error message says, I believe the issue is with the last CommandLine regex in this sigma rule.

It looks like the cause is LogQL's inability to escape backticks, and I don't understand how, if at all, I should escape them based on this blog post.

There are other rules from Sigma Windows that fail; should I create a separate issue for each rule that fails? This rule and this rule are the ones I'm talking about.

They look related to my suspected inability to escape backticks but they fail with a different message:

"rule evaluation failed: parse error at line 1, col 93: syntax error: unexpected IDENTIFIER" and "rule evaluation failed: parse error at line 1, col 323: syntax error: unexpected IDENTIFIER", respectively.

l00d3r avatar Mar 10 '25 16:03 l00d3r
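As an added example (not code from pySigma-backend-loki or from the issue author), here is a small Python helper showing the workaround the post points at: emit a regex that contains a backtick as a double-quoted LogQL string, where a backtick is an ordinary character, and a check that flags raw-string matchers in a generated expr that a stray backtick closed early. It assumes LogQL string literals follow Go's rules (a backtick raw string cannot contain or escape a backtick; a double-quoted string takes \\ and \" escapes).

```python
import re

# Added example (not pySigma-backend-loki code). Assumption: LogQL string
# literals follow Go rules, so a backtick raw string has no way to contain
# a backtick, while a double-quoted string may, with \\ and \" escapes.


def logql_regex_literal(pattern: str) -> str:
    """Quote a regex for a LogQL =~ / !~ matcher without breaking the parser."""
    if "`" not in pattern:
        return f"`{pattern}`"  # raw string: the regex needs no escaping
    escaped = pattern.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'  # interpreted string: a backtick is an ordinary char


def logql_matcher(field: str, pattern: str, negate: bool = False) -> str:
    """Build a label matcher such as CommandLine=~"`.*`.*`.*`.*`"."""
    return f"{field}{'!~' if negate else '=~'}{logql_regex_literal(pattern)}"


# What may legitimately follow a closed matcher inside a LogQL filter.
_OK_AFTER = re.compile(r"\s*(\)|,|\||and\b|or\b|\[|$)")


def find_broken_raw_matchers(expr: str) -> list:
    """Scan a generated expr for raw-string matchers that a backtick inside the
    pattern closed early (the symptom in the rule above). Returns
    (field, literal-as-parsed) pairs; an empty literal is the typical sign."""
    broken = []
    for m in re.finditer(r"(\w+)\s*(?:=~|!~)\s*`([^`]*)`", expr):
        if not _OK_AFTER.match(expr, m.end()):
            broken.append((m.group(1), m.group(2)))
    return broken


if __name__ == "__main__":
    # Constructed fragment mirroring the failing part of the generated rule.
    bad = 'CommandLine=~`\\^.*\\^.*\\^` ) or CommandLine=~``.*`.*`.*`.*`` ) )'
    print(find_broken_raw_matchers(bad))  # [('CommandLine', '')]
    print(logql_matcher("CommandLine", "`.*`.*`.*`.*`"))
```

The scanner is a heuristic over the generated text, not a LogQL parser, so treat a hit as something to inspect rather than proof of a broken rule.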