pySigma-backend-elasticsearch icon indicating copy to clipboard operation
pySigma-backend-elasticsearch copied to clipboard
verified publisher icon SigmaHQ

Wrong network direction values

Open cospirho opened this issue 1 year ago • 4 comments

The default winlogbeat sysmon pipeline values for the network direction are changed from true/false to egress/ingress, and winlog.event_data.Initiated is removed (changed to network.direction). This backend will output the values of true/false

detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
        DestinationPort:
            - 80
            - 443

I'm not sure what the best way to handle this would be....also not 100% sure if it's an issue with this repo, the rules, both, or neither. I didn't see 'Initiated' anywhere in the sigma rule taxonomy specification.

cospirho avatar Apr 18 '24 18:04 cospirho

@cospirho If I understood you correctly you would like to see a transformation like:

# Initiated: true 
network.direction: 'egress'

or

# Initiated: false
network.direction: 'ingress'

?

andurin avatar Oct 17 '24 08:10 andurin

@thomaspatzke Would this be possible in the pipeline? A value determined conditional?

andurin avatar Oct 17 '24 08:10 andurin

@cospirho If I understood you correctly you would like to see a transformation like:

# Initiated: true 
network.direction: 'egress'

?

Yes that's right, like network.direction:egress instead of network.direction:true. Thank you for looking in to it.

cospirho avatar Oct 17 '24 13:10 cospirho

It's already implemented but not yet merged because of required breaking changes in pySigma. Should be done in few weeks.

thomaspatzke avatar Feb 10 '25 07:02 thomaspatzke

Just merged the fix.

thomaspatzke avatar Aug 18 '25 11:08 thomaspatzke