
Are the fields/logsources correct?

Open • sifex opened this issue 3 years ago • 1 comment

Hey @dstaulcu,

Just a couple of items I found with the conversions. The only field that's changed in https://github.com/dstaulcu/TA-Sigma-Searches/blob/245dd779072623530bad74a2e7f8e6cd5ceb80d0/Update_SavedSearches_From_Sigma_YML.ps1 is EventID to EventCode. Are there more fields that are incorrectly matching?

If WinEventLog and WinEventLog w/ Sysmon are onboarded with the default inputs, and the Splunk_TA_windows and TA-microsoft-sysmon apps are installed, then aren't the fields incorrect?

I tried to search for ServiceName as is shown here and noticed that only Service_Name or service_name showed in the results of a field summary.

https://github.com/dstaulcu/TA-Sigma-Searches/blob/245dd779072623530bad74a2e7f8e6cd5ceb80d0/default/savedsearches.conf#L28

Some of the other searches are only searching for the source as the sole logsource. E.g. source="WinEventLog:Application". If the Splunk instance is the default configuration, I don't believe any user by default has the index="*" prefix set to ensure that results are returned.

https://github.com/dstaulcu/TA-Sigma-Searches/blob/245dd779072623530bad74a2e7f8e6cd5ceb80d0/default/savedsearches.conf#L13


Update: I only now noticed how old the repo is, so I don't expect any of these to be fixed. Thank you for the work put into the initial conversion. I'll leave this open to help anyone else coming across this repo :smile:

sifex avatar Aug 20 '21 23:08 sifex
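An added example of the two fixes the report above asks for: mapping Sigma field names to the names the Windows and Sysmon add-ons actually extract (the original script only renames EventID to EventCode), and pinning every generated search to an explicit index and source so results do not depend on the searching user's default index list. This is illustration code written for this thread, not code from TA-Sigma-Searches or from either participant. The function names, the field map, the index name `wineventlog` and the source strings are assumptions; the sample rule is constructed. Verify the field names against `| fieldsummary` on your own data, as the report did.

```powershell
# Added example for this issue; it is NOT code from TA-Sigma-Searches.
# It shows the two fixes the report points at:
#   1. translate Sigma field names into the names the Splunk add-ons actually
#      extract (the original script only renames EventID -> EventCode), and
#   2. pin every generated search to an explicit index and source instead of
#      relying on the searching user's default index list.
# ASSUMPTIONS: the field map, the index name 'wineventlog' and the source
# strings are illustrative; verify them with `| fieldsummary` on your data.

$FieldMap = @{
    'EventID'     = 'EventCode'     # the one rename the original script already makes
    'ServiceName' = 'Service_Name'  # the name the field summary showed (see the report)
}

# Sigma logsource (product/service) -> Splunk scope. Values are assumed defaults.
$LogsourceMap = @{
    'windows/security'    = 'index=wineventlog source="WinEventLog:Security"'
    'windows/system'      = 'index=wineventlog source="WinEventLog:System"'
    'windows/application' = 'index=wineventlog source="WinEventLog:Application"'
    'windows/sysmon'      = 'index=wineventlog source="WinEventLog:Microsoft-Windows-Sysmon/Operational"'
}

function ConvertTo-SplTerm {
    # Turn one Sigma selection entry ("Field" or "Field|modifier" plus value(s))
    # into an SPL term, applying the field-name map and the Sigma modifier.
    param([string]$SigmaField, $Value)

    $parts    = $SigmaField -split '\|', 2
    $name     = $parts[0]
    $modifier = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    if ($FieldMap.ContainsKey($name)) { $name = $FieldMap[$name] }

    $values = @(@($Value) | ForEach-Object {
        $v = ([string]$_) -replace '"', '\"'      # keep quotes inside values safe
        switch ($modifier) {
            'contains'   { "`"*$v*`"" }
            'startswith' { "`"$v*`"" }
            'endswith'   { "`"*$v`"" }
            default      { "`"$v`"" }
        }
    })
    if ($values.Count -eq 1) { return "$name=$($values[0])" }
    # A Sigma list value means "any of"; emit an OR group.
    return '(' + (($values | ForEach-Object { "$name=$_" }) -join ' OR ') + ')'
}

function ConvertTo-SplSearch {
    # Build a complete, scoped SPL search from a Sigma-style logsource and selection.
    param(
        [hashtable]$Logsource,   # e.g. @{ product = 'windows'; service = 'system' }
        [hashtable]$Selection    # e.g. @{ 'EventID' = 7045; 'ServiceName|contains' = 'mimikatz' }
    )
    $key = ("{0}/{1}" -f $Logsource.product, $Logsource.service).ToLower()
    if (-not $LogsourceMap.ContainsKey($key)) {
        # Refuse rather than emit a search with no index: that is the silent-miss case
        # described in the report (results only appear if the user's defaults cover the index).
        throw "No Splunk scope mapped for Sigma logsource '$key'"
    }
    $terms = foreach ($field in ($Selection.Keys | Sort-Object)) {
        ConvertTo-SplTerm -SigmaField $field -Value $Selection[$field]
    }
    return "$($LogsourceMap[$key]) $($terms -join ' ')"
}

# Constructed sample mirroring a service-installation rule (Event ID 7045).
ConvertTo-SplSearch `
    -Logsource @{ product = 'windows'; service = 'system' } `
    -Selection @{ 'EventID' = 7045; 'ServiceName|contains' = @('mimikatz', 'PSEXESVC') }
```

Two caveats when adapting this. Splunk field names are case-sensitive, so `ServiceName`, `Service_Name` and `service_name` are three different fields and only the one the add-on actually extracts will match; that is exactly why the field summary check matters. The `WinEventLog:` source values correspond to the classic (non-XML) Windows inputs; if the inputs were onboarded with `renderXml = true`, the source and sourcetype start with `XmlWinEventLog:` instead, and the map above needs to change accordingly.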

Thanks for reaching out! I haven't touched this code in years but could take another crack at it if you would find that helpful. A few months after I made this, Splunk started publishing Enterprise Security Content Updates, which are in part derived from threat research like Sigma.


dstaulcu avatar Aug 20 '21 23:08 dstaulcu