Hi,
I am working on a larger Sigma correlation rule. As part of that rule, I want to use the "aliases" attribute to create a shared name for fields from different logsources.
While converting the correlation rule with the Splunk backend, the resulting rule does not seem to have considered the alias (as far as I can read Splunk queries).
I've stripped down my rule to the following MVP:
```yaml
title: MVP Sigma conversion test with aliases
id: 192c842d-a934-44a7-aeea-3e72bba6291f
status: experimental
description: minimum sigma rule to show conversion of "aliases" with Splunk backend
author: Herbert Bärschneider @SEC Consult
date: 2024-10-17
correlation:
  type: event_count
  rules:
    - 2a239bba-583c-4afc-a1f7-6736e8e9e5b0 # user remote logon
  aliases:
    targeted_useraccount:
      logon_remote: TargetUserName
  group-by:
    - targeted_useraccount
  timespan: 5m
  condition:
    gte: 100
level: medium
---
title: User Remote Logon
id: 2a239bba-583c-4afc-a1f7-6736e8e9e5b0
status: test
description: Detect remote login
author: Herbert Bärschneider @SEC Consult
date: 2024-10-08
name: logon_remote
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 10
  condition: selection
fields:
  - TargetUserName
  - IpAddress # where the connection came from
falsepositives:
  - Legitimate remote desktop activity.
level: informational
```
When running the command `sigma convert -t splunk -p splunk_windows mvp.yml`, I get the following output:
```
source="WinEventLog:Security" EventCode=4624 LogonType=10 | table TargetUserName,IpAddress
| bin _time span=5m
| stats count as event_count by _time targeted_useraccount
| search event_count >= 100
```
The alias name is used in the query, but it is seemingly not connected with the event fields.
I am unsure whether this problem comes from the backend or from an error on my side. I would appreciate feedback.
Kind Regards
Herbert
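The following is an added example, not pySigma's or the Splunk backend's own code, that models what the `aliases` attribute in the rule above is supposed to do: map the rule-specific field (`TargetUserName` in the rule named `logon_remote`) onto the shared group-by name (`targeted_useraccount`) before the events are bucketed and counted. It renders a Splunk pipeline with an explicit `| rename` step (an assumption about how a backend would express the alias; the real backend's template may differ) and includes a check that flags the situation in the issue's output, where `stats ... by _time targeted_useraccount` groups on a name that nothing earlier in the pipeline produces. The correlation dictionary, the per-rule search string and `ISSUE_OUTPUT` are constructed here to mirror the issue; the rule is referenced by its `name` rather than its id for readability.

```python
"""Toy alias resolution for a Sigma event_count correlation rule (added example)."""
from typing import Dict, List

# Constructed to mirror the correlation rule from the issue (rule referenced by name).
CORRELATION = {
    "type": "event_count",
    "rules": ["logon_remote"],
    "aliases": {"targeted_useraccount": {"logon_remote": "TargetUserName"}},
    "group-by": ["targeted_useraccount"],
    "timespan": "5m",
    "condition": {"gte": 100},
}

# Constructed: the per-rule search as a backend would render the detection section.
RULE_QUERIES = {
    "logon_remote": 'source="WinEventLog:Security" EventCode=4624 LogonType=10',
}

# The output quoted in the issue, kept verbatim so the check below can be run on it.
ISSUE_OUTPUT = (
    'source="WinEventLog:Security" EventCode=4624 LogonType=10 | table TargetUserName,IpAddress\n'
    "| bin _time span=5m\n"
    "| stats count as event_count by _time targeted_useraccount\n"
    "| search event_count >= 100"
)


def resolve_group_by(correlation: dict, rule_name: str) -> Dict[str, str]:
    """Return {group-by name: concrete event field} for one referenced rule.

    A group-by entry that is not an alias is used as-is. An alias with no
    mapping for this rule is an authoring error, so raise instead of silently
    grouping on a field the rule's events do not carry.
    """
    aliases = correlation.get("aliases", {})
    resolved: Dict[str, str] = {}
    for name in correlation["group-by"]:
        if name in aliases:
            if rule_name not in aliases[name]:
                raise ValueError(f"alias {name!r} has no mapping for rule {rule_name!r}")
            resolved[name] = aliases[name][rule_name]
        else:
            resolved[name] = name
    return resolved


def build_splunk_query(correlation: dict, rule_queries: Dict[str, str]) -> str:
    """Render a single-rule event_count correlation as one SPL pipeline.

    The `| rename <field> as <alias>` step is the assumed way of connecting
    the alias to the event field; it is inserted before bin/stats so the
    group-by name exists when stats runs.
    """
    if correlation["type"] != "event_count":
        raise NotImplementedError("only event_count is modelled here")
    if len(correlation["rules"]) != 1:
        raise NotImplementedError("multi-rule correlations need a search union; not modelled")
    rule = correlation["rules"][0]
    parts = [rule_queries[rule]]
    for shared, concrete in resolve_group_by(correlation, rule).items():
        if shared != concrete:
            parts.append(f"| rename {concrete} as {shared}")
    cond_op, cond_val = next(iter(correlation["condition"].items()))
    spl_op = {"gte": ">=", "gt": ">", "lte": "<=", "lt": "<", "eq": "="}[cond_op]
    parts.append(f"| bin _time span={correlation['timespan']}")
    parts.append(f"| stats count as event_count by _time {' '.join(correlation['group-by'])}")
    parts.append(f"| search event_count {spl_op} {cond_val}")
    return "\n".join(parts)


def grouped_fields_exist(query: str, correlation: dict) -> bool:
    """True if every alias in group-by is produced by a rename before stats.

    Non-alias group-by fields are assumed to come from the events themselves,
    so only aliases are checked. Run on ISSUE_OUTPUT this returns False: the
    alias name is used by stats but never connected to TargetUserName.
    """
    produced: List[str] = []
    for line in query.splitlines():
        if line.startswith("| stats "):
            break
        if line.startswith("| rename ") and " as " in line:
            produced.append(line.split(" as ", 1)[1].strip())
    aliases = correlation.get("aliases", {})
    return all(f in produced for f in correlation["group-by"] if f in aliases)


if __name__ == "__main__":
    print(build_splunk_query(CORRELATION, RULE_QUERIES))
    print("issue output groups on an existing field:", grouped_fields_exist(ISSUE_OUTPUT, CORRELATION))
```

A second thing worth checking in the quoted output, independent of the alias: the `fields` section of the event rule is rendered as `| table TargetUserName,IpAddress` ahead of `| bin _time`, and `table` keeps only the listed fields, so `_time` is gone by the time the correlation buckets on it. Dropping `fields` from the event rule while testing the correlation keeps the two problems from masking each other.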