Hello all - I am currently trying to understand and use SIGMA rules in my home lab and am pretty new to using them. If anyone could help me understand where the "default" field names are located or derived from, that would be a great help. I believe I understand the concept of creating a custom configuration file in YAML format that can be used at runtime to help with the field name conversions, but am still having a hard time understanding what the default field names are in order to create proper field mappings. I would love to take any findings from my home lab and help contribute to the community, but need to get over this hurdle first.

Lab Setup Example: When using sigmac to point to the elasticsearch backend, if my SIGMA rule's field is not 'process.name' it of course will not produce the desired output for the query, and since SIGMA is meant to be agnostic I want to ensure the rules I write are not specific to my setup. Thanks for any responses!
Hello - Thanks for taking the time to explain. The winlogbeat-modules-enabled.yml is exactly what I was looking for and seems to have all the mappings I need.
Hello,
The idea is to always use the original field name of the log in the Sigma rule.
Example: Windows Security event 5145 uses
RelativeTargetName
not Account_Name
or Account Name
You can see it in the XML view of Event Viewer.
Next you use the sigmac option for ELK with ECS:
sigmac -t es-qs -c config\generic\sysmon.yml -c config\winlogbeat-modules-enabled.yml name_of_the_rule.yml
Then you get a query in ECS field names.
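To make the answer above concrete, here is an added example (not sigmac's own code, and not part of the original thread) that shows what a field-mapping config does between a rule written with the event's original field names and the Elasticsearch query that comes out. The rule, the `FIELDMAPPINGS` dictionary and the tiny query builder are constructed for illustration: the ECS target names are assumptions for the example, not copied from winlogbeat-modules-enabled.yml, and the real sigmac reads YAML, supports many more modifiers and backends, and handles conditions beyond a single selection. Running the block with an empty mapping reproduces the mismatch the question describes, where the query keeps the rule's field names and does not match ECS-indexed events.

```python
"""Added example: how a Sigma field-mapping config rewrites a rule's
original Windows field names into ECS names before a query is built.
Not sigmac's code; rule, mappings and query builder are constructed."""
from typing import Any

# Constructed Sigma-style rule. Field names are the original ones from the
# event's XML view (Security event 5145), not the friendly display names.
RULE = {
    "title": "Admin share accessed via SMB (constructed example)",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 5145,
            "RelativeTargetName|contains": "ADMIN$",
        },
        "condition": "selection",
    },
}

# Constructed subset of a sigmac-style fieldmappings section. These ECS
# targets are assumptions for the example, not taken from the real
# winlogbeat-modules-enabled.yml.
FIELDMAPPINGS = {
    "EventID": "event.code",
    "RelativeTargetName": "winlog.event_data.RelativeTargetName",
    "SubjectUserName": "user.name",
}


def split_modifier(key: str) -> tuple[str, list[str]]:
    """'Field|contains|all' -> ('Field', ['contains', 'all'])."""
    field, *mods = key.split("|")
    return field, mods


def map_selection(selection: dict[str, Any],
                  fieldmappings: dict[str, str]) -> dict[str, Any]:
    """Rewrite selection keys through the mappings, keeping modifiers.
    Unmapped fields pass through unchanged, which is exactly how a
    rule-vs-index mismatch shows up in the generated query."""
    mapped: dict[str, Any] = {}
    for key, value in selection.items():
        field, mods = split_modifier(key)
        mapped["|".join([fieldmappings.get(field, field), *mods])] = value
    return mapped


def _escape(term: str) -> str:
    """Escape Lucene query_string special characters in a literal value."""
    specials = '+-=&|><!(){}[]^"~*?:\\/ '
    return "".join("\\" + ch if ch in specials else ch for ch in term)


def term_to_qs(key: str, value: Any) -> str:
    """One 'field|modifier: value' pair -> one query_string clause."""
    field, mods = split_modifier(key)
    text = _escape(str(value))
    if "contains" in mods:
        text = f"*{text}*"
    elif "startswith" in mods:
        text = f"{text}*"
    elif "endswith" in mods:
        text = f"*{text}"
    return f"{field}:{text}"


def selection_to_qs(selection: dict[str, Any]) -> str:
    """AND all clauses of a single selection together."""
    return " AND ".join(term_to_qs(k, v) for k, v in selection.items())


def build_query(rule: dict[str, Any], fieldmappings: dict[str, str]) -> str:
    """Apply the mappings to the rule's selection and emit the ES query."""
    selection = rule["detection"]["selection"]
    return selection_to_qs(map_selection(selection, fieldmappings))


if __name__ == "__main__":
    print("without mapping:", build_query(RULE, {}))
    print("with mapping:   ", build_query(RULE, FIELDMAPPINGS))
```

The useful check for a home lab is the first line of output: if a field survives the mapping step with its original name, either the rule uses a name that is not the event's original field (check the XML view) or the config you pass with `-c` has no entry for it, and that is the field you need to add to a custom mapping file.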