

Merge pull request #38 from RolandRoure/RR-dev-web_proxy-data_model
Add support for Web.Proxy Splunk data model
thomaspatzke authored Apr 2, 2024
2 parents 52e6330 + 27bcb8d commit f1aae0d
Showing 3 changed files with 65 additions and 1 deletion.
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[tool.poetry]
name = "pysigma-backend-splunk"
version = "1.1.0"
version = "1.1.1"
description = "pySigma Splunk backend"
readme = "README.md"
authors = ["Thomas Patzke <[email protected]>"]
8 changes: 8 additions & 0 deletions sigma/backends/splunk/splunk.py
Expand Up @@ -17,6 +17,7 @@
splunk_sysmon_process_creation_cim_mapping,
splunk_windows_registry_cim_mapping,
splunk_windows_file_event_cim_mapping,
splunk_web_proxy_cim_mapping,
)
import sigma
from typing import Any, Callable, ClassVar, Dict, List, Optional, Pattern, Tuple, Union
Expand Down Expand Up @@ -380,6 +381,13 @@ def finalize_query_data_model(
cim_fields = " ".join(
splunk_sysmon_process_creation_cim_mapping.values()
)

elif rule.logsource.category == "proxy":
data_model = "Web"
data_set = "Proxy"
cim_fields = " ".join(
splunk_web_proxy_cim_mapping.values()
)

try:
data_model_set = state.processing_state["data_model_set"]
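Review bot: The new `elif` branch hardcodes `data_model = "Web"` and `data_set = "Proxy"` while the pipeline separately records the same information in processing state as `data_model_set = "Web.Proxy"` and `fields`, which the `try` directly below then reads; two sources of truth for one mapping can drift silently when only one side is updated. A comment above the branch, `# Must stay consistent with the "data_model_set"/"fields" state set by the splunk_cim_data_model pipeline for category "proxy"`, would make the coupling explicit; deriving the two values from the state entry would remove the duplication but is a larger change that touches the other branches. The enclosing `finalize_query_data_model` starts before the hunk and continues after it, so it is not visible here whether an unmatched category falls through with `data_model` unset.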
56 changes: 56 additions & 0 deletions sigma/pipelines/splunk/splunk.py
Expand Up @@ -63,6 +63,17 @@
"TargetFilename": "Filesystem.file_path",
}

splunk_web_proxy_cim_mapping = {
"c-uri": "Web.url",
"c-uri-query": "Web.uri_query",
"c-uri-stem": "Web.uri_path",
"c-useragent": "Web.http_user_agent",
"cs-method": "Web.http_method",
"cs-host": "Web.dest",
"cs-referrer": "Web.http_referrer",
"src_ip": "Web.src",
"dst_ip": "Web.dest_ip",
}

def splunk_windows_pipeline():
return ProcessingPipeline(
Expand Down Expand Up @@ -265,6 +276,48 @@ def splunk_cim_data_model():
logsource_windows_file_event(),
],
),
ProcessingItem(
identifier="splunk_dm_mapping_web_proxy_unsupported_fields",
transformation=DetectionItemFailureTransformation(
"The Splunk Data Model Sigma backend supports only the following fields for web proxy log source: "
+ ",".join(splunk_web_proxy_cim_mapping.keys())
),
rule_conditions=[
LogsourceCondition(category="proxy"),
],
field_name_conditions=[
ExcludeFieldCondition(
fields=splunk_web_proxy_cim_mapping.keys()
)
],
),
ProcessingItem(
identifier="splunk_dm_mapping_web_proxy",
transformation=FieldMappingTransformation(
splunk_web_proxy_cim_mapping
),
rule_conditions=[
LogsourceCondition(category="proxy"),
],
),
ProcessingItem(
identifier="splunk_dm_fields_web_proxy",
transformation=SetStateTransformation(
"fields", splunk_web_proxy_cim_mapping.values()
),
rule_conditions=[
LogsourceCondition(category="proxy"),
],
),
ProcessingItem(
identifier="splunk_dm_mapping_web_proxy_data_model_set",
transformation=SetStateTransformation(
"data_model_set", "Web.Proxy"
),
rule_conditions=[
LogsourceCondition(category="proxy"),
],
),
ProcessingItem(
identifier="splunk_dm_mapping_log_source_not_supported",
rule_condition_linking=any,
Expand All @@ -282,6 +335,9 @@ def splunk_cim_data_model():
RuleProcessingItemAppliedCondition(
"splunk_dm_mapping_sysmon_file_event"
),
RuleProcessingItemAppliedCondition(
"splunk_dm_mapping_web_proxy"
),
],
),
],
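Review bot: The `splunk_dm_mapping_web_proxy_unsupported_fields` item rejects every field outside `splunk_web_proxy_cim_mapping`, so proxy rules that use common Sigma proxy fields absent from the mapping (for example `sc-status`, which the Web data model exposes as `status`) fail conversion instead of mapping; consider extending the mapping in the earlier hunk with `"sc-status": "Web.status",` or documenting the intentional coverage limit in a comment above the dict. The failure message also joins the supported fields with `","` and no space, so the list is printed as `c-uri,c-uri-query,...`; `", ".join(splunk_web_proxy_cim_mapping.keys())` reads better. The four new items all key on `LogsourceCondition(category="proxy")` alone, which matches the backend's `rule.logsource.category == "proxy"` branch. `splunk_cim_data_model` starts before the hunk and continues past it.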
