From 27bcb8d8af2d399df252c5f208b512f33100fcac Mon Sep 17 00:00:00 2001
From: Roland Roure
Date: Tue, 26 Mar 2024 14:28:18 +0100
Subject: [PATCH] Add support for Web.Proxy Splunk data model
---
 pyproject.toml | 2 +-
 sigma/backends/splunk/splunk.py | 8 +++++
 sigma/pipelines/splunk/splunk.py | 56 ++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 84b3c75..4ef4297 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-backend-splunk"
-version = "1.1.0"
+version = "1.1.1"
 description = "pySigma Splunk backend"
 readme = "README.md"
 authors = ["Thomas Patzke "]
diff --git a/sigma/backends/splunk/splunk.py b/sigma/backends/splunk/splunk.py
index 7281118..e55f18a 100644
--- a/sigma/backends/splunk/splunk.py
+++ b/sigma/backends/splunk/splunk.py
@@ -16,6 +16,7 @@
     splunk_sysmon_process_creation_cim_mapping,
     splunk_windows_registry_cim_mapping,
     splunk_windows_file_event_cim_mapping,
+    splunk_web_proxy_cim_mapping,
 )
 import sigma
 from typing import Callable, ClassVar, Dict, List, Optional, Pattern, Tuple
@@ -280,6 +281,13 @@ def finalize_query_data_model(
             cim_fields = " ".join(
                 splunk_sysmon_process_creation_cim_mapping.values()
             )
+
+        elif rule.logsource.category == "proxy":
+            data_model = "Web"
+            data_set = "Proxy"
+            cim_fields = " ".join(
+                splunk_web_proxy_cim_mapping.values()
+            )
         try:
             data_model_set = state.processing_state["data_model_set"]
diff --git a/sigma/pipelines/splunk/splunk.py b/sigma/pipelines/splunk/splunk.py
index 6075cdb..b33143d 100644
--- a/sigma/pipelines/splunk/splunk.py
+++ b/sigma/pipelines/splunk/splunk.py
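Review bot: The new `elif rule.logsource.category == "proxy"` branch in `finalize_query_data_model` hardcodes `data_model = "Web"` and `data_set = "Proxy"` while the pipeline's `splunk_dm_mapping_web_proxy_data_model_set` item independently stores `"Web.Proxy"` in processing state, so the same dataset name now lives in two files with nothing tying them together; a comment on the branch, `# keep in sync with the "Web.Proxy" state set by splunk_dm_mapping_web_proxy_data_model_set in the pipeline`, would at least make that coupling visible. The added empty `+` line before the `elif` also detaches it from the `if`/`elif` chain that ends with the `)` directly above; dropping it keeps the chain contiguous like the preceding branch. The chain itself and the `try` that reads `data_model_set` start and continue outside the hunk, so which of the two values wins when they disagree cannot be seen here.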
@@ -63,6 +63,17 @@
     "TargetFilename": "Filesystem.file_path",
 }
+splunk_web_proxy_cim_mapping = {
+    "c-uri": "Web.url",
+    "c-uri-query": "Web.uri_query",
+    "c-uri-stem": "Web.uri_path",
+    "c-useragent": "Web.http_user_agent",
+    "cs-method": "Web.http_method",
+    "cs-host": "Web.dest",
+    "cs-referrer": "Web.http_referrer",
+    "src_ip": "Web.src",
+    "dst_ip": "Web.dest_ip",
+}
 def splunk_windows_pipeline():
     return ProcessingPipeline(
@@ -265,6 +276,48 @@ def splunk_cim_data_model():
                     logsource_windows_file_event(),
                 ],
             ),
+            ProcessingItem(
+                identifier="splunk_dm_mapping_web_proxy_unsupported_fields",
+                transformation=DetectionItemFailureTransformation(
+                    "The Splunk Data Model Sigma backend supports only the following fields for web proxy log source: " + ",".join(splunk_web_proxy_cim_mapping.keys())
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+                field_name_conditions=[
+                    ExcludeFieldCondition(
+                        fields=splunk_web_proxy_cim_mapping.keys()
+                    )
+                ],
+            ),
+            ProcessingItem(
+                identifier="splunk_dm_mapping_web_proxy",
+                transformation=FieldMappingTransformation(
+                    splunk_web_proxy_cim_mapping
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+            ),
+            ProcessingItem(
+                identifier="splunk_dm_fields_web_proxy",
+                transformation=SetStateTransformation(
+                    "fields", splunk_web_proxy_cim_mapping.values()
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+            ),
+            ProcessingItem(
+                identifier="splunk_dm_mapping_web_proxy_data_model_set",
+                transformation=SetStateTransformation(
+                    "data_model_set", "Web.Proxy"
+                ),
+                rule_conditions=[
+                    LogsourceCondition(category="proxy"),
+                ],
+            ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_log_source_not_supported",
                 rule_condition_linking=any,
@@ -282,6 +335,9 @@ def splunk_cim_data_model():
                     RuleProcessingItemAppliedCondition(
                         "splunk_dm_mapping_sysmon_file_event"
                     ),
+                    RuleProcessingItemAppliedCondition(
+                        "splunk_dm_mapping_web_proxy"
+                    ),
                 ],
             ),
         ],
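Review bot: The `"dst_ip": "Web.dest_ip"` entry in `splunk_web_proxy_cim_mapping` should be checked against the CIM Web data model field list before this ships: `cs-host` already maps to `Web.dest`, and I could not confirm that `dest_ip` is a populated field of the Web/Proxy dataset, in which case a rule on `dst_ip` would convert cleanly but match nothing at search time. The dict carries no comment on its direction or its consequence; a header such as `# Sigma proxy taxonomy field -> Splunk CIM Web.Proxy field; any key not listed here is rejected by splunk_dm_mapping_web_proxy_unsupported_fields` would document both. If I recall the Sigma proxy taxonomy correctly it also defines fields such as `sc-status` and `r-dns` that are not mapped here, so rules using them fail conversion rather than degrade; that may be intended, but is worth stating in a comment so the omission is not mistaken for an oversight.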
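Review bot: `ExcludeFieldCondition(fields=splunk_web_proxy_cim_mapping.keys())` in `splunk_dm_mapping_web_proxy_unsupported_fields` and `SetStateTransformation("fields", splunk_web_proxy_cim_mapping.values())` in `splunk_dm_fields_web_proxy` pass live dict views rather than lists; a view compares unequal to a list and is not JSON-serialisable, so if the processing state is ever compared, copied or dumped these items will behave differently from whatever the sibling log-source items pass (not visible in the hunk). Wrapping them, `fields=list(splunk_web_proxy_cim_mapping.keys())` and `"fields", list(splunk_web_proxy_cim_mapping.values())`, costs nothing and removes the aliasing on the module-level dict. The enclosing `splunk_cim_data_model()` starts before the hunk.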