#--------------------------------------------------
# SigmaShooter SIEM Tips File siemTips.txt
#
# For more information:
# https://github.com/ppll0p1s/SigmaShooter
#
# Version - v0.01 - 28/03/2020
#
#--------------------------------------------------
###################################################
# This file contains some SIEM tips to improve SigmaShooter results
###################################################
###################################################
# GRAYLOG
###################################################
==> Add the stream parameter to the URL used to run the queries (function web/helpers.runRuleQueryToGraylog()). A converted Sigma query carries no trace of the rule's logsource block, so if the query is not restricted to the right stream or log source, rules whose condition is only ORed selections match any message from any source that hits one of the terms and return a lot of false positives.
==> Configure HTTPS on the SIEM and talk to Graylog over TLS only, so that queries, results and the API credentials are not sent in clear text.
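The two tips above, worked through in code. This is an added example, not SigmaShooter's own helper: it detects a converted Sigma query whose top level is only ORs, ANDs the log-source constraint back in, and builds the search URL pinned to one stream while refusing plain http://. It assumes Graylog's legacy REST search endpoint /api/search/universal/relative with its filter=streams:<stream_id> parameter (newer Graylog releases use a different search API, so check your version); the host, stream id and queries are constructed sample values.

```python
"""Added example, not SigmaShooter's own code: scope a converted Sigma query to
a Graylog stream and a log source before running it, and refuse plain HTTP.

Assumptions not taken from the tips file above:
- Graylog's legacy REST search endpoint /api/search/universal/relative, whose
  `filter` parameter takes `streams:<stream_id>`; newer Graylog releases use
  a different search API, so check the version you run against.
- The stream id, host and queries below are constructed sample values.
"""
from urllib.parse import urlencode, urlsplit


def top_level_operators(query):
    """Return the boolean operators that sit outside any parentheses."""
    depth = 0
    ops = []
    for tok in query.split():
        if depth == 0 and tok in ("AND", "OR"):
            ops.append(tok)
        depth += tok.count("(") - tok.count(")")
    return ops


def is_or_only(query):
    """True when the query's top level is a chain of OR'd terms.

    A Sigma rule whose condition is only `selection1 or selection2` converts
    to exactly this shape; without a log-source constraint it matches any
    message, from any stream, that hits one of the terms.
    """
    q = query.strip()
    ops = top_level_operators(q)
    if not ops and q.startswith("(") and q.endswith(")"):
        return is_or_only(q[1:-1])  # peel one pair of outer parentheses
    return bool(ops) and set(ops) == {"OR"}


def scope_query(query, logsource_filter):
    """AND the converted rule with the log-source constraint that the rule's
    `logsource` block expressed but the converted Lucene query lost."""
    return f"({logsource_filter}) AND ({query})"


def is_tls_url(base_url):
    return urlsplit(base_url).scheme == "https"


def build_search_url(base_url, query, stream_id, range_seconds=3600,
                     limit=100, allow_insecure=False):
    """Build the search request URL, always pinned to one stream."""
    if not is_tls_url(base_url) and not allow_insecure:
        raise ValueError("refusing to send queries in clear text; use https://")
    params = {
        "query": query,
        "range": range_seconds,            # relative search window, seconds
        "limit": limit,
        "filter": f"streams:{stream_id}",  # the stream parameter the tip refers to
    }
    return f"{base_url.rstrip('/')}/api/search/universal/relative?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed Sysmon-style query: OR-only, so it needs scoping.
    rule_query = 'Image:"*\\\\cmd.exe" OR ParentImage:"*\\\\winword.exe"'
    if is_or_only(rule_query):
        rule_query = scope_query(
            rule_query,
            'source:"win-endpoint" AND Channel:"Microsoft-Windows-Sysmon/Operational"',
        )
    print(build_search_url("https://graylog.example.org", rule_query,
                           "5e7f0e1a2b3c4d5e6f708090"))
```

The OR-only check is a heuristic on the Lucene text: it only tells you that nothing at the top level narrows the query, not whether each branch is scoped on its own, so treat it as a prompt to look at the rule rather than as proof.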
==> Allow wildcards in Sigma queries:
    In "server.conf" set allow_leading_wildcard_searches to true.
    Caveat: leading-wildcard searches are expensive for Elasticsearch, so a rule set full of them can hurt search latency on a busy cluster; keep the rest of each query as selective as possible.
    By default, wildcards are only usable on the fields message, full_message and source.
    To enable them on other fields (e.g. Sysmon fields), add a custom index mapping:
    - Create a new template: vim graylog-custom-mapping.json
    - Declare the fields as analyzed text. The syntax depends on the Elasticsearch version behind Graylog:
      # versions <3 (Elasticsearch 2.x mapping syntax), e.g. configuring the Channel and Version fields
      {
        "template": "graylog_*",
        "mappings": {
          "message": {
            "properties": {
              "Channel": {
                "analyzer": "standard",
                "index": "analyzed",
                "type": "string"
              },
              "Version": {
                "analyzer": "standard",
                "index": "analyzed",
                "type": "string"
              }
            }
          }
        }
      }
      # versions >= 3 (Elasticsearch 5.x/6.x mapping syntax), e.g. configuring the Image and ParentImage fields
      {
        "template": "graylog_*",
        "mappings": {
          "message": {
            "properties": {
              "Image": {
                "analyzer": "standard",
                "fielddata": false,
                "type": "text"
              },
              "ParentImage": {
                "analyzer": "standard",
                "fielddata": false,
                "type": "text"
              }
            }
          }
        }
      }
      Note: on Elasticsearch 6.x the "template" key is deprecated in favour of "index_patterns": ["graylog_*"], and it is removed in 7.x.
    - Upload the new template (Elasticsearch 6.x rejects the request without the Content-Type header; 5.x accepts it either way):
      curl -X PUT -H 'Content-Type: application/json' -d @'graylog-custom-mapping.json' 'http://localhost:9200/_template/graylog-custom-mapping?pretty'
      This talks to an unauthenticated Elasticsearch port; keep it bound to localhost or firewalled so that nobody else can change the mappings.
    - Check it was stored: curl 'http://localhost:9200/_template/graylog-custom-mapping?pretty'
    - Rotate the index: from the webapp > System > Indices > Default index set > Maintenance > Rotate active write index
    - The template only applies to indices created after the upload, so wildcards work on the new fields for messages written from the rotation onwards; older indices keep their previous mapping.
    Reference:
    http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings
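The whole custom-mapping procedure above as one script. This is an added example, not SigmaShooter's or Graylog's own code: it builds the template for any list of fields with the mapping syntax picked by the Elasticsearch major version (the two JSON variants above), uploads it with the Content-Type header, fetches it back and reports fields that did not land. It assumes Elasticsearch answers unauthenticated at ES_URL as the curl command does, that 2.x wants "string"/"analyzed" while 5.x/6.x want "text" with fielddata off, and that 6.x wants "index_patterns" instead of "template"; nothing touches the network unless upload_template() or fetch_template() is called.

```python
"""Added example, not SigmaShooter's or Graylog's own code: build, upload and
verify the custom index template from the steps above for any list of fields,
choosing the mapping syntax by the Elasticsearch major version behind Graylog.

Assumptions not taken from the tips file:
- Elasticsearch 2.x wants type "string" with "index": "analyzed" (the
  "versions <3" template); 5.x/6.x want type "text" with fielddata off.
- On 6.x the template key "template" is deprecated for "index_patterns" and
  the PUT needs a Content-Type header; on 7.x "template" is gone.
- Elasticsearch answers unauthenticated at ES_URL, as the curl above assumes;
  nothing is sent over the network unless upload_template()/fetch_template() run.
"""
import json
import urllib.request

ES_URL = "http://localhost:9200"
TEMPLATE_NAME = "graylog-custom-mapping"


def es_major_from_info(info):
    """Major version from the JSON that GET / on Elasticsearch returns."""
    return int(info["version"]["number"].split(".")[0])


def field_mapping(es_major):
    """Analyzed mapping for one field, so wildcard queries work on its tokens."""
    if es_major < 5:
        return {"analyzer": "standard", "index": "analyzed", "type": "string"}
    return {"analyzer": "standard", "fielddata": False, "type": "text"}


def build_template(fields, es_major):
    """Index template covering every graylog_* index created after upload."""
    props = {name: field_mapping(es_major) for name in fields}
    body = {"mappings": {"message": {"properties": props}}}
    if es_major >= 6:
        body["index_patterns"] = ["graylog_*"]
    else:
        body["template"] = "graylog_*"
    return body


def missing_fields(template_body, wanted):
    """Fields absent from a template body, e.g. one fetched back with GET."""
    present = template_body.get("mappings", {}).get("message", {}).get("properties", {})
    return sorted(set(wanted) - set(present))


def _request(method, path, body=None, es_url=ES_URL):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{es_url}{path}", data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def upload_template(body, name=TEMPLATE_NAME, es_url=ES_URL):
    """PUT /_template/<name>, the curl command above with the header set."""
    return _request("PUT", f"/_template/{name}", body, es_url)


def fetch_template(name=TEMPLATE_NAME, es_url=ES_URL):
    """GET /_template/<name> returns {name: body}; unwrap the body."""
    return _request("GET", f"/_template/{name}", es_url=es_url)[name]


if __name__ == "__main__":
    wanted = ["Image", "ParentImage", "CommandLine"]
    major = es_major_from_info(_request("GET", "/"))
    upload_template(build_template(wanted, major))
    print("missing after upload:", missing_fields(fetch_template(), wanted))
    # Now rotate the active write index in Graylog; older indices keep the old mapping.
```

The fetch-back check matters because a template that Elasticsearch silently rejected or that a higher-order template overrides will leave the new fields unanalyzed, and the only symptom is Sigma rules that never match.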
###################################################
# Other SIEM
###################################################
# In Construction...