Add new pipelines (#1)

* Add first pipeline

Signed-off-by: frack113 <[email protected]>

* Update Readme

* Add ecs_1_winlogbeat.yml

* Add ecs_1_filebeat.yml

---------

Signed-off-by: frack113 <[email protected]>

README.md

@@ -1,2 +1,27 @@
 # pySigma-yml-pipeline
 Unofficial pySigma Yaml pipeline
+
+# Useful information
+
+This depot is not linked to SigmaHQ or pySigma.
+
+This is an open library for pySigma pipelines in yaml format.
+You can use them, improve them or add new ones.
+
+# Folder
+## elastalert
+- elastalert_any from https://x.com/frack113/status/1697904485031399431
+
+## elastic
+- ecs_1_winlogbeat ECS 1.xx winlogbeat field mapping 
+- ecs_1_filebeat ECS 1.xx filebeat field mapping (only auditd module)
+
+## misc
+- placerholder from [sigmahq bloq](https://blog.sigmahq.io/building-flexible-detections-with-sigma-placeholders-7c1b814e2860)
+- processing from [sigmahq bloq](https://blog.sigmahq.io/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070)
+- field_mapping from [sigmahq bloq](https://blog.sigmahq.io/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070)
+
+## splunk
+- splunk-savedsearches-concat from [sigmahq bloq](https://blog.sigmahq.io/introducing-query-post-processing-and-output-finalization-to-processing-pipelines-4bfe74087ac1)
+- splunk-savedsearches-template from [sigmahq bloq](https://blog.sigmahq.io/introducing-query-post-processing-and-output-finalization-to-processing-pipelines-4bfe74087ac1)
+

elastalert/elastalert_any.yml

@@ -0,0 +1,22 @@
+postprocessing:
+  - type: template
+    template: |+
+      name: {{ rule.id }}
+      description: {{ rule.title }}
+      owner: {{ rule.author }}
+     
+      type: any
+      priority:{% set priority = ({"critical":4, "high":3, "medium":2, "low":1, "informational":0 })%} {{ priority["%s" % rule.level]}}
+      alert:
+        - debug    
+   
+      # The Detection Warning miss the index information in the lucene output
+      index: linux-*
+      filter:
+        - query:
+            query_string:
+              query: '{{ query }}'
+
+
+finalizers:
+  - type: concat

elastic/ecs_1_filebeat.yml

@@ -0,0 +1,60 @@
+name: Mapping Filebeat ECS 1.x
+priority: 30
+transformations:
+
+# Auditd Module
+  - id: field_mapping_module_auditd
+    type: field_name_mapping
+    mapping:
+      acct: user.name
+      addr: source.address
+      agid: user.audit.group.id
+      arch: host.architecture
+      auid: user.audit.id
+      comm: process.name
+      cwd: process.working_directory
+      dst: destination.address
+      egid: user.effective.group.id
+      euid: user.effective.id
+      exe: process.executable
+      exit: process.exit_code
+      fsgid: user.filesystem.group.id
+      fsuid: user.filesystem.id
+      gid: user.group.id
+      msg: message
+      ogid: user.owner.group.id
+      ouid: user.owner.id
+      pid: process.pid
+      ppid: process.ppid
+      record_type: event.action
+      res: event.outcome
+      sgid: user.saved.group.id
+      src: source.address
+      suid: user.saved.id
+      terminal: user.terminal
+      uid: user.id
+      user: user.name
+    rule_conditions:
+      - type: logsource
+        service: auditd
+
+  - id: auditd_field_prefix
+    type: field_name_prefix
+    prefix: "auditd.log."
+    field_name_cond_not: true
+    field_name_conditions:
+      - type: processing_item_applied
+        processing_item_id: field_mapping_module_auditd
+    rule_conditions:
+      - type: logsource
+        service: auditd
+
+
+# Global filebeat index
+  - id: index_condition
+    type: add_condition
+    conditions:
+      index: filebeat
+    rule_conditions:
+      - type: logsource
+        service: auditd

elastic/ecs_1_winlogbeat.yml

@@ -0,0 +1,172 @@
+name: Mapping Winlogbeat ECS 1.x
+priority: 30
+transformations:
+
+  - id: field_mapping
+    type: field_name_mapping
+    mapping:
+      AccountDomain: user.domain
+      AccountName: user.name
+      Application: process.executable
+      Archived: sysmon.file.archived
+      Channel: winlog.channel
+      ClientAddress: source.ip
+      ClientName: source.domain
+      CommandName: powershell.command.name
+      CommandPath: powershell.command.path
+      CommandType: powershell.command.type
+      ComputerName: winlog.computer_name
+      CurrentDirectory: process.working_directory
+      DestAddress: destination.ip
+      Destination: process.executable
+      DestinationHostname: destination.domain
+      DestinationIp: destination.ip
+      DestinationPort: destination.port
+      DestinationPortName: network.protocol
+      DestPort: destination.port
+      Device: file.path
+      FileName: file.path
+      HostApplication: process.command_line
+      HostId: process.entity_id
+      HostName: process.title
+      Image: process.executable
+      ImageLoaded: file.path
+      IpAddress: source.ip
+      IpPort: source.port
+      IsExecutable: sysmon.file.is_executable
+      MessageNumber: powershell.sequence
+      MessageTotal: powershell.total
+      NewEngineState: powershell.engine.new_state
+      NewProcessId: process.pid
+      NewProcessName: process.executable
+      NewProviderState: powershell.provider.new_state
+      ParentCommandLine: process.parent.command_line
+      ParentImage: process.parent.executable
+      ParentProcessGuid: process.parent.entity_id
+      ParentProcessId: process.parent.pid
+      ParentProcessName: process.parent.name
+      PipelineId: powershell.pipeline_id
+      PipeName: file.name
+      PreviousEngineState: powershell.engine.previous_state
+      ProcessGuid: process.entity_id
+      ProcessId: process.pid
+      ProcessName: process.executable
+      Provider_Name: winlog.provider_name
+      ProviderName: powershell.provider.name
+      QueryName: dns.question.name
+      QueryStatus: sysmon.dns.status
+      RunspaceId: powershell.runspace_id
+      ScriptBlockId: powershell.file.script_block_id
+      ScriptBlockText: powershell.file.script_block_text
+      ScriptName: file.path
+      SequenceNumber: event.sequence
+      SignatureStatus: file.code_signature.status
+      Signed: file.code_signature.signed
+      SourceAddress: source.ip
+      SourceHostname: source.domain
+      SourceImage: process.executable
+      SourceIp: source.ip
+      SourcePort: source.port
+      SourceProcessGuid: process.entity_id
+      SourceProcessId: process.pid
+      SourceThreadId: process.thread.id
+      TargetDomainName: user.domain
+      TargetFilename: file.path
+      TargetObject: registry.path
+      WorkstationName: source.domain
+
+  - id: field_mapping_driver_loaded
+    type: field_name_mapping
+    mapping:
+      Signature: file.code_signature.subject_name
+    rule_conditions:
+      - type: logsource
+        category: driver_loaded
+
+  - id: field_mapping_image_load
+    type: field_name_mapping
+    mapping:
+      FileVersion: file.pe.file_version
+      Description: file.pe.description
+      Company: file.pe.company
+      Product: file.pe.product
+      OriginalFileName: file.pe.original_file_name
+      Signature: file.code_signature.subject_name
+    rule_conditions:
+      - type: logsource
+        category: image_load
+
+  - id: field_mapping_network_connection
+    type: field_name_mapping
+    mapping:
+      Protocol: network.transport
+      Initiated: network.direction
+    rule_conditions:
+      - type: logsource
+        category: network_connection
+
+  - id: field_mapping_powershell_classic
+    type: field_name_mapping
+    mapping:
+      CommandLine: powershell.command.value
+      EngineVersion: powershell.engine.version
+      HostVersion: powershell.process.executable_version
+    rule_conditions:
+      - type: logsource
+        service: powershell-classic
+
+  - id: field_mapping_process_creation
+    type: field_name_mapping
+    mapping:
+      FileVersion: process.pe.file_version
+      Description: process.pe.description
+      Product: process.pe.product
+      Company: process.pe.company
+      OriginalFileName: process.pe.original_file_name
+      CommandLine: process.command_line
+    rule_conditions:
+      - type: logsource
+        category: process_creation
+
+  - id: field_mapping_security
+    type: field_name_mapping
+    mapping:
+      CommandLine: process.command_line
+      SubjectLogonId: winlog.logon.id
+      ServiceName: service.name
+      SubjectDomainName: user.domain
+      SubjectUserName: user.name
+      SubjectUserSid: user.id
+      TargetLogonId: winlog.logon.id
+    rule_conditions:
+      - type: logsource
+        service: security
+
+  - id: windows_field_prefix
+    type: field_name_prefix
+    prefix: "winlog.event_data."
+    field_name_cond_not: true
+    field_name_cond_op: or
+    field_name_conditions:
+      - type: processing_item_applied
+        processing_item_id: field_mapping
+      - type: processing_item_applied
+        processing_item_id: field_mapping_driver_loaded
+      - type: processing_item_applied
+        processing_item_id: field_mapping_image_load
+      - type: processing_item_applied
+        processing_item_id: field_mapping_network_connection
+      - type: processing_item_applied
+        processing_item_id: field_mapping_powershell_classic
+      - type: processing_item_applied
+        processing_item_id: field_mapping_process_creation
+      - type: processing_item_applied
+        processing_item_id: field_mapping_security       
+
+  - id: index_condition
+    type: add_condition
+    conditions:
+      index: winlogbeat
+    rule_conditions:
+      - type: logsource
+        product: windows

misc/field_mapping.yml

@@ -0,0 +1,43 @@
+name: Fixing the field naming mess
+priority: 30
+transformations:
+- id: image_fail_path
+  type: detection_item_failure
+  message: Image must only contain file name without any further path components.
+  field_name_conditions:
+  - type: include_fields
+    fields:
+    - Image
+  detection_item_conditions:
+  - type: match_string
+    cond: any
+    pattern: "^\\*\\\\?[^\\\\]+$"
+    negate: true
+- id: image_file_only
+  type: replace_string
+  regex: "^\\*\\\\([^\\\\]+)$"
+  replacement: "\\1"
+  field_name_conditions:
+  - type: include_fields
+    fields:
+    - Image
+- id: field_mapping
+  type: field_name_mapping
+  mapping:
+    EventID:
+    - event_id
+    - evtid
+- id: windows_field_prefix
+  type: field_name_prefix
+  prefix: "win."
+  field_name_cond_not: true
+  field_name_conditions:
+  - type: processing_item_applied
+    processing_item_id: field_mapping
+- id: index_condition
+  type: add_condition
+  conditions:
+    index: windows
+  rule_conditions:
+  - type: logsource
+    product: windows

misc/placeholders.yml

@@ -0,0 +1,18 @@
+name: Placeholder example
+priority: 10
+allowed_backends:
+- splunk
+transformations:
+- id: value_placeholders
+  type: value_placeholders
+  include:
+  - client
+- id: generic_query_excpression_placeholders
+  type: query_expression_placeholders
+  include:
+  - client_operations
+  expression: "[ inputlookup {id} | rename dest as {field} ]"
+vars:
+  client:
+  - "DESKTOP-*"
+  - "NOTEBOOK-*"

misc/processing.yml

@@ -0,0 +1,43 @@
+name: Fixing the field naming mess
+priority: 30
+transformations:
+- id: image_fail_path
+  type: detection_item_failure
+  message: Image must only contain file name without any further path components.
+  field_name_conditions:
+  - type: include_fields
+    fields:
+    - Image
+  detection_item_conditions:
+  - type: match_string
+    cond: any
+    pattern: "^\\*\\\\?[^\\\\]+$"
+    negate: true
+- id: image_file_only
+  type: replace_string
+  regex: "^\\*\\\\([^\\\\]+)$"
+  replacement: "\\1"
+  field_name_conditions:
+  - type: include_fields
+    fields:
+    - Image
+- id: field_mapping
+  type: field_name_mapping
+  mapping:
+    EventID:
+    - event_id
+    - evtid
+- id: windows_field_prefix
+  type: field_name_prefix
+  prefix: "win."
+  field_name_cond_not: true
+  field_name_conditions:
+  - type: processing_item_applied
+    processing_item_id: field_mapping
+- id: index_condition
+  type: add_condition
+  conditions:
+    index: windows
+  rule_conditions:
+  - type: logsource
+    product: windows