
Commit 3428248

authored
* changed windows sample rule and query construction (#746)
* remove wildcard * changed wildcardtest * fixed wildcards * fixed wildcard query test * fixed correlation engine tests * fixed query backend tests * clean up * added two integration tests --------- Signed-off-by: Joanne Wang <[email protected]>
1 parent 5d9c869 commit 3428248


5 files changed

+450
-22
lines changed


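--- a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
+++ b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
@@ -132,10 +132,10 @@ public OSQueryBackend(String ruleCategory, boolean collectErrors, boolean enable
 this.reExpression = "%s: /%s/";
 this.cidrExpression = "%s: \"%s\"";
 this.fieldNullExpression = "%s: null";
-this.unboundValueStrExpression = "%s: \"%s\"";
-this.unboundValueNumExpression = "%s: %s";
-this.unboundWildcardExpression = "%s: %s";
-this.unboundReExpression = "%s: /%s/";
+this.unboundValueStrExpression = "\"%s\"";
+this.unboundValueNumExpression = "\"%s\"";
+this.unboundWildcardExpression = "%s";
+this.unboundReExpression = "/%s/";
 this.compareOpExpression = "\"%s\" \"%s\" %s";
 this.valExpCount = 0;
 this.aggQuery = "{\"%s\":{\"terms\":{\"field\":\"%s\"},\"aggs\":{\"%s\":{\"%s\":{\"field\":\"%s\"}}}}}";
@@ -332,28 +332,18 @@ public Object convertConditionFieldEqValQueryExpr(ConditionFieldEqualsValueExpre
 @Override
 public Object convertConditionValStr(ConditionValueExpression condition) throws SigmaValueError {
 SigmaString value = (SigmaString) condition.getValue();
-
-String field = getFinalValueField();
-ruleQueryFields.put(field, Map.of("type", "text", "analyzer", "rule_analyzer"));
 boolean containsWildcard = value.containsWildcard();
-return String.format(Locale.getDefault(), (containsWildcard? this.unboundWildcardExpression: this.unboundValueStrExpression), field, this.convertValueStr((SigmaString) condition.getValue()));
+return String.format(Locale.getDefault(), (containsWildcard? this.unboundWildcardExpression: this.unboundValueStrExpression), this.convertValueStr((SigmaString) condition.getValue()));
 }
 
 @Override
 public Object convertConditionValNum(ConditionValueExpression condition) {
-String field = getFinalValueField();
-
-SigmaNumber number = (SigmaNumber) condition.getValue();
-ruleQueryFields.put(field, number.getNumOpt().isLeft()? Collections.singletonMap("type", "integer"): Collections.singletonMap("type", "float"));
-
-return String.format(Locale.getDefault(), this.unboundValueNumExpression, field, condition.getValue().toString());
+return String.format(Locale.getDefault(), this.unboundValueNumExpression, condition.getValue().toString());
 }
 
 @Override
 public Object convertConditionValRe(ConditionValueExpression condition) {
-String field = getFinalValueField();
-ruleQueryFields.put(field, Map.of("type", "text", "analyzer", "rule_analyzer"));
-return String.format(Locale.getDefault(), this.unboundReExpression, field, convertValueRe((SigmaRegularExpression) condition.getValue()));
+return String.format(Locale.getDefault(), this.unboundReExpression, convertValueRe((SigmaRegularExpression) condition.getValue()));
 }
 
 // TODO: below methods will be supported when Sigma Expand Modifier is supported.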
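Review bot: With the field prefix gone from `unboundWildcardExpression` (`%s`, line 137), `convertConditionValStr` now emits a wildcard keyword into the query_string unquoted, so any query_string operator inside a rule's keyword (`:`, `AND`, `OR`, parentheses, `/`) is parsed as syntax rather than matched as text unless `convertValueStr` escapes it — worth confirming, since Sigma rules are operator-supplied input to the search layer and an unescaped keyword can silently widen a detection. Field-less terms are also evaluated against every default field, so a string keyword hitting a date/numeric-only mapping such as the new `windowsIndexMappingOnlyNumericAndDate` fixture only returns no hits instead of failing the shard when the query_string is built with `lenient: true`; if that is not already set where these strings are assembled, it should be. Minor: on line 336 `this.convertValueStr((SigmaString) condition.getValue())` re-casts a value that `value` on line 334 already holds; `this.convertValueStr(value)` reads better. A comment above line 135 such as `// unbound (keyword) terms carry no field; query_string resolves them against the default fields` would record the intent, and `unboundValueNumExpression` now quotes the number, which its name no longer suggests.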

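--- a/src/main/resources/rules/test_windows/win_sample_rule.yml
+++ b/src/main/resources/rules/test_windows/win_sample_rule.yml
@@ -19,6 +19,8 @@ detection:
 EventID: 22
 Message|contains: 'C:\\Program Files\\nxlog\\nxlog.exe'
 HostName|startswith: 'EC2AMAZ'
-condition: selection
+keywords:
+- "NT AUTHORITY"
+condition: selection or keywords
 falsepositives:
 - Unknown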
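Review bot: The new `keywords` entry makes `"NT AUTHORITY"` an unbound term, and with `condition: selection or keywords` the rule fires whenever that string appears in any field of a document — on Windows event logs that covers the `NT AUTHORITY\SYSTEM` / `LOCAL SERVICE` / `NETWORK SERVICE` accounts present in a large share of events, so the EventID 22 / nxlog.exe selection is effectively bypassed. If this is a fixture meant to exercise keyword handling, say so in the rule, e.g. `# keywords branch exercises unbound (field-less) search; expect broad matches` above `keywords:`; if it is meant as a real detection, the keyword should be ANDed with the selection or replaced by a field-bound match on the account field. Note that the file lives under `src/main/resources/rules`, so it is packaged with the plugin rather than kept in test scope, unless the `test_windows` category is excluded from the shipped rule set — worth verifying.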

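--- a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
+++ b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
@@ -168,6 +168,100 @@ public static String randomRule() {
 "level: high";
 }
 
+public static String randomRuleWithKeywords() {
+return "title: Remote Encrypting File System Abuse\n" +
+"id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
+"description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\n" +
+"references:\n" +
+" - https://attack.mitre.org/tactics/TA0008/\n" +
+" - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n" +
+" - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md\n" +
+" - https://github.com/zeronetworks/rpcfirewall\n" +
+" - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/\n" +
+"tags:\n" +
+" - attack.defense_evasion\n" +
+"status: experimental\n" +
+"author: Sagie Dulce, Dekel Paz\n" +
+"date: 2022/01/01\n" +
+"modified: 2022/01/01\n" +
+"logsource:\n" +
+" product: rpc_firewall\n" +
+" category: application\n" +
+" definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" +
+"detection:\n" +
+" selection:\n" +
+" EventID: 21\n" +
+" keywords:\n" +
+" - 1996\n" +
+" - EC2AMAZ*\n" +
+" condition: selection or keywords\n" +
+"falsepositives:\n" +
+" - Legitimate usage of remote file encryption\n" +
+"level: high";
+}
+
+public static String randomRuleWithStringKeywords() {
+return "title: Remote Encrypting File System Abuse\n" +
+"id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
+"description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\n" +
+"references:\n" +
+" - https://attack.mitre.org/tactics/TA0008/\n" +
+" - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n" +
+" - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md\n" +
+" - https://github.com/zeronetworks/rpcfirewall\n" +
+" - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/\n" +
+"tags:\n" +
+" - attack.defense_evasion\n" +
+"status: experimental\n" +
+"author: Sagie Dulce, Dekel Paz\n" +
+"date: 2022/01/01\n" +
+"modified: 2022/01/01\n" +
+"logsource:\n" +
+" product: rpc_firewall\n" +
+" category: application\n" +
+" definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" +
+"detection:\n" +
+" selection:\n" +
+" EventID: 21\n" +
+" keywords:\n" +
+" - \"INFO\"\n" +
+" condition: selection or keywords\n" +
+"falsepositives:\n" +
+" - Legitimate usage of remote file encryption\n" +
+"level: high";
+}
+
+public static String randomRuleWithDateKeywords() {
+return "title: Remote Encrypting File System Abuse\n" +
+"id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
+"description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\n" +
+"references:\n" +
+" - https://attack.mitre.org/tactics/TA0008/\n" +
+" - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n" +
+" - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md\n" +
+" - https://github.com/zeronetworks/rpcfirewall\n" +
+" - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/\n" +
+"tags:\n" +
+" - attack.defense_evasion\n" +
+"status: experimental\n" +
+"author: Sagie Dulce, Dekel Paz\n" +
+"date: 2022/01/01\n" +
+"modified: 2022/01/01\n" +
+"logsource:\n" +
+" product: rpc_firewall\n" +
+" category: application\n" +
+" definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" +
+"detection:\n" +
+" selection:\n" +
+" EventID: 21\n" +
+" keywords:\n" +
+" - \"2020-02-04T14:59:39.343541+00:00\"\n" +
+" condition: selection or keywords\n" +
+"falsepositives:\n" +
+" - Legitimate usage of remote file encryption\n" +
+"level: high";
+}
+
 public static String countAggregationTestRule() {
 return " title: Test\n" +
 " id: 39f919f3-980b-4e6f-a975-8af7e507ef2b\n" +
@@ -1156,6 +1250,48 @@ public static String windowsIndexMapping() {
 " }";
 }
 
+public static String windowsIndexMappingOnlyNumericAndDate() {
+return "\"properties\": {\n" +
+" \"@timestamp\": {\"type\":\"date\"},\n" +
+" \"EventTime\": {\n" +
+" \"type\": \"date\"\n" +
+" },\n" +
+" \"ExecutionProcessID\": {\n" +
+" \"type\": \"long\"\n" +
+" },\n" +
+" \"ExecutionThreadID\": {\n" +
+" \"type\": \"integer\"\n" +
+" },\n" +
+" \"EventID\": {\n" +
+" \"type\": \"integer\"\n" +
+" },\n" +
+" \"TaskValue\": {\n" +
+" \"type\": \"integer\"\n" +
+" }\n" +
+" }";
+}
+
+public static String windowsIndexMappingOnlyNumericAndText() {
+return "\"properties\": {\n" +
+" \"TaskName\": {\n" +
+" \"type\": \"text\"\n" +
+" },\n" +
+" \"ExecutionProcessID\": {\n" +
+" \"type\": \"long\"\n" +
+" },\n" +
+" \"ExecutionThreadID\": {\n" +
+" \"type\": \"integer\"\n" +
+" },\n" +
+" \"EventID\": {\n" +
+" \"type\": \"integer\"\n" +
+" },\n" +
+" \"TaskValue\": {\n" +
+" \"type\": \"integer\"\n" +
+" }\n" +
+" }";
+}
+
+
 public static String randomDoc(int severity, int version, String opCode) {
 String doc = "{\n" +
 "\"EventTime\":\"2020-02-04T14:59:39.343541+00:00\",\n" +
@@ -1195,6 +1331,28 @@ public static String randomDoc(int severity, int version, String opCode) {
 
 }
 
+public static String randomDocOnlyNumericAndDate(int severity, int version, String opCode) {
+String doc = "{\n" +
+"\"EventTime\":\"2020-02-04T14:59:39.343541+00:00\",\n" +
+"\"ExecutionProcessID\":2001,\n" +
+"\"ExecutionThreadID\":2616,\n" +
+"\"EventID\": 1234,\n" +
+"\"TaskValue\":22\n" +
+"}";
+return String.format(Locale.ROOT, doc, severity, version, opCode);
+}
+
+public static String randomDocOnlyNumericAndText(int severity, int version, String opCode) {
+String doc = "{\n" +
+"\"TaskName\":\"SYSTEM\",\n" +
+"\"ExecutionProcessID\":2001,\n" +
+"\"ExecutionThreadID\":2616,\n" +
+"\"EventID\": 1234,\n" +
+"\"TaskValue\":22\n" +
+"}";
+return String.format(Locale.ROOT, doc, severity, version, opCode);
+}
+
 public static String randomDoc() {
 return "{\n" +
 "\"EventTime\":\"2020-02-04T14:59:39.343541+00:00\",\n" +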
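Review bot: `randomDocOnlyNumericAndDate` and `randomDocOnlyNumericAndText` (lines 1334-1355) take `severity`, `version` and `opCode`, but their JSON templates contain no `%` specifiers, so `String.format` silently discards all three arguments and every caller gets the same document regardless of what it passes — a test that varies severity to prove a detection distinguishes cases would pass on identical fixtures. Either drop the unused parameters or interpolate them the way `randomDoc(int, int, String)` above appears to, and keep in mind that any `%` later added to the template will make `String.format` throw. The three `randomRuleWith*Keywords` helpers (171-263) all reuse id `5f92fff9-82e2-48eb-8fc1-8b133556a551`; if a test ever indexes more than one of them into the same rule index the ids collide, so giving each fixture its own UUID is cheaper than debugging that later. A one-line Javadoc on each new helper naming the field types the fixture deliberately omits, e.g. `/** Mapping with no text fields: exercises unbound keywords against a date/numeric-only index. */`, would make the integration tests' intent readable without opening the commit.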

