This PR adds a Linux pipeline for converting Sigma rules targeting Linux/auditd logs into Logpoint queries. This was split out from #27 per feedback to keep separation of concerns, now that #28 (pySigma v1.0.0 upgrade) has been merged (and many more enhancements of course). As this is touching only a fraction of volume, I'll be working on expanding logic and mapping to more sources!
New Features
- logpoint_linux_pipeline with support for:
  - Linux auditd field mappings (type, proctitle, auid, exe, comm, etc.)
  - Generic Linux taxonomy (Image, CommandLine, ParentImage, etc.)
  - Snake_case conversion for unmapped fields
Files Changed
| File | Change |
|---|---|
| sigma/pipelines/logpoint/linux.py | new Linux pipeline module |
| sigma/pipelines/logpoint/logpoint_mapping.py | added logpoint_linux_auditd_mapping and logpoint_linux_common_taxonomy |
| sigma/pipelines/logpoint/__init__.py | registered logpoint_linux pipeline |
| tests/test_pipelines_linux.py | tests for auditd mapping, generic taxonomy, and snake_case |
Testing
All existing tests pass + three new tests added:
- test_logpoint_linux_auditd, which validates auditd field mapping
- test_logpoint_linux_generic, which validates generic Linux taxonomy
- test_logpoint_linux_snake_case, which validates snake_case fallback for unmapped fields
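As an added illustration (not code from this PR or from the project's own pipeline module), the following standalone Python sketches the three field-resolution stages the description lists: explicit auditd mapping first, then the generic Linux taxonomy, then a snake_case fallback for anything unmapped, applied to a Sigma-style selection with `contains`/`startswith`/`endswith` modifiers. The mapping values, the sample selection, the wildcard handling and the `field="value"` query rendering are constructed assumptions for illustration, not the PR's actual tables or Logpoint's exact syntax; it deliberately does not import pySigma, so it runs without that library installed.

```python
"""Stand-in for the Sigma -> Logpoint field-mapping stage described in the PR.
Added example; the tables and query syntax below are constructed assumptions."""
import re

# Constructed placeholder tables (NOT the PR's real mapping values, which are
# not reproduced on the page). Stage 1: raw auditd field names.
LOGPOINT_LINUX_AUDITD_MAPPING = {
    "type": "event_type",       # assumption
    "proctitle": "proctitle",
    "auid": "audit_user_id",    # assumption
    "exe": "exe",
    "comm": "comm",
}
# Stage 2: generic Sigma Linux taxonomy onto auditd-style names (assumed).
LOGPOINT_LINUX_COMMON_TAXONOMY = {
    "Image": "exe",
    "CommandLine": "proctitle",
    "ParentImage": "parent_exe",
}

# Stage 3 helper: CamelCase -> snake_case that keeps acronyms intact
# ("TargetUserSID" -> "target_user_sid", "HTTPRequest" -> "http_request").
_ACRONYM_RE = re.compile(r"([A-Z]+)([A-Z][a-z])")
_BOUNDARY_RE = re.compile(r"([a-z0-9])([A-Z])")


def to_snake_case(name: str) -> str:
    s = _ACRONYM_RE.sub(r"\1_\2", name)
    s = _BOUNDARY_RE.sub(r"\1_\2", s)
    return s.lower()


def map_field(field: str) -> str:
    """Resolve a Sigma field: auditd mapping, then taxonomy, then snake_case."""
    if field in LOGPOINT_LINUX_AUDITD_MAPPING:
        return LOGPOINT_LINUX_AUDITD_MAPPING[field]
    if field in LOGPOINT_LINUX_COMMON_TAXONOMY:
        return LOGPOINT_LINUX_COMMON_TAXONOMY[field]
    return to_snake_case(field)


# Sigma value modifiers rendered as leading/trailing wildcards (assumed syntax).
_MODIFIER_WILDCARDS = {
    None: ("", ""),
    "contains": ("*", "*"),
    "startswith": ("", "*"),
    "endswith": ("*", ""),
}


def _render_value(value, modifier) -> str:
    prefix, suffix = _MODIFIER_WILDCARDS[modifier]
    escaped = str(value).replace('"', '\\"')  # keep quotes inside values literal
    return f'"{prefix}{escaped}{suffix}"'


def convert_selection(selection: dict) -> str:
    """Render one Sigma selection as space-joined (AND) field="value" clauses;
    list values become an OR group. Unknown modifiers are rejected, not ignored,
    so a rule never silently loses a constraint."""
    clauses = []
    for raw_field, value in selection.items():
        field, _, modifier = raw_field.partition("|")
        modifier = modifier or None
        if modifier not in _MODIFIER_WILDCARDS:
            raise ValueError(f"unsupported modifier: {modifier}")
        lp_field = map_field(field)
        values = value if isinstance(value, list) else [value]
        rendered = [f"{lp_field}={_render_value(v, modifier)}" for v in values]
        clauses.append(rendered[0] if len(rendered) == 1
                       else "(" + " OR ".join(rendered) + ")")
    return " ".join(clauses)


# Constructed Sigma-style selection exercising all three stages.
SAMPLE_SELECTION = {
    "type": "EXECVE",                      # auditd mapping
    "Image|endswith": ["/curl", "/wget"],  # taxonomy + list + endswith
    "CommandLine|contains": "http",        # taxonomy + contains
    "ParentImage": "/bin/bash",            # taxonomy, no modifier
    "SourceFilename": "/tmp/script.sh",    # unmapped -> snake_case fallback
}

if __name__ == "__main__":
    print(convert_selection(SAMPLE_SELECTION))
```

The resolution order matters: a field present in both tables must resolve the same way every time, and the explicit fallback means an unmapped Sigma field still produces a predictable Logpoint name rather than leaking a CamelCase identifier into the query, which is exactly what the PR's third test (test_logpoint_linux_snake_case) is meant to pin down.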
Hi @vl43den ,
Thank you for the contribution. We would love to have this pipeline introduced in our backend.
I have suggested a couple of taxonomy changes based on the actual knowledge base of the Logpoint System. Please change them accordingly. Feel free to correct the review if you have evidence otherwise.
And also update README.md file by adding new pipeline.
We would love to see gradual expansion of linux event logs as well.
@suryamajhi Hi, thank you for the detailed feedback! I have adapted all the mapping fields and the taxonomy according to your input. I also added the new linux pipeline to the README.md - as requested. If anything else pops into your mind or if any adjustments are needed, just let me know & we're going to fix it quickly!