Merge pull request SigmaHQ#2238 from frack113/fix_logsource

Fix logsource
cyb3rplis · Nov 10, 2021 · a089a83 · a089a83
2 parents ca17949 + 6c19303
commit a089a83
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 7 deletions.
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
     product: windows
-    service: Microsoft-ServiceBus-Client
+    service: microsoft-servicebus-client
 detection:
     selection:
         EventID:

diff --git a/...mand_execution_by_office_applications.yml → ...mand_execution_by_office_applications.yml b/...mand_execution_by_office_applications.yml → ...mand_execution_by_office_applications.yml
@@ -1,4 +1,4 @@
-title: WMI Command Execution by Office Applications
+title: EDR WMI Command Execution by Office Applications
 id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
 references:
@@ -13,9 +13,10 @@ tags:
     - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/09
 logsource:
-  product: EndPoint Detection Logs
-  category: process_creation
+  product: windows
+  category: edr
 detection:
   #useful_information: Add more office applications to the rule logic of choice
   selection1:

diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml
@@ -9,8 +9,8 @@ references:
     - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
     - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs
 logsource:
-    category: ldap_query
     product: windows
+    service: ldap_debug
     definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging'
 detection:
     generic_search:

diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml
@@ -5,7 +5,7 @@ related:
       type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/09/21
+modified: 2021/11/09
 author: Ján Trenčanský, frack113
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -17,7 +17,7 @@ tags:
     - attack.t1562.001
 logsource:
     product: windows
-    category: system
+    service: system
 detection:
     selection3:
         EventID: 7036

diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
@@ -100,6 +100,11 @@ logsources:
     service: msexchange-management
     conditions:
       winlog.channel: 'MSExchange Management'
+  microsoft-servicebus-client:
+    product: windows
+    service: microsoft-servicebus-client
+    conditions:
+      winlog.channel: 'Microsoft-ServiceBus-Client'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'