Wrong network direction values #57

cospirho · 2024-04-18T18:40:23Z

The default winlogbeat sysmon pipeline values for the network direction are changed from true/false to egress/ingress, and winlog.event_data.Initiated is removed (changed to network.direction). This backend will output the values of true/false

detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
        DestinationPort:
            - 80
            - 443

I'm not sure what the best way to handle this would be....also not 100% sure if it's an issue with this repo, the rules, both, or neither. I didn't see 'Initiated' anywhere in the sigma rule taxonomy specification.

andurin · 2024-10-17T08:29:36Z

@cospirho If I understood you correctly you would like to see a transformation like:

# Initiated: true 
network.direction: 'egress'

or

# Initiated: false
network.direction: 'ingress'

?

andurin · 2024-10-17T08:31:03Z

@thomaspatzke Would this be possible in the pipeline? A value determined conditional?

cospirho · 2024-10-17T13:32:38Z

@cospirho If I understood you correctly you would like to see a transformation like:
# Initiated: true 
network.direction: 'egress'
?

Yes that's right, like network.direction:egress instead of network.direction:true. Thank you for looking in to it.

cospirho changed the title ~~Fix network direction~~ Wrong network direction values Apr 18, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wrong network direction values #57

Wrong network direction values #57

cospirho commented Apr 18, 2024 •

edited

Loading

andurin commented Oct 17, 2024

andurin commented Oct 17, 2024

cospirho commented Oct 17, 2024

Wrong network direction values #57

Wrong network direction values #57

Comments

cospirho commented Apr 18, 2024 • edited Loading

andurin commented Oct 17, 2024

andurin commented Oct 17, 2024

cospirho commented Oct 17, 2024

cospirho commented Apr 18, 2024 •

edited

Loading