Improving Sysmon config parsing

[MihhailSokolov]

Issues

1. Python code for merging sysmon configs only considers one RuleGroup
   For example, merging the following two configs would result in an incomplete output config:

<Sysmon schemaversion="4.90">
    <HashAlgorithms>sha256</HashAlgorithms>
    <CheckRevocation>False</CheckRevocation>
    <EventFiltering>
        <RuleGroup groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="is">C:\Windows\System32\cmd.exe</Image>
            </ProcessCreate>
        </RuleGroup>
        <RuleGroup groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="is">C:\Windows\SysWOW64\wscript.exe</Image>
            </ProcessCreate>
        </RuleGroup>
    </EventFiltering>
</Sysmon>

and

<Sysmon schemaversion="4.90">
    <HashAlgorithms>sha256</HashAlgorithms>
    <CheckRevocation>False</CheckRevocation>
    <EventFiltering>
        <RuleGroup groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
            </ProcessCreate>
        </RuleGroup>
    </EventFiltering>
</Sysmon>

would result in the following merge when using merge_sysmon_configs.py:

<Sysmon schemaversion="4.90">
    <HashAlgorithms>sha256</HashAlgorithms>
    <CheckRevocation>False</CheckRevocation>
    <EventFiltering>
       <RuleGroup groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="is">C:\Windows\System32\cmd.exe</Image>
            </ProcessCreate>
        </RuleGroup>
        <RuleGroup groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
            </ProcessCreate>
        </RuleGroup>
    </EventFiltering>
</Sysmon>

Note that it misses the rule that includes C:\Windows\SysWOW64\wscript.exe because the second rule group wasn't processed.
2) Both Python and PowerShell implementations for merging configs don't consider the case when rules are outside of the rule group.
The following config is also considered valid:

<Sysmon schemaversion="4.90">
    <HashAlgorithms>sha256</HashAlgorithms>
    <CheckRevocation>False</CheckRevocation>
    <EventFiltering>
        <ProcessCreate onmatch="include">
            <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
        </ProcessCreate>
    </EventFiltering>
</Sysmon>

Note that it doesn't have the RuleGroup - this is equivalent to having the rules inside <RuleGroup groupRelation="or">
When trying to merge with such config, the following error is thrown:

Desired result

In both cases, the final merged config should look like this (in my opinion):

<Sysmon schemaversion="4.90">
    <HashAlgorithms>sha256</HashAlgorithms>
    <CheckRevocation>False</CheckRevocation>
    <EventFiltering>
        <RuleGroup groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="is">C:\Windows\System32\cmd.exe</Image>
                <Image condition="is">C:\Windows\SysWOW64\wscript.exe</Image>
                <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
            </ProcessCreate>
        </RuleGroup>
    </EventFiltering>
</Sysmon>

Proposed solutions

1. Loop over all children of EventFiltering - 7bad2d9
2. Treat non-RuleGroup tags inside EventFiltering as rules - 6480a03 and 3735be9

Comment

Since there is no concrete specification for the Sysmon config, this way of merging is my interpretation of how it should be, however, I might be wrong, so I am open to different opinions :)