Improved DnsQuery event handling
thomaspatzke committed Mar 11, 2022
1 parent 03b6e5c commit 8256503
Showing 2 changed files with 51 additions and 9 deletions.
41 changes: 32 additions & 9 deletions sigma/pipelines/crowdstrike/crowdstrike.py
Expand Up @@ -73,15 +73,6 @@ def crowdstrike_fdr_pipeline():
logsource_windows_network_connection(),
]
),
ProcessingItem(
identifier="cs_network_connection_fieldmapping",
transformation=FieldMappingTransformation({
"QueryName": "DomainName",
}),
rule_conditions=[
logsource_windows_dns_query(),
]
),
ProcessingItem(
identifier="cs_network_connection_drop_initiated",
transformation=DropDetectionItemTransformation(),
Expand All @@ -104,6 +95,38 @@ def crowdstrike_fdr_pipeline():
]
),

# DNS Requests
ProcessingItem(
identifier="cs_dns_query_eventtype",
transformation=AddConditionTransformation({
"event_simpleName": "DnsRequest",
}),
rule_conditions=[
logsource_windows_dns_query(),
]
),
ProcessingItem(
identifier="cs_dns_query_fieldmapping",
transformation=FieldMappingTransformation({
"QueryName": "DomainName",
"QueryResults": "IP4Records",
}),
rule_conditions=[
logsource_windows_dns_query(),
]
),
ProcessingItem(
identifier="cs_dns_query_logsource",
transformation=ChangeLogsourceTransformation(
category="dns_query",
product="windows",
service="crowdstrike",
),
rule_conditions=[
logsource_windows_dns_query(),
]
),

# ParentBaseFileName handling
ProcessingItem(
identifier="cs_parentbasefilename_fail_completepath",
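Review bot: In the second hunk, `cs_dns_query_fieldmapping` maps `QueryResults` only to `IP4Records`, so a Sigma rule that matches on an IPv6 answer would be rewritten to a field that presumably never holds it and silently produce no hits. If the CrowdStrike DnsRequest event exposes a separate field for IPv6 records, the mapping value can be a list of both target fields, e.g. `"QueryResults": ["IP4Records", "<IPV6_RECORDS_FIELD>"],` (FieldMappingTransformation accepts a list of targets and emits an OR); otherwise a short comment noting that only A-record results are translated would save the next maintainer the same question. A comment on `cs_dns_query_logsource` stating why `service="crowdstrike"` is set would also help, as the reason is not visible in this hunk. The enclosing `crowdstrike_fdr_pipeline` starts and ends outside the hunk.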
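--- a/tests/test_processing_pipelines_crowdstrike.py
+++ b/tests/test_processing_pipelines_crowdstrike.py
@@ -86,6 +86,20 @@ def incoming_network_connection_sigma_rule():
 condition: sel
 """)
 
+@pytest.fixture
+def dns_query_sigma_rule():
+return SigmaCollection.from_yaml("""
+title: DNS Query Test
+status: test
+logsource:
+category: dns_query
+product: windows
+detection:
+sel:
+QueryName: test.invalid
+condition: sel
+""")
+
 def test_crowdstrike_pipeline(resolver : ProcessingPipelineResolver, process_creation_sigma_rule):
 pipeline = resolver.resolve_pipeline("crowdstrike")
 backend = TextQueryTestBackend(pipeline)
@@ -111,3 +125,8 @@ def test_crowdstrike_network_connect_incoming(resolver : ProcessingPipelineResol
 pipeline = resolver.resolve_pipeline("crowdstrike")
 backend = TextQueryTestBackend(pipeline)
 assert backend.convert(incoming_network_connection_sigma_rule) == ["event_simpleName=\"NetworkReceiveAcceptIP4\" and RemoteAddressIP4=\"1.2.3.4\""]
+
+def test_crowdstrike_dns_query(resolver : ProcessingPipelineResolver, dns_query_sigma_rule):
+pipeline = resolver.resolve_pipeline("crowdstrike")
+backend = TextQueryTestBackend(pipeline)
+assert backend.convert(dns_query_sigma_rule) == ["event_simpleName=\"DnsRequest\" and DomainName=\"test.invalid\""]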
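Review bot: `test_crowdstrike_dns_query` in the second hunk only exercises the `QueryName` mapping, so the `QueryResults` → `IP4Records` mapping and the logsource change that the same commit adds to the pipeline are not verified by any test. A second fixture whose detection uses `QueryResults: 1.2.3.4` with an assertion on `IP4Records=\"1.2.3.4\"` in the converted query would pin that mapping, and a check of the resulting rule's logsource would cover the `ChangeLogsourceTransformation`. A one-line docstring on `dns_query_sigma_rule` such as `"""Minimal dns_query rule used to exercise the CrowdStrike DnsRequest mapping."""` would match the purpose of the fixtures above it.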