From e36f06491e7d169bb0c0426f6aca5ef9853869a9 Mon Sep 17 00:00:00 2001
From: m4dh4t
Date: Fri, 18 Oct 2024 16:59:05 +0200
Subject: [PATCH 1/2] Fix: TextQueryBackend chained correlation rules
---
 sigma/conversion/base.py | 6 ++-
 tests/test_conversion_correlations.py | 67 +++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/sigma/conversion/base.py b/sigma/conversion/base.py
index b30038c..474eaf7 100644
--- a/sigma/conversion/base.py
+++ b/sigma/conversion/base.py
@@ -1689,7 +1689,11 @@ def convert_correlation_search(
 ),
 )
 for rule_reference in rule.rules
- for query in rule_reference.rule.get_conversion_result()
+ for query in (
+ rule_reference.rule.get_conversion_result()
+ if not isinstance(rule_reference.rule, SigmaCorrelationRule)
+ else self.convert_correlation_rule(rule_reference.rule)
+ )
 )
 ),
 **kwargs,
diff --git a/tests/test_conversion_correlations.py b/tests/test_conversion_correlations.py
index 28bfdc7..03b9c52 100644
--- a/tests/test_conversion_correlations.py
+++ b/tests/test_conversion_correlations.py
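Review bot: In the new `else` branch a referenced `SigmaCorrelationRule` is re-converted through `self.convert_correlation_rule(...)` on every conversion of the outer rule, while the other branch reuses `get_conversion_result()`; presumably the nested rule has already been converted once by the collection pass (the new test expects its query as a standalone result as well), so this duplicates work and, for a chain of depth k, converts the innermost rule about k times. The recursion also has no depth or visited-set guard, so a collection in which correlation rules reference each other in a cycle would recurse until `RecursionError` unless reference resolution rejects cycles earlier — I could not confirm that from the hunk. If re-conversion is intentional, a comment on the `else` line would help, e.g. `# nested correlation rules are converted again here rather than reusing a stored result; references are assumed acyclic`; otherwise consider reusing the stored result when one is present. `convert_correlation_search` begins and ends outside the hunk.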
@@ -342,6 +342,73 @@ def test_correlation_generate_rule(test_backend):
 ]
+def test_correlation_generate_chained_rule(test_backend):
+ rule_collection = SigmaCollection.from_yaml(
+ """
+title: Successful login
+name: successful_login
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 528
+ - 4624
+ condition: selection
+---
+title: Single failed login
+name: failed_login
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 529
+ - 4625
+ condition: selection
+---
+title: Multiple failed logons
+name: multiple_failed_login
+correlation:
+ type: event_count
+ rules:
+ - failed_login
+ generate: true
+ group-by:
+ - User
+ timespan: 10m
+ condition:
+ gte: 10
+---
+title: Multiple Failed Logins Followed by Successful Login
+status: test
+correlation:
+ type: temporal_ordered
+ rules:
+ - multiple_failed_login
+ - successful_login
+ generate: true
+ group-by:
+ - User
+ timespan: 10m
+ """
+ )
+
+ assert test_backend.convert(rule_collection) == [
+ """EventID in (528, 4624)""",
+ """EventID in (529, 4625)""",
+ """EventID in (529, 4625)
+| aggregate window=10min count() as event_count by User
+| where event_count >= 10""",
+ """subsearch { EventID in (529, 4625)\n| aggregate window=10min count() as event_count by User\n| where event_count >= 10 | set event_type="multiple_failed_login" }
+subsearch { EventID in (528, 4624) | set event_type="successful_login" }
+| temporal ordered=true window=10min eventtypes=multiple_failed_login,successful_login by User
+| where eventtype_count >= 2 and eventtype_order=multiple_failed_login,successful_login""",
+ ]
+
+
 def test_correlation_not_supported(monkeypatch, test_backend, event_count_correlation_rule):
 monkeypatch.setattr(test_backend, "correlation_methods", None)
 with pytest.raises(NotImplementedError, match="Backend does not support correlation"):
From 0711cc6317c5d57d2ff315fdeed0adbc6d48a033 Mon Sep 17 00:00:00 2001
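Review bot: The fourth expected query mixes real line breaks with `\n` escapes inside one triple-quoted literal (the embedded subsearch for `multiple_failed_login`), so the expected output no longer reads like the backend's query; the third element shows the consistent form, real newlines throughout, and the escapes can be written the same way since they encode the same bytes. The chained case covers only a generated inner rule; a nested correlation rule with `generate: false`, and a chain that references itself, are not exercised, so the behaviour of the new `convert_correlation_rule` branch in those cases is only inferred. `test_correlation_generate_chained_rule` lies entirely inside the hunk.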
From: Thomas Patzke
Date: Sun, 20 Oct 2024 09:41:56 +0200
Subject: [PATCH 2/2] Bump MacOS test environment to 14
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c773d0b..68ef9aa 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
 test:
 strategy:
 matrix:
- os: ["ubuntu-20.04", "windows-2019", "macos-12"]
+ os: ["ubuntu-20.04", "windows-2019", "macos-14"]
 python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
 runs-on: ${{ matrix.os }}
 steps: