Merge pull request #9 from SigmaHQ/fdr_updates

FDR pipeline updates
SigmaHQ · Jul 7, 2024 · 1d673ea · 1d673ea
2 parents 009f4b5 + 7e69f06
commit 1d673ea
Show file tree

Hide file tree

Showing 9 changed files with 1,344 additions and 1,399 deletions.
diff --git a/README.md b/README.md
@@ -6,29 +6,22 @@
 
 This is the CrowdStrike backend for pySigma. It provides the package `sigma.backends.crowdstrike` with the `LogScaleBackend` class.
 
-Further it contains the following processing pipelines:
-- `crowdstrike_fdr_pipeline` which was mainly written for the Falcon data Replicator data but Splunk queries should work in the legacy CrowdStrike Splunk
-- `crowdstrike_falcon_pipeline` which was written for data collected by the CrowdStrike Falcon Agent stored in CrowdStrike Logscale. It effectively translates rules to the CrowdStrike Query Language used by LogScale.
+Further it contains the following processing pipelines under `sigma.pipelines.crowdstrike`:
+- `crowdstrike_fdr_pipeline` which was mainly written for the Falcon Data Replicator data but Splunk queries should work in the legacy CrowdStrike Splunk. The pipeline can also be used with other backends in case you ingest Falcon data to a different SIEM.
+- `crowdstrike_falcon_pipeline` which was written for data collected by the CrowdStrike Falcon Agent stored natively in CrowdStrike Logscale. It effectively translates rules to the CrowdStrike Query Language used by LogScale. This is designed to be used with the `LogScaleBackend`. 
 
 ## Supported Rules
 ### Falcon Pipeline
-The following categories and products are supported by  the `crowdstrike_falcon_pipeline` pipeline:
+The following categories and products are supported by the pipelines:
 | category | product | CrowdStrike event_simpleName |
 |-|-|-|
-|`process_creation` | `windows`, `linux`| ProcessRollup2 |
+|`process_creation` | `windows`, `linux`| ProcessRollup2, SyntheticProcessRollup2 |
 |`network_connection` | `windows`| NetworkConnectIP4, NetworkReceiveAcceptIP4 |
 |`dns_query` | `windows`| DnsRequest |
 |`image_load` | `windows`| ClassifiedModuleLoad |
 |`driver_load` | `windows`| DriverLoad |
 |`ps_script` | `windows`| CommandHistory, ScriptControlScanTelemetry |
 
-### Falcon Data Replicator Pipeline
-The following categories and products are supported by  the `crowdstrike_fdr_pipeline` pipeline:
-| category | product | CrowdStrike event_simpleName |
-|-|-|-|
-|`process_creation` | `windows`| ProcessRollup2 |
-|`network_connection` | `windows`| NetworkConnectIP4, NetworkReceiveAcceptIP4 |
-
 There's likely more windows categories that can be supported by the pipelines; We will be adding support gradually as availability allows. 
 
 ## Limitations and caveats:
@@ -43,6 +36,9 @@ Falcon `dns_query` events return the IP records of a successful query in [semico
 - **Unsupported fields**:
 Falcon does not always capture the same fields as sysmon for the categories supported. In cases where the rule requires unsupported fields, the transformation fails.
 
+- **PS Script Logging**:
+There is not a clean equivelant between the events Falcon generates and PowerShell Script Logging. Our transformation is a best-effort approach that contains multiple fields that might contain the value in the field.
+
 ## References
 - [LogScale Community Content](https://github.com/CrowdStrike/logscale-community-content)
 

diff --git a/sigma/backends/crowdstrike/logscale.py b/sigma/backends/crowdstrike/logscale.py
@@ -251,15 +251,6 @@ def convert_condition_field_eq_val_cidr(
             state, cond.field, super().convert_condition_field_eq_val_cidr(cond, state)
         ).postprocess(None, cond)
 
-    def convert_condition_as_in_expression(
-        self, cond: ConditionOR, state: ConversionState
-    ) -> LogScaleDeferredInOperator:
-        return LogScaleDeferredInOperator(
-            state,
-            cond.args[0].field,
-            super().convert_condition_as_in_expression(cond, state),
-        ).postprocess(None, cond)
-
     def convert_condition_field_eq_val_str(
         self, cond: ConditionFieldEqualsValueExpression, state: ConversionState
     ) -> Union[str, DeferredQueryExpression]:
@@ -293,12 +284,6 @@ def convert_condition_field_eq_val_str(
             ):
                 expr = self.contains_expression
                 value = cond.value[1:-1]
-            elif (  # wildcard match expression: string contains wildcard
-                self.wildcard_match_expression is not None
-                and cond.value.contains_special()
-            ):
-                expr = self.wildcard_match_expression
-                value = cond.value
             else:
                 expr = self.re_exact_match
                 value = cond.value

diff --git a/sigma/pipelines/crowdstrike/__init__.py b/sigma/pipelines/crowdstrike/__init__.py
@@ -1,5 +1,5 @@
-from .crowdstrike_fdr import crowdstrike_fdr_pipeline
-from .crowdstrike_falcon import crowdstrike_falcon_pipeline
+from .crowdstrike import crowdstrike_fdr_pipeline
+from .crowdstrike import crowdstrike_falcon_pipeline
 
 pipelines = {
     "crowdstrike_fdr": crowdstrike_fdr_pipeline,