Failed to detect JSONL log

[tpseers]

This is my JSON log from sandbox detonation:

{ "EventID": "11", "ProcessId": "3548", "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "ProcessGuid": "{C784478D-BE7B-63C5-0506-000000004800}", "CreationUtcTime": "1673903762", "UtcTime": "1673903762", "RuleName": "-", "TargetFilename": "C:\\Users\\tester\\AppData\\Roaming\\auu.vbs" }

and here is the converted JSONL version (using https://www.convertjson.com/json-to-jsonlines.htm): test_jsonl.json

{"EventID":"11","ProcessId":"3548","Image":"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","ProcessGuid":"{C784478D-BE7B-63C5-0506-000000004800}","CreationUtcTime":"1673903762","UtcTime":"1673903762","RuleName":"-","TargetFilename":"C:\\Users\\tester\\AppData\\Roaming\\auu.vbs"}

And this is my Sigma rule (test_rule.json) which should trigger the event, but it failed:

"title": "Test - CVE-2017-11882 exploit", "status": "experimental", "description": "File dropped by EQ32 (CVE-2017-11882)", "author": "test user", "date": "2021-10-29T00:00:00.000Z", "id": 2, "threatname": null, "behaviorgroup": 5, "classification": 3, "logsource": { "service": "sysmon", "product": "windows" }, "detection": { "selection": { "EventID": 11, "Image": "*\\EQUATION\\EQNEDT32.EXE*", "TargetFilename": [ "*\\\\*.vbs*" ] }, "condition": "selection" }, "level": "critical" }

This is the test command I used:
python zircolite.py --events log/test_jsonl.json --ruleset rules/test_rule.json --jsononly

Did I miss anything? Thanks!

[wagga40]

Hello,

I think this is because your rule is just a yaml to json conversion. It seems it has not been converted to Zircolite (more precisly SQLite) format. The related docs are here : https://github.com/wagga40/Zircolite/blob/master/docs/Usage.md#sysmon-rulesets-when-investigated-endpoints-have-sysmon-logs

[tpseers]

Great to know that, it works now!