pySigma QRadarAQL backend
Project description
PySigma QRadar AQL
This is the QRadar AQL backend for pySigma which parses and converts Sigma Rules into QRadar queries in AQL. It consists of a backend and two pipelines as describes below. The project is using pySigma_QRadar_base submodule.
Backend
- QRadarAQL: It provides the package
sigma.backends.QRadarAQL
with theQRadarAQLBackend
class.
Pipelines
Further, it contains the following processing pipelines in sigma.pipelines.QRadarAQL
:
- QRadarAQL_fields_pipeline: Supports only the
Sigma fields
in the Field Mapping. - QRadarAQL_payload_pipeline: Uses
UTF8(payload)
instead of fields unsupported by the Field Mapping. For unsupported fields, the following value types are not supported–- Boolean
- Null
- CIDR
- Regular Expression
- Numeric Comparison
Installation
PyPI
pip install ibm-qradar-aql
Sigma plugin
Sigma CLI
- install sigma-cli
- install with Sigma plugins:
sigma plugin install ibm-qradar-aql
pySigma
from sigma.plugins import SigmaPluginDirectory
plugins = SigmaPluginDirectory.default_plugin_directory()
plugins.get_plugin_by_id("ibm-qradar-aql").install()
Usage
Convert Sigma rules to AQL by using ibm-qradar-aql
as backend, and one of qradar-aql-fields
and qradar-aql-payload
as pipeline:
Sigma CLI
sigma convert -t ibm-qradar-aql -p <qradar-aql-fields | qradar-aql-payload> <rule path> -o <output file name>
Input example:
PLEASE NOTE: you should have Sigma rules
in your project to use the
following
command
sigma convert -t ibm-qradar-aql -p qradar-aql-payload rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml -o output_file.txt
Output example:
['SELECT * FROM events WHERE devicetype=12 AND LOWER("Target Process Path") LIKE \'%\\keepass.exe\'']
pySigma
Input example:
from sigma.collection import SigmaCollection
from sigma.backends.QRadarAQL import QRadarAQLBackend
from sigma.pipelines.QRadarAQL import QRadarAQL_fields_pipeline, QRadarAQL_payload_pipeline
pipeline = QRadarAQL_fields_pipeline # or QRadarAQL_payload_pipeline
rule = SigmaCollection.from_yaml("""
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith: '\KeePass.exe'
condition: selection
""")
print(QRadarAQLBackend(pipeline()).convert(rule)[0])
Output example:
SELECT * FROM events WHERE devicetype=12 AND LOWER("Target Process Path") LIKE '%\keepass.exe'
Develop
This project is using
pySigma_QRadar_base submodule.
After cloning the project, make sure to update the submodule from the sigma
directory
by running:
git submodule update --init --recursive
QRadar Content Packs
- Properties Dictionary (required)
- Windows Custom Properties (recommended)
- Linux Custom Properties (recommended)
other properties you may find in the App Exchange
Mapping
Field Mapping
Sigma field | QRadar AQL field |
---|---|
AccessList | Rule Name |
AccessMask | Access Mask |
Accesses | Accesses |
AppID | Application |
AppId | Application |
AppName | Application |
AttributeLDAPDisplayName | Username, Account Name, Distinguished Name |
AttributeValue | Attribute Old Value, Attribute New Value |
c-useragent | User Agent |
cs-user-agent | User Agent |
cs-username | Username |
CallTrace | Call Trace |
CallerProcessName | Process Path |
cipher | Ticket Encryption Type |
CommandLine | Command |
cs-method | Method |
DestinationHostname | Destination Hostname |
ErrorCode | Error Code |
ExceptionCode | Error Code |
EventID | Event ID |
eventSource | devicetype |
FailureCode | Error Code |
FileName | Filename |
Filename | Filename |
GrantedAccess | Granted Access |
Hashes | CONCAT(MD5=, MD5 Hash , SHA1=, SHA1 Hash , SHA256=, SHA256 Hash , IMPHASH=, IMP HASH) |
HostApplication | Process Path |
HostName | Hostname |
Initiated | Initiated |
Image | Process Path, Process Name |
ImageName | Process Name |
ImagePath | Process Path |
Imphash | IMP Hash |
IntegrityLevel | Integrity Level |
InterfaceUuid | Source Interface UUID |
LogonType | Logon Type |
Message | Message |
Name | File Path |
ObjectName | Object Name |
ObjectType | Object Type |
OriginalFileName | Filename |
ParentCommandLine | Parent Command |
ParentImage | Parent Process Path |
ParentProcessId | Parent Process ID |
Path | File Path |
path | File Path |
Payload | UTF8(payload) |
payload | UTF8(payload) |
PipeName | Pipe Name |
ProcessId | Process ID |
ProcessName | Process Name |
ProcessPath | Process Path |
SamAccountName | SAM Account Name |
Service | Service Name |
ServiceFileName | Service Filename |
ServiceName | Service Name |
ShareName | Share Name |
Signed | Signed |
Status | Status |
StartAddress | Start Address |
TargetFilename | Filename |
TargetImage | Target Process Path |
TargetObject | Process Name, Target Process Name, Object Name |
TargetUserName | Target Username |
TaskName | Task Name |
TicketEncryptionType | Ticket Encryption Type |
UserName | Username |
Username | Username |
md5 | MD5 Hash |
method | Method |
NewTargetUserName | Target Username |
sha1 | SHA1 Hash |
sha256 | SHA256 Hash |
SourceFilename | filename |
SourceImage | Source Process Path |
USER | Username |
User | Username |
userAgent | User Agent |
user_agent | User Agent |
eventName | QIDNAME(qid) |
ImageLoaded | CONCAT(file directory, /, filename) |
DestinationIp | destinationip |
DestPort | destinationport |
DestinationPort | destinationport |
destination.port | destinationport |
dst_ip | destinationip |
dst_port | destinationport |
SourcePort | sourceport |
src_ip | sourceip |
c-uri | URL |
c-uri-extension | URL |
c-uri-query | URL |
cs-uri | URL |
cs-uri-query | URL |
cs-uri-stem | URL |
properties.message | Message |
ScriptBlockText | Message |
uri | URL |
a0 | Command |
a1 | Command |
a2 | Command |
a3 | Command |
a4 | Command |
a5 | Command |
Log-Source Mapping
Sigma service mapping to QRadar AQL device type
Sigma service | QRadar AQL device type name | QRadar AQL device type id |
---|---|---|
aaa | BridgewaterAAA | 143 |
apache | Apache | 10 |
auditd | LinuxServer | 11 |
auth | WindowsAuthServer | 12 |
clamav | LinuxServer | 11 |
cloudtrail | AmazonAWSCloudTrail | 347 |
cron | LinuxServer | 11 |
exchange | MicrosoftExchange | 99 |
gcp.audit | GoogleCloudAudit | 449 |
iis | IIS | 13 |
ldp | NetScreenIDP | 17 |
lsa-server | ISA | 191 |
microsoft365portal | Office365, Office365MessageTrace, Microsoft365Defender | 397, 452, 515 |
okta | OktaIdentityManagement | 382 |
powershell | WindowsAuthServer | 12 |
rdp | LinuxServer, WindowsAuthServer | 11, 12 |
smbclient-security | LinuxServer, WindowsAuthServer | 11, 12 |
sshd | LinuxServer | 11 |
sudo | LinuxServer | 11 |
syslog | LinuxServer, WindowsAuthServer | 11, 12 |
sysmon | WindowsAuthServer | 12 |
taskscheduler | LinuxServer, WindowsAuthServer | 11, 12 |
threat_detection | SAPEnterpriseThreatDetection | 424 |
windefend | MicrosoftWindowsDefenderATP | 433 |
wmi | WindowsAuthServer | 12 |
Sigma product mapping to QRadar AQL device type
Sigma product | QRadar AQL device type name | QRadar AQL device type id |
---|---|---|
aws | AmazonAWSCloudTrail, AWSSecurityHub, AmazonAWSNetworkFirewall, AmazonAWSALBAccessLogs, AmazonAWSWAF, AmazonAWSKubernetes, AmazonAWSRoute53, AmazonCloudFront, AWSVerifiedAccess | 347, 440, 456, 460, 501, 502, 507, 516, 519 |
MicrosoftAzure | MicrosoftAzure | 413 |
cisco | Pix, IOS, VpnConcentrator, CSA, IDS, FWSM, ASA, CatOS, ACS, Cisco, NAC, Series12000, Series6500, Series7600, SeriesCRS, SeriesISR, IronPort, Aironet, Wism, ACE, CiscoWirelessNCS, Nexus, CiscoWLC, CiscoCallManager, CiscoISE, CiscoCWS, CiscoStealthwatch, CiscoUmbrella, CiscoMeraki, CiscoAMP, CiscoFirepowerThreatDefense, CiscoDuo | 6, 20, 23, 26, 30, 31, 41, 56, 90, 94, 95, 113, 114, 115, 116, 117, 179, 182, 183, 194, 248, 250, 273, 274, 316, 419, 429, 431, 435, 437, 448, 508 |
gcp | GoogleGSuite, GoogleCloudAudit, GoogleCloudPlatformFirewall, GoogleCloudDNS | 442, 449, 455, 461 |
huawei | SSeriesSwitch, ARSeriesRouter | 269, 283 |
juniper | NetScreenFirewall, NetScreenIDP, JuniperSA, NetScreenNSM, InfranetController, JuniperRouter, JuniperSBR, JuniperDX, JuniperMSeries, JuniperMXSeries, JuniperTSeries, JuniperEXSeries, JuniperSRX, Avt, SRC, JuniperAltorVGW, SecurityBinaryLogCollector, JuniperMykonosWebSecurity, JuniperWirelessLAN, JuniperDDoSSecure | 5, 17, 36, 45, 59, 64, 83, 111, 118, 122, 123, 139, 150, 168, 192, 235, 264, 290, 320, 344 |
linux | LinuxServer | 11 |
m365 | Office365 | 397 |
macos | AppleOSX | 102 |
okta | OktaIdentityManagement | 382 |
sql | MicrosoftSQL | 101 |
windows | WindowsAuthServer | 12 |
Mapping Contribution
Pull requests are welcome. After updating the Mapping, please run generate_readme.py for updating the mapping tables in the README file.
Field Mapping:
####field mapping from Sigma to AQL
field_mapping
: mapping for fields with exact mach from Sigma to AQLhost_field_mapping
: mapping for host fields- values with wildcards converts to CIDRunstructured_field_mapping
: mapping for fields that their value is a substring of another field's value- equal sign ('=') will be replaced with 'LIKE' operatorunstructured_part_field_mapping
: mapping for fields that are part of another field- equal sign ('=') will be replaced with 'LIKE' operator, and the value transforms to the form '{field}%{value}'
Log-Source Mapping:
####mapping from Sigma log source to AQL device type id
- aql_log_source_mapping: AQL mapping from device type name to device type id – PLEASE DO NOT CHANGE THIS MAPPING
- aql_service_mapping: mapping from Sigma services to AQL device type id
- aql_product_mapping: mapping from Sigma products to AQL device type id
License
pySigma-backend-QRadar-AQL is licensed under the MIT License.
Maintainers
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for pysigma_backend_qradar_aql-0.2.6.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 5b9a0a19af6bd158d6c8d45ebb9c9ce1ea792bfc801f53aa5e67def05d728d07 |
|
MD5 | 48507b7452e7cc1032fbb68c1d30e499 |
|
BLAKE2b-256 | 96b9505fa86c51a1083b5b0e7408ee7469ec5fc531a378084cb1a755d3510e47 |
Hashes for pysigma_backend_qradar_aql-0.2.6-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b9e78c9a3b8d8cd364a6576a3627f2a0444fb1fd69bf46a5df15a4e94e5e0c93 |
|
MD5 | 240b8bc048854a51a0354b5fb628aeb6 |
|
BLAKE2b-256 | 5f18cb60d423ddddc5896e96cb2f0e9b7118a8f63fe506775468570d2cf561b0 |