
pySigma Rapid7 InsightIDR backend

Project description

pySigma InsightIDR Backend


Overview

This is the Rapid7 InsightIDR backend for pySigma, capable of converting Sigma rules into Log Entry Query Language (LEQL) queries compatible with the InsightIDR SIEM. It provides the package sigma.backends.insight_idr with the InsightIDRBackend class. Further, it contains the processing pipeline sigma.pipelines.insight_idr, which performs field mapping and error handling. The InsightIDR pipeline is the automatic/default processing pipeline for the InsightIDR backend.

Installation

The pySigma InsightIDR Backend is available on Python Package Index (PyPI) here: https://pypi.org/project/pysigma-backend-insightidr/. It can be installed using pip with the command: pip install pysigma-backend-insightidr.

Rule Support

The InsightIDR backend supports the following log entry/rule types:

  • Process start events
  • DNS query events
  • Web proxy events
  • Firewall events
  • Ingress authentication events

Output Format Support

It supports the following output formats which can be used for log search, custom alerts, dashboards, and reporting:

  • default: queries output in the InsightIDR "Simple" format*
  • leql_advanced_search: queries in the "Advanced" format**
  • leql_detection_definition: queries matching the LEQL detection rule logic format roughly matching what is shown in the InsightIDR Detection Rules -> Detection Rule -> Rule Logic screen***

*Ideal for use in custom alerts.
**Ideal for use with InsightIDR4Py, a module offering streamlined access to the Rapid7 LogSearch API.
***Conceptual only - these queries are not usable within the InsightIDR interfaces mentioned above.

Sigma rules that use the endswith modifier are converted to a case-insensitive regular expression (for example process.exe_path=/.*\\ping\.exe$/i), because LEQL has no IENDS-WITH or IENDS-WITH-ANY operator to pair with ICONTAINS and ISTARTS-WITH. Several endswith values on one field are combined into a single alternation, as in the sample output below.
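The following is an added example, not code from the pysigma-backend-insightidr project: it builds the same shape of regex term the README's sample output shows for endswith, and then evaluates that regex against constructed Windows paths to show what the anchoring buys (no match on a trailing .bak, no match on subnet.exe). The field names are taken from the sample output; how the backend itself escapes values is not shown on this page and is not claimed here.

```python
r"""Build the LEQL regex term that stands in for Sigma's endswith modifier.

Added example, not code from the pysigma-backend-insightidr project. It
reproduces the shape of the regex terms in the README's sample output
(field=/.*\\name\.exe$/i) in plain Python; how the backend itself escapes
values is not shown on the page and is not claimed here.
"""
import re


def endswith_to_leql(field, values):
    """Return a 'field=/regex/i' term matching any of the endswith values.

    Each value is regex-escaped so backslashes, dots and hyphens in Windows
    paths match literally, then anchored with a leading '.*' and trailing '$'.
    Several values become one alternation, as in the README's output.
    Sigma wildcards ('*', '?') inside a value are NOT translated and would be
    matched literally here.
    """
    if isinstance(values, str):
        values = [values]
    alternatives = [".*" + re.escape(v) + "$" for v in values]
    body = alternatives[0] if len(alternatives) == 1 else "(" + "|".join(alternatives) + ")"
    return f"{field}=/{body}/i"


def regex_body(term):
    """Pull the pattern out of a 'field=/pattern/i' term produced above."""
    return term.split("=/", 1)[1][:-2]


def matches(term, value):
    """Evaluate the generated pattern with Python's re, case-insensitively as
    the '/i' flag expresses. Assumption: LEQL's regex engine agrees on this
    subset (escaped literals, '.*', '$', alternation); verify a converted
    query in Log Search before relying on it for an alert.
    """
    return re.search(regex_body(term), value, re.IGNORECASE) is not None


if __name__ == "__main__":
    term = endswith_to_leql("process.exe_path", ["\\net.exe", "\\net1.exe"])
    print(term)
    # Constructed sample paths: the escaped backslash keeps 'subnet.exe' out,
    # and '$' rejects a trailing '.bak'.
    for path in (r"C:\Windows\System32\NET.EXE", r"C:\tools\subnet.exe",
                 r"C:\Windows\System32\net.exe.bak"):
        print(f"{path}: {matches(term, path)}")
```

The leading backslash in a Sigma endswith value (\net.exe rather than net.exe) is what stops the pattern from firing on subnet.exe; dropping it when hand-editing a rule silently widens the match.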

Usage example

Sigma CLI

You can quickly convert a single rule or a directory tree of rules with Sigma CLI:

sigma convert -t insightidr -f leql_advanced_search -s ~/sigma/rules

where -t selects the target query language, -f the desired output format, and the final argument is the Sigma rule file or rules directory to convert. Note that in sigma-cli the input path is a positional argument; -s is the short form of --skip-unsupported (see Limitations and Constraints), so the command above also skips any rule this backend cannot convert instead of stopping on it.

Stand-alone Script

The following example script demonstrates how to use the InsightIDR backend to generate advanced LEQL queries for three Windows process creation rules:

# demonstrates basic usage of InsightIDR backend
from sigma.collection import SigmaCollection
from sigma.backends.insight_idr import insight_idr

# create the backend; the InsightIDR processing pipeline is applied by default
insight_idr_backend = insight_idr.InsightIDRBackend()

# load a ruleset
process_start_rules = [r"C:\SigmaRules\rules\windows\process_creation\proc_creation_win_webshell_detection.yml",
                       r"C:\SigmaRules\rules\windows\process_creation\proc_creation_win_cmd_delete.yml",
                       r"C:\SigmaRules\rules\windows\process_creation\proc_creation_win_susp_rundll32_activity.yml"]

process_start_rule_collection = SigmaCollection.load_ruleset(process_start_rules)

# convert the rules
for rule in process_start_rule_collection.rules:
    print(rule.title + " conversion:")
    print(insight_idr_backend.convert_rule(rule, "leql_advanced_search")[0])
    print("\n")

with resulting output:

Webshell Detection With Command Line Keywords conversion:
where((parent_process.exe_path=/(.*\\w3wp\.exe$|.*\\php\-cgi\.exe$|.*\\nginx\.exe$|.*\\httpd\.exe$)/i OR parent_process.exe_path ICONTAINS-ANY ["\apache", "\tomcat"]) AND ((process.exe_path=/(.*\\net\.exe$|.*\\net1\.exe$)/i) AND (process.cmd_line ICONTAINS-ANY [" user ", " use ", " group "]) OR process.exe_path=/.*\\ping\.exe$/i AND process.cmd_line ICONTAINS " -n " OR process.cmd_line ICONTAINS-ANY ["&cd&echo", "cd /d "] OR process.exe_path=/.*\\wmic\.exe$/i AND process.cmd_line ICONTAINS " /node:" OR process.exe_path=/(.*\\whoami\.exe$|.*\\systeminfo\.exe$|.*\\quser\.exe$|.*\\ipconfig\.exe$|.*\\pathping\.exe$|.*\\tracert\.exe$|.*\\netstat\.exe$|.*\\schtasks\.exe$|.*\\vssadmin\.exe$|.*\\wevtutil\.exe$|.*\\tasklist\.exe$)/i OR process.cmd_line ICONTAINS-ANY [" Test-NetConnection ", "dir \"]))

Windows Cmd Delete File conversion:
where(process.cmd_line ICONTAINS-ALL ["del ", "/f"] OR process.cmd_line ICONTAINS-ALL ["rmdir", "/s", "/q"])

Suspicious Rundll32 Activity conversion:
where(process.cmd_line ICONTAINS-ALL ["javascript:", ".RegisterXLL"] OR process.cmd_line ICONTAINS-ALL ["url.dll", "OpenURL"] OR process.cmd_line ICONTAINS-ALL ["url.dll", "OpenURLA"] OR process.cmd_line ICONTAINS-ALL ["url.dll", "FileProtocolHandler"] OR process.cmd_line ICONTAINS-ALL ["zipfldr.dll", "RouteTheCall"] OR process.cmd_line ICONTAINS-ALL ["shell32.dll", "Control_RunDLL"] OR process.cmd_line ICONTAINS-ALL ["shell32.dll", "ShellExec_RunDLL"] OR process.cmd_line ICONTAINS-ALL ["mshtml.dll", "PrintHTML"] OR process.cmd_line ICONTAINS-ALL ["advpack.dll", "LaunchINFSection"] OR process.cmd_line ICONTAINS-ALL ["advpack.dll", "RegisterOCX"] OR process.cmd_line ICONTAINS-ALL ["ieadvpack.dll", "LaunchINFSection"] OR process.cmd_line ICONTAINS-ALL ["ieadvpack.dll", "RegisterOCX"] OR process.cmd_line ICONTAINS-ALL ["ieframe.dll", "OpenURL"] OR process.cmd_line ICONTAINS-ALL ["shdocvw.dll", "OpenURL"] OR process.cmd_line ICONTAINS-ALL ["syssetup.dll", "SetupInfObjectInstallAction"] OR process.cmd_line ICONTAINS-ALL ["setupapi.dll", "InstallHinfSection"] OR process.cmd_line ICONTAINS-ALL ["pcwutl.dll", "LaunchApplication"] OR process.cmd_line ICONTAINS-ALL ["dfshim.dll", "ShOpenVerbApplication"])

Limitations and Constraints

This backend is in a preliminary stage, and does not support all Sigma rule types or InsightIDR event sources/logset types. Attempting to convert rule types other than the types listed above will result in an error.

Additionally, certain selection fields listed below are not supported within the following Sigma rule types:

Process start events

  • CurrentDirectory
  • IntegrityLevel
  • imphash
  • LogonId

DNS query events

  • ProcessId
  • QueryStatus
  • QueryResults

Web proxy events

  • c-uri-extension
  • c-uri-stem
  • c-useragent
  • cs-referrer
  • cs-version
  • sc-status

Finally, Sigma rules whose condition uses aggregation expressions such as count() are deprecated within pySigma and are not supported by this backend.

Note that sigma-cli has the switches --skip-unsupported and --fail-unsupported: the former skips rules the backend cannot convert and continues with the rest, the latter (the default) aborts the conversion with an error on the first such rule.
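As an added example (not part of the project), the following pre-flight check applies the rule-type list from Rule Support and the unsupported-field lists above to Sigma rules before they reach the backend, so a batch can be triaged without converting it. The mapping from Sigma logsource categories to the README's event types is an assumption (the page does not say which categories the backend keys on, and names no category for ingress authentication events), and the three rules are constructed samples given in the dict form PyYAML produces.

```python
"""Pre-flight check: flag Sigma rules this backend will refuse before converting.

Added example, not part of the pysigma-backend-insightidr project. The
unsupported-field lists are those from the README; the mapping from Sigma
logsource categories to the README's event types, and the assumption that the
backend keys on logsource.category, are mine and are not stated on the page.
Rules are given as the dicts PyYAML produces for a Sigma file, so no parser is
needed here.
"""
import re

# Assumed: which README event type a Sigma logsource category lands in.
# "Ingress authentication events" is omitted because the page names no
# Sigma category for it.
CATEGORY_TO_EVENT_TYPE = {
    "process_creation": "Process start events",
    "dns_query": "DNS query events",
    "proxy": "Web proxy events",
    "firewall": "Firewall events",
}

# Selection fields the README lists as unsupported, per event type.
UNSUPPORTED_FIELDS = {
    "Process start events": {"CurrentDirectory", "IntegrityLevel", "imphash", "LogonId"},
    "DNS query events": {"ProcessId", "QueryStatus", "QueryResults"},
    "Web proxy events": {"c-uri-extension", "c-uri-stem", "c-useragent",
                         "cs-referrer", "cs-version", "sc-status"},
    "Firewall events": set(),
}

# Legacy Sigma aggregation expressions in a condition ("... | count() by X > 5").
AGGREGATION_RE = re.compile(r"\|\s*(count|min|max|avg|sum)\s*\(", re.IGNORECASE)


def selection_fields(selection):
    """Yield bare field names from a selection (a dict or a list of dicts),
    dropping value modifiers such as the '|endswith' in 'Image|endswith'."""
    items = selection if isinstance(selection, list) else [selection]
    for item in items:
        if isinstance(item, dict):
            for key in item:
                yield key.split("|", 1)[0]


def check_rule(rule):
    """Return a list of problems; an empty list means nothing on the README's
    unsupported lists was found."""
    problems = []
    category = rule.get("logsource", {}).get("category")
    event_type = CATEGORY_TO_EVENT_TYPE.get(category)
    if event_type is None:
        # The README says converting any other rule type raises an error.
        return [f"logsource category {category!r} is not a supported rule type"]
    detection = rule.get("detection", {})
    condition = detection.get("condition", "")
    if isinstance(condition, list):
        condition = " ".join(condition)
    if AGGREGATION_RE.search(condition):
        problems.append("condition uses an aggregation expression (deprecated, unsupported)")
    for name, selection in detection.items():
        if name == "condition":
            continue
        for field in selection_fields(selection):
            if field in UNSUPPORTED_FIELDS[event_type]:
                problems.append(f"field {field!r} in {name!r} is not supported for {event_type}")
    return problems


# Constructed sample rules (not real SigmaHQ rules), in parsed-YAML form.
OK_RULE = {
    "title": "Sample: net.exe user enumeration",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\net.exe", "CommandLine|contains": " user "},
        "condition": "selection",
    },
}

BAD_RULE = {
    "title": "Sample: relies on IntegrityLevel and a count()",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": [
            {"IntegrityLevel": "High", "Image|endswith": "\\cmd.exe"},
            {"ParentImage|endswith": "\\w3wp.exe"},
        ],
        "condition": "selection | count() by ComputerName > 5",
    },
}

UNKNOWN_RULE = {
    "title": "Sample: registry rule",
    "logsource": {"category": "registry_event", "product": "windows"},
    "detection": {"selection": {"TargetObject|contains": "\\Run\\"}, "condition": "selection"},
}

if __name__ == "__main__":
    for rule in (OK_RULE, BAD_RULE, UNKNOWN_RULE):
        print(rule["title"], "->", check_rule(rule) or "ok")
```

Running the check over a rule directory before sigma convert tells you which rules --skip-unsupported is going to drop, and why, rather than discovering the gap when a detection that was expected to exist never fires.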

Authorship and Maintenance

This backend was authored and is currently maintained by Micah Babinski with generous assistance from Thomas Patzke. Suggestions and collaboration are welcomed in any form.

Download files

Source Distribution

pysigma_backend_insightidr-0.2.4.tar.gz (20.0 kB)

Hashes for pysigma_backend_insightidr-0.2.4.tar.gz
  SHA256      7ac24cbff4e9ffbdb94ac5d94ddc69fee8d2e3eb8e0d5db7b6509f16f346750a
  MD5         b17d791759a65c107d251e1a537a4394
  BLAKE2b-256 12f7382c1dc2f3d6b04cd0cf68919b24b45f62226a37151ac3ec4d572b0cceee

Built Distribution

pysigma_backend_insightidr-0.2.4-py3-none-any.whl (19.3 kB)

Hashes for pysigma_backend_insightidr-0.2.4-py3-none-any.whl
  SHA256      2341165e08373437f02e37521b5ce2a4cd1a07747d6cb27f759c6493ff56c8b4
  MD5         aec0eb2947c093583d8ef6d9faa72905
  BLAKE2b-256 3b2864efcf4b1df7e572cb38194895557d28b342bc882376e43d21f328850606
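The SHA256 digests above can be pinned in a pip requirements file so that a later install fails if the published artifact ever changes. This is an added example, not part of the project's documentation; the file name requirements.txt is arbitrary, and the two hashes are the sdist and wheel digests listed above.

```text
# requirements.txt (assumed name); install with:
#   pip install --require-hashes -r requirements.txt
pysigma-backend-insightidr==0.2.4 \
    --hash=sha256:7ac24cbff4e9ffbdb94ac5d94ddc69fee8d2e3eb8e0d5db7b6509f16f346750a \
    --hash=sha256:2341165e08373437f02e37521b5ce2a4cd1a07747d6cb27f759c6493ff56c8b4
```

In hash-checking mode pip refuses to install any package in the resolved set that has no hash, so pysigma and its own dependencies must be pinned the same way (pip-compile --generate-hashes from pip-tools produces such a file). Pin to the SHA256 values, not MD5.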
