sigma.md

File metadata and controls

187 lines (124 loc) · 6.44 KB

Sigma

What is Sigma

See description at the Sigma Github repository

Sigma in Timesketch

Timesketch has had Sigma support since early 2020. Sigma can be used as an analyzer; the other option is to use Sigma via the API and the API client.

Install rules

Timesketch deliberately does not ship a set of Sigma rules, as those would add maintenance complexity. To use the official community rules you can clone github.com/Neo23x0/sigma to /data/sigma. This directory is ignored by git.

Warning: Currently it is not recommended to just clone the directory. See google#1532 for more info.

cd data
git clone https://github.com/Neo23x0/sigma

The rules will then be under

timesketch/data/sigma

Sigma Rules

The windows rules are stored in

timesketch/data/sigma/rules/windows

The linux rules are stored in

timesketch/data/linux
timesketch/data/sigma/rules/linux

Timesketch config file

There are multiple sigma related config variables in timesketch.conf.

# Sigma Settings

SIGMA_RULES_FOLDERS = ['/etc/timesketch/sigma/rules/']
SIGMA_CONFIG = '/etc/timesketch/sigma_config.yaml'
SIGMA_TAG_DELAY = 5

SIGMA_RULES_FOLDERS points to the folder(s) where Sigma rules are stored. The folder is the local folder of the Timesketch server (celery worker and webserver). For a distributed system, mounting network shares is possible.

SIGMA_TAG_DELAY can be used to throttle the Sigma analyzer. If Timesketch is running on a less powerful machine (or docker-dev), a sleep timer of 15 seconds will help avoid Elasticsearch exceptions caused by too many requests to the ES backend in too short a time range. For more powerful Timesketch installations, this value can be set to 0.

Sigma config

In the config file

sigma_config.yaml

There is a section with mappings; most mappings were copied from the HELK configuration. If you find a mapping missing, feel free to add it and create a PR.

Field Mapping

Some verified adjustments:

  • s/EventID/event_identifier
  • s/Source/source_name

Analyzer_run.py

You can run the Sigma analyzer providing sample data:

python3 test_tools/analyzer_run.py --test_file test_tools/test_events/sigma_events.jsonl timesketch/lib/analyzers/sigma_tagger.py RulesSigmaPlugin

Test data

If you want to test that feature, get some evtx files from the following links and parse them via plaso.

Verify rules

Deploying rules that cannot be parsed by Sigma can cause problems on the analyst side as well as the Timesketch operator side. The analyst might not be able to see the logs, and the errors might only show up when running the analyzer.

This is why a standalone verification tool is available at:

test_tools/sigma_verify_rules.py

This tool takes the following options:

usage: sigma_verify_rules.py [-h] [--config_file PATH_TO_TEST_FILE]
                             PATH_TO_RULES
sigma_verify_rules.py: error: the following arguments are required: PATH_TO_RULES

It can be used as follows to verify that your rules would work:

sigma_verify_rules.py --config_file ../data/sigma_config.yaml ../data/sigma/rules

If any rule in that folder causes problems, it will be shown:

sigma_verify_rules.py --config_file ../data/sigma_config.yaml ../timesketch/data/sigma/rules
ERROR:root:reverse_shell.yaml Error generating rule in file ../timesketch/data/sigma/rules/linux/reverse_shell.yaml you should not use this rule in Timesketch: No condition found
ERROR:root:recon_commands.yaml Error generating rule in file ../timesketch/data/sigma/rules/data/linux/recon_commands.yaml you should not use this rule in Timesketch: No condition found
You should NOT import the following rules
../timesketch/data/sigma/rules/linux/reverse_shell.yaml
../timesketch/data/sigma/rules/linux/recon_commands.yaml

Troubleshooting

How to find issues

Logs

In the celery logs, while running the Sigma analyzer, you will see something like this:

result: Applied 0 tags
* win_apt_carbonpaper_turla.yml: 0
...
* win_syskey_registry_access.yml: 0
Problematic rules:
XXXX

The XXXX here is the "problem", and you should note those rules. Once you have noted and identified them, it is recommended to take the rule id and attempt an API call like the following:

from timesketch_api_client import config

# Build a client from your local Timesketch API client configuration.
ts = config.get_client()
# Fetch the rule by its id and try to render the Elasticsearch query for it.
rule = ts.get_sigma_rule("c0478ead-5336-46c2-bd5e-b4c84bc3a36e")
print(rule.es_query)

Here the ID is the id of your problematic rule. This will hopefully give you more insight, via the web server logs, into what caused the problem, e.g. "Aggregations not implemented for this backend". It is then recommended to move those rules to a separate folder, maybe even creating a small shell script that does that for you once you pull upstream rules from the Sigma repository.

How to verify issues

Timesketch API / logs

If you are in doubt whether a rule works, take the UUID and run the Python code mentioned above.

sigmac

Another option is to run the rule through the official sigmac converter with the Timesketch Sigma mapping file.

For our example from above:

sigma/tools/sigma$ python3 sigmac.py -t es-qs --config ../../../sigma_config.yaml ../../rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
An unsupported feature is required for this Sigma rule (../../rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml): Aggregations not implemented for this backend
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma

What to do with problematic rules

To reduce load on the system it is recommended not to keep the problematic rules in the directory, as they will raise the exception every time the rules folders are parsed (which happens a lot).

The parser ignores folders named "deprecated", so you can move the problematic rules into a /deprecated/ subfolder of your rules folder.

If the rules do not contain any sensitive content, you could also open an issue in the timesketch project and/or in the upstream sigma project and explain your issue (best case: provide your Timesketch Sigma config and the rule file so it can be verified).
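As an added example (not Timesketch's own code and not sigma_verify_rules.py), the Python below applies the checks this page describes to already parsed rules: it reports the "No condition found" and "Aggregations not implemented for this backend" cases from the verify-rules and sigmac sections and skips a deprecated subfolder as described in this section. The sample rules are constructed, and check_rule, verify_rules and SAMPLE_RULES are hypothetical names.

```python
"""Pre-flight check for Sigma rules before they go into a Timesketch rules
folder. Hypothetical helper modelled on the checks described on this page."""
import re
from pathlib import PurePosixPath

# "selection | count() > 5" style aggregations make the es-qs backend fail
# with "Aggregations not implemented for this backend".
AGGREGATION_RE = re.compile(r"\|\s*(count|min|max|avg|sum|near)\b")


def check_rule(rule):
    """Return the problems found in one parsed Sigma rule (empty = usable)."""
    detection = rule.get("detection")
    if not isinstance(detection, dict):
        return ["No detection section found"]
    condition = detection.get("condition")
    if not condition:
        return ["No condition found"]
    if AGGREGATION_RE.search(str(condition)):
        return ["Aggregations not implemented for this backend"]
    return []


def verify_rules(rules):
    """rules maps rule path -> parsed rule (what yaml.safe_load returns).
    Returns the paths that should NOT be imported; anything under a
    'deprecated' folder is skipped since the Timesketch parser ignores it."""
    do_not_import = []
    for path, rule in sorted(rules.items()):
        if "deprecated" in PurePosixPath(path).parts:
            continue
        problems = check_rule(rule)
        for problem in problems:
            print(f"ERROR:root:{PurePosixPath(path).name} {problem}")
        if problems:
            do_not_import.append(path)
    return do_not_import


# Constructed sample rules standing in for the parsed contents of rule files.
SAMPLE_RULES = {
    "rules/linux/reverse_shell.yaml": {"detection": {"keywords": ["x"]}},
    "rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml": {
        "detection": {"selection": {"EventID": 7},
                      "condition": "selection | count() > 5"}},
    "rules/windows/usable_rule.yml": {
        "detection": {"selection": {"EventID": 4688}, "condition": "selection"}},
    "rules/deprecated/old_rule.yml": {"detection": {}},
}
```

Feeding it real rule files only needs a loop that yaml.safe_loads each file in the rules folder into the mapping that verify_rules expects.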