Fields names for Sigma rules (sofilter)

[Chrischevy80]

Version

2.4.3

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

20

RAM

64

Storage for /

315GB

Storage for /nsm

15TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I'm tuning some Playbook rules to keep only relevant alerts.

I've read the documentation on using sofilter and I have successfully configured other rules. To use the proper fields name, I usually refer to the original Sigma configuration and I use the same field names in the custom filter.

I need to filter the field named 'event_data.process.parent.command_line' (named like this in the alert dashboard) to make sure that the following value is ignored: 'sh -c /usr/bin/crontab -l 2>/dev/null'

For this particuliar case, the field I need is not present in the Sigma configuration and it seems like I can't find the correct field name for 'event_data.process.parent.command_line'

I've tried 'ParentCommandLine' but it doesn't work.

So my question is: How can I find the correct field name ? Is there a field mapping reference somewhere, or a general rule of thumb to convert the field names ?

Thank you

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[reyesj2]

This is due to the way we map values within the docker container. We're working on a new feature called 'Detections'. Once that goes live it should be easier to add your own mappings / override existing field mappings.

[Chrischevy80]

Great, thank you for the answer !