Adding Sigma Filters to sigma alerts

[oneCrazyAdmin]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

256

Storage for /

250G

Storage for /nsm

750G

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Pretty excited about the Sigma rules. But I am struggling a bit with the custom filters for the alerts.

I am trying to tune the sigma.alter "Active Directory Replication from Non Machine Account".
The domain controller sync is tripping the rule. According to the Detection source, any SubjectUserName with a "$" at the end should not trigger.

In any case, I add the name of the domain controllers as a custom filter in this format.

sofilter:
SubjectUserName:
- "EGON$"
- "WINSTON$"
- "RAY$"
- "VENKMAN$"

I test the custom filter per the docs and it converts to EQL as follows

any where winlog.channel:"Security" and (winlog.channel:"Security" and (((winlog.event_data.AccessMask:"0x100" and event.code:"4662" and (winlog.event_data.Properties like~ ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "89e95b76-444d-4c62-991a-0facbeda640c"))) and (not (user.name like~ ("$", "MSOL_")))) and (not (user.name like~ ("EGON$", "WINSTON$", "RAY$", "VENKMAN$")))))

Am I doing something wrong or is it translating the sigma to eql weirdly?

Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

When you test this EQL query in Kibana, does it work as expected?

Also - take a look at one of the events that is triggering it - do the fields match up - I'm specifically thinking of these:
winlog.event_data.AccessMask
winlog.event_data.Properties

[oneCrazyAdmin]

It doesn't appear to be excluding names with the $ at the end. I will do some more checking. I was just wondering if there was a cross-walk between EQL and ECS.

[defensivedepth]

Can you post a santized example log that is triggering it? There are a couple different issues that could be at play.

[chergett]

I had to modify my syntax to look like the following. I think this is now working for me to filter out users for the same alert.

sofilter:
  - winlog.event_data.SubjectUserName: _svc365

If I just use "SubjectUserName" it doesn't work correctly. In my case, I should get zero results when I test in Kibana and so far it looks like it's finally filtering out correctly.