MAPPING MITRE ID FROM ANOTHER FIELD IN ALERT


Juan Romero

May 20, 2021, 4:44:49 AM
to Wazuh mailing list
Hi guys:

I'm collecting sysmon logs with the Wazuh agent, and the sysmon config file that I'm using already fills in a field (ruleName) with the MITRE ATT&CK ID.
So, for example, one event from sysmon could include a field like the following:
win.eventdata.ruleName = T1027

I'd like to assign the MITRE ATT&CK ID used by Wazuh to that already assigned ID, and for that I'm creating rules like:

<rule id="xxxx" level="y">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.ruleName">T1027</field>
    <description>T1027 - Obfuscated Files or Information</description>
    <mitre>
        <id>$(win.eventdata.ruleName)</id>
    </mitre>
    <options>no_full_log</options>
</rule>

The problem is that the ID assigned is not the value of the field win.eventdata.ruleName, but "$(win.eventdata.ruleName)" instead.

Am I referencing the value wrongly? What would be the right way of achieving this mapping?

Thanks!

Juan.
carlos...@wazuh.com

May 20, 2021, 7:02:48 AM
to Wazuh mailing list
Hi Juan,

I'm afraid the id inside the mitre tag is not intended to be used with variables. It expects the raw MITRE ATT&CK ID, such as "T1027", as our documentation states here.

May I ask why you are trying to use that variable instead of using the "T1027" value? For that particular rule you are already ensuring that the win.eventdata.ruleName value must be "T1027" by using the field tag.

In your case, you can easily just use "T1027" as the ID value.

I hope this helps. Let me know if you need further assistance.

Juan Romero

May 20, 2021, 4:07:41 PM
to Wazuh mailing list
Hi Carlos:

Thanks for your answer and the info.

The idea for this mapping is to get Wazuh's mitre id automatically populated if the source (the sysmon event in this case) already includes the enrichment. Using a "variable" in the mitre id assignment inside the rule would get this done.
I had included a static assignment in the example rule just for testing purposes.

Thanks!

carlos...@wazuh.com

May 21, 2021, 3:17:50 AM
to Wazuh mailing list
Thank you for clarifying the purpose of your mapping. I think it is now a little clearer to me what you were trying to achieve.

However, I'm afraid Wazuh rules do not support the usage of variables inside assignments such as the Mitre id. Only static assignments, or variables previously defined by using the var tag inside the same file, are allowed.

You will have to create static rules for your different Mitre ATT&CK IDs.

Sorry for the inconvenience. I hope this answers your question.

Regards.
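Since the thread ends with "one static rule per technique", the practical follow-up to Juan's goal (let the sysmon ruleName drive the Wazuh mitre id) and Carlos's answer (only literal IDs are accepted) is to generate those static rules from a table rather than hand-write them. The script below is an added example, not Wazuh's own tooling or anything from the thread: it renders one rule per technique with the technique ID written literally into <mitre><id>, and it includes the check that would have caught the original attempt, since Wazuh keeps the text $(win.eventdata.ruleName) as-is instead of expanding it. The technique table (only T1027 comes from the thread), the rule-id range starting at 100100, level 3, and the group name "sysmon,mitre_mapping," are assumptions chosen for the example.

```python
"""Render one static Wazuh rule per MITRE ATT&CK technique.

Added example, not Wazuh's own code. <mitre><id> accepts only a literal
technique ID (no $(field) variables), so the ruleName -> MITRE mapping has to
be materialised as a set of static rules; this script generates them.
Assumptions: the technique table, the custom rule-id range starting at
100100, level 3 and the group name "sysmon,mitre_mapping," are all invented.
"""
import re
import xml.etree.ElementTree as ET

# Constructed input: technique IDs the sysmon config writes into ruleName,
# with the text to show in the alert. T1027 is the one from the thread; the
# other entries stand in for whatever the reader's own sysmon config emits.
TECHNIQUES = {
    "T1027": "Obfuscated Files or Information",
    "T1055": "Process Injection",
    "T1059": "Command and Scripting Interpreter",
}

# Technique (T1027) or sub-technique (T1027.002) identifier.
TECH_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# The rule shape from the thread: Wazuh stores the $(...) text literally, it
# is never expanded. Kept here only to show what the validator catches.
BROKEN_RULE = """<group name="sysmon,">
  <rule id="100000" level="3">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.ruleName">T1027</field>
    <description>T1027 - Obfuscated Files or Information</description>
    <mitre><id>$(win.eventdata.ruleName)</id></mitre>
    <options>no_full_log</options>
  </rule>
</group>"""


def is_technique_id(value):
    """True for a literal technique ID; False for anything else, including an
    unexpanded placeholder such as $(win.eventdata.ruleName)."""
    return bool(value) and TECH_ID_RE.match(value) is not None


def render_rules(techniques, first_id=100100, level=3, parent_group="sysmon_event1"):
    """Return a Wazuh rules document (one <group>) with a static rule per technique.

    Wazuh reserves IDs below 100000 for its own ruleset, so custom rules get
    consecutive IDs from first_id. Techniques are sorted so the IDs stay
    stable across runs, which matters once stored alerts reference them.
    """
    root = ET.Element("group", name="sysmon,mitre_mapping,")
    for offset, (tid, name) in enumerate(sorted(techniques.items())):
        if not is_technique_id(tid):
            raise ValueError(f"not a MITRE technique ID: {tid!r}")
        rule = ET.SubElement(root, "rule", id=str(first_id + offset), level=str(level))
        ET.SubElement(rule, "if_group").text = parent_group
        # Anchored so that T1027 does not also fire on T1027.002 or T10270.
        # In Wazuh's default OS_Regex syntax a bare "." is a literal dot, so
        # the sub-technique form needs no escaping.
        field = ET.SubElement(rule, "field", name="win.eventdata.ruleName")
        field.text = f"^{tid}$"
        ET.SubElement(rule, "description").text = f"{tid} - {name}"
        # The technique ID is written literally, which is all Wazuh accepts.
        ET.SubElement(ET.SubElement(rule, "mitre"), "id").text = tid
        ET.SubElement(rule, "options").text = "no_full_log"
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


def mitre_ids(rules_xml):
    """All <mitre><id> values in a rules document, in document order."""
    root = ET.fromstring(rules_xml)
    return [i.text for m in root.iter("mitre") for i in m.iter("id")]


def rule_ids(rules_xml):
    """Numeric rule IDs in a rules document, in document order."""
    return [int(r.get("id")) for r in ET.fromstring(rules_xml).iter("rule")]


def unresolved_mitre_ids(rules_xml):
    """<mitre><id> values that are not literal technique IDs: this is the
    check that flags the $(win.eventdata.ruleName) attempt from the thread."""
    return [i for i in mitre_ids(rules_xml) if not is_technique_id(i)]


if __name__ == "__main__":
    doc = render_rules(TECHNIQUES)
    if unresolved_mitre_ids(doc):
        raise SystemExit("template text leaked into <mitre><id>")
    print(doc)  # paste into /var/ossec/etc/rules/local_rules.xml
```

Two design points worth keeping even if you hand-write the rules instead: anchor the field match (^T1027$) so a technique rule does not also match its sub-techniques, and run the unresolved_mitre_ids style check on the finished file, because Wazuh will load a rule whose mitre id is literally "$(win.eventdata.ruleName)" without complaint, as the thread shows.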