# `PySigma QRadar AQL`
This is the QRadar AQL backend for [pySigma](https://github.com/SigmaHQ/pySigma),
which parses and converts [Sigma](https://github.com/SigmaHQ/sigma) rules into
QRadar queries in AQL. It consists of a backend and two pipelines, as described below.
The project uses the [pySigma_QRadar_base](https://github.com/IBM/pySigma_QRadar_base)
submodule.
# Backend
- QRadarAQL: It provides the package `sigma.backends.QRadarAQL` with the `QRadarAQLBackend` class.
# Pipelines
Further, it contains the following processing pipelines in `sigma.pipelines.QRadarAQL`:
- QRadarAQL_fields_pipeline: Supports only the `Sigma fields` in the [Field Mapping](./README.md#field-mapping).
- QRadarAQL_payload_pipeline: Uses `UTF8(payload)` instead of fields unsupported by the [Field Mapping](./README.md#field-mapping). For such unsupported fields, the following value types cannot be converted:
  * Boolean
  * Null
  * CIDR
  * Regular Expression
  * Numeric Comparison
# Installation
## PyPI
```
pip install ibm-qradar-aql
```
## Sigma plugin
### Sigma CLI
1. install [sigma-cli](https://github.com/SigmaHQ/sigma-cli#Installation)
2. install with Sigma plugins:
```
sigma plugin install ibm-qradar-aql
```
### pySigma
```python
from sigma.plugins import SigmaPluginDirectory
plugins = SigmaPluginDirectory.default_plugin_directory()
plugins.get_plugin_by_id("ibm-qradar-aql").install()
```
## Usage
Convert Sigma rules to AQL by using `ibm-qradar-aql` as backend, and one of `qradar-aql-fields` and `qradar-aql-payload` as pipeline:
### Sigma CLI
```
sigma convert -t ibm-qradar-aql -p <qradar-aql-fields | qradar-aql-payload> <rule path> -o <output file name>
```
#### Input example:
*PLEASE NOTE: you should have `Sigma rules` in your project to use the following command*
```
sigma convert -t ibm-qradar-aql -p qradar-aql-payload rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml -o output_file.txt
```
#### Output example:
```
['SELECT * FROM events WHERE devicetype=12 AND LOWER("Target Process Path") LIKE \'%\\keepass.exe\'']
```
### pySigma
#### Input example:
```python
from sigma.collection import SigmaCollection
from sigma.backends.QRadarAQL import QRadarAQLBackend
from sigma.pipelines.QRadarAQL import QRadarAQL_fields_pipeline, QRadarAQL_payload_pipeline

pipeline = QRadarAQL_fields_pipeline  # or QRadarAQL_payload_pipeline

# The backslash is doubled for Python so that the YAML receives '\KeePass.exe'.
rule = SigmaCollection.from_yaml("""
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\\KeePass.exe'
    condition: selection
""")
print(QRadarAQLBackend(pipeline()).convert(rule)[0])
```
#### Output example:
```
SELECT * FROM events WHERE devicetype=12 AND LOWER("Target Process Path") LIKE '%\keepass.exe'
```
# Develop
This project uses the
[pySigma_QRadar_base](https://github.com/IBM/pySigma_QRadar_base) submodule.
After cloning the project, make sure to update the submodule from the `sigma` directory
by running:
```
git submodule update --init --recursive
```
# QRadar Content Packs
- [Properties Dictionary](https://exchange.xforce.ibmcloud.com/hub/extension/73f46b27280d30a4b8ec4685da391b1c) (required)
- [Windows Custom Properties](https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:MicrosoftWindowsCustomProperties) (recommended)
- [Linux Custom Properties](https://exchange.xforce.ibmcloud.com/hub/extension/427f5d543cb917916619e6abafc26404) (recommended)
Other properties can be found in the [App Exchange](https://exchange.xforce.ibmcloud.com/hub).
# Mapping
## Field Mapping
| <u>Sigma field</u> | <u>QRadar AQL field</u> |
|:-------------------------|:--------------------------------------------------------------------------------------|
| AccessList | Rule Name |
| AccessMask | Access Mask |
| Accesses | Accesses |
| AppID | Application |
| AppId | Application |
| AppName | Application |
| AttributeLDAPDisplayName | Username, Account Name, Distinguished Name |
| AttributeValue | Attribute Old Value, Attribute New Value |
| c-useragent | User Agent |
| cs-user-agent | User Agent |
| cs-username | Username |
| CallTrace | Call Trace |
| CallerProcessName | Process Path |
| cipher | Ticket Encryption Type |
| CommandLine | Command |
| cs-method | Method |
| DestinationHostname | Destination Hostname |
| ErrorCode | Error Code |
| ExceptionCode | Error Code |
| EventID | Event ID |
| eventSource | devicetype |
| FailureCode | Error Code |
| FileName | Filename |
| Filename | Filename |
| GrantedAccess | Granted Access |
| Hashes | CONCAT(MD5=, MD5 Hash , SHA1=, SHA1 Hash , SHA256=, SHA256 Hash , IMPHASH=, IMP HASH) |
| HostApplication | Process Path |
| HostName | Hostname |
| Initiated | Initiated |
| Image | Process Path, Process Name |
| ImageName | Process Name |
| ImagePath | Process Path |
| Imphash | IMP Hash |
| IntegrityLevel | Integrity Level |
| InterfaceUuid | Source Interface UUID |
| LogonType | Logon Type |
| Message | Message |
| Name | File Path |
| ObjectName | Object Name |
| ObjectType | Object Type |
| OriginalFileName | Filename |
| ParentCommandLine | Parent Command |
| ParentImage | Parent Process Path |
| ParentProcessId | Parent Process ID |
| Path | File Path |
| path | File Path |
| Payload | UTF8(payload) |
| payload | UTF8(payload) |
| PipeName | Pipe Name |
| ProcessId | Process ID |
| ProcessName | Process Name |
| ProcessPath | Process Path |
| SamAccountName | SAM Account Name |
| Service | Service Name |
| ServiceFileName | Service Filename |
| ServiceName | Service Name |
| ShareName | Share Name |
| Signed | Signed |
| Status | Status |
| StartAddress | Start Address |
| TargetFilename | Filename |
| TargetImage | Target Process Path |
| TargetObject | Process Name, Target Process Name, Object Name |
| TargetUserName | Target Username |
| TaskName | Task Name |
| TicketEncryptionType | Ticket Encryption Type |
| UserName | Username |
| Username | Username |
| md5 | MD5 Hash |
| method | Method |
| NewTargetUserName | Target Username |
| sha1 | SHA1 Hash |
| sha256 | SHA256 Hash |
| SourceFilename | filename |
| SourceImage | Source Process Path |
| USER | Username |
| User | Username |
| userAgent | User Agent |
| user_agent | User Agent |
| eventName | QIDNAME(qid) |
| ImageLoaded | CONCAT(file directory, /, filename) |
| DestinationIp | destinationip |
| DestPort | destinationport |
| DestinationPort | destinationport |
| destination.port | destinationport |
| dst_ip | destinationip |
| dst_port | destinationport |
| SourcePort | sourceport |
| src_ip | sourceip |
| c-uri | URL |
| c-uri-extension | URL |
| c-uri-query | URL |
| cs-uri | URL |
| cs-uri-query | URL |
| cs-uri-stem | URL |
| properties.message | Message |
| ScriptBlockText | Message |
| uri | URL |
| a0 | Command |
| a1 | Command |
| a2 | Command |
| a3 | Command |
| a4 | Command |
| a5 | Command |
## Log-Source Mapping
### Sigma service mapping to QRadar AQL device type
| <u>Sigma service</u> | <u>QRadar AQL device type name</u> | <u>QRadar AQL device type id</u> |
|:-----------------------|:-------------------------------------------------------|:-----------------------------------|
| aaa | BridgewaterAAA | 143 |
| apache | Apache | 10 |
| auditd | LinuxServer | 11 |
| auth | WindowsAuthServer | 12 |
| clamav | LinuxServer | 11 |
| cloudtrail | AmazonAWSCloudTrail | 347 |
| cron | LinuxServer | 11 |
| exchange | MicrosoftExchange | 99 |
| gcp.audit | GoogleCloudAudit | 449 |
| iis | IIS | 13 |
| ldp | NetScreenIDP | 17 |
| lsa-server | ISA | 191 |
| microsoft365portal | Office365, Office365MessageTrace, Microsoft365Defender | 397, 452, 515 |
| okta | OktaIdentityManagement | 382 |
| powershell | WindowsAuthServer | 12 |
| rdp | LinuxServer, WindowsAuthServer | 11, 12 |
| smbclient-security | LinuxServer, WindowsAuthServer | 11, 12 |
| sshd | LinuxServer | 11 |
| sudo | LinuxServer | 11 |
| syslog | LinuxServer, WindowsAuthServer | 11, 12 |
| sysmon | WindowsAuthServer | 12 |
| taskscheduler | LinuxServer, WindowsAuthServer | 11, 12 |
| threat_detection | SAPEnterpriseThreatDetection | 424 |
| windefend | MicrosoftWindowsDefenderATP | 433 |
| wmi | WindowsAuthServer | 12 |
### Sigma product mapping to QRadar AQL device type
| <u>Sigma product</u> | <u>QRadar AQL device type name</u> | <u>QRadar AQL device type id</u> |
|:-----------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------|
| aws | AmazonAWSCloudTrail, AWSSecurityHub, AmazonAWSNetworkFirewall, AmazonAWSALBAccessLogs, AmazonAWSWAF, AmazonAWSKubernetes, AmazonAWSRoute53, AmazonCloudFront, AWSVerifiedAccess | 347, 440, 456, 460, 501, 502, 507, 516, 519 |
| MicrosoftAzure | MicrosoftAzure | 413 |
| cisco | Pix, IOS, VpnConcentrator, CSA, IDS, FWSM, ASA, CatOS, ACS, Cisco, NAC, Series12000, Series6500, Series7600, SeriesCRS, SeriesISR, IronPort, Aironet, Wism, ACE, CiscoWirelessNCS, Nexus, CiscoWLC, CiscoCallManager, CiscoISE, CiscoCWS, CiscoStealthwatch, CiscoUmbrella, CiscoMeraki, CiscoAMP, CiscoFirepowerThreatDefense, CiscoDuo | 6, 20, 23, 26, 30, 31, 41, 56, 90, 94, 95, 113, 114, 115, 116, 117, 179, 182, 183, 194, 248, 250, 273, 274, 316, 419, 429, 431, 435, 437, 448, 508 |
| gcp | GoogleGSuite, GoogleCloudAudit, GoogleCloudPlatformFirewall, GoogleCloudDNS | 442, 449, 455, 461 |
| huawei | SSeriesSwitch, ARSeriesRouter | 269, 283 |
| juniper | NetScreenFirewall, NetScreenIDP, JuniperSA, NetScreenNSM, InfranetController, JuniperRouter, JuniperSBR, JuniperDX, JuniperMSeries, JuniperMXSeries, JuniperTSeries, JuniperEXSeries, JuniperSRX, Avt, SRC, JuniperAltorVGW, SecurityBinaryLogCollector, JuniperMykonosWebSecurity, JuniperWirelessLAN, JuniperDDoSSecure | 5, 17, 36, 45, 59, 64, 83, 111, 118, 122, 123, 139, 150, 168, 192, 235, 264, 290, 320, 344 |
| linux | LinuxServer | 11 |
| m365 | Office365 | 397 |
| macos | AppleOSX | 102 |
| okta | OktaIdentityManagement | 382 |
| sql | MicrosoftSQL | 101 |
| windows | WindowsAuthServer | 12 |
# Mapping Contribution
Pull requests are welcome. After updating the Mapping, please run
[generate_readme.py](./generate_readme.py) for updating the mapping tables in
the README file.
### [Field Mapping](./sigma/mapping/fields.py):
#### field mapping from Sigma to AQL
- `field_mapping`: mapping for fields with an exact match from Sigma to AQL
- `host_field_mapping`: mapping for host fields; values with wildcards are converted to CIDR
- `unstructured_field_mapping`: mapping for fields whose value is a substring of another field's value; the equal sign ('=') is replaced with the 'LIKE' operator
- `unstructured_part_field_mapping`: mapping for fields that are part of another field; the equal sign ('=') is replaced with the 'LIKE' operator, and the value is transformed to the form '{field}%{value}'
### Log-Source Mapping:
#### mapping from Sigma log source to AQL device type id
- [aql_log_source_mapping](./sigma/mapping/logsources.py): AQL mapping from
device type name to device type id – *PLEASE DO NOT CHANGE THIS MAPPING*
- [aql_service_mapping](./sigma/mapping/services.py): mapping from Sigma
services to AQL device type id
- [aql_product_mapping](./sigma/mapping/products.py): mapping from Sigma products
to AQL device type id
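The conversion behaviour described in the Pipelines, Usage and Mapping Contribution sections (log source to `devicetype`, the four field-mapping kinds, and the payload fallback with its unsupported value types), as an added, self-contained Python model; it is not the project's own code. The mapping dictionaries are constructed excerpts of the README tables, and the `Imphash`→`Hashes` part-mapping entry, the `INCIDR(...)` form for wildcard hosts and the `devicetype IN (...)` form for several ids are assumptions made for illustration.

```python
import ipaddress
# Constructed excerpts of the README's mapping tables, not the project's full tables.
PRODUCT_DEVICETYPES = {"windows": [12], "linux": [11], "macos": [102]}
SERVICE_DEVICETYPES = {"rdp": [11, 12], "sysmon": [12], "sshd": [11]}
FIELD_MAPPING = {"TargetImage": "Target Process Path", "CommandLine": "Command", "EventID": "Event ID"}
HOST_FIELD_MAPPING = {"src_ip": "sourceip", "DestinationIp": "destinationip"}
UNSTRUCTURED_FIELD_MAPPING = {"ScriptBlockText": "Message"}  # value is a substring of the field
UNSTRUCTURED_PART_FIELD_MAPPING = {"Imphash": "Hashes"}      # hypothetical entry for illustration
LIKE_MODIFIERS = {"contains": "%{}%", "startswith": "{}%", "endswith": "%{}"}
COMPARE = {"gt": ">", "gte": ">=", "lt": "<", "lte": "<="}

class UnsupportedCondition(ValueError):
    """A field or value type that the chosen pipeline cannot express in AQL."""

def sql_quote(text):
    """Double single quotes so a rule value cannot terminate the AQL string literal early."""
    return text.replace("'", "''")

def to_like(pattern):
    """Sigma wildcards to AQL LIKE wildcards; lowercased because the field is wrapped in LOWER()."""
    return sql_quote(pattern.replace("*", "%").replace("?", "_").lower())

def like(expr, pattern):
    return f"LOWER({expr}) LIKE '{to_like(pattern)}'"

def wildcard_host_to_cidr(value):
    """'10.0.*' -> '10.0.0.0/16': trailing wildcard octets become the host part (assumed semantics)."""
    octets = value.split(".")
    fixed = [o for o in octets if o != "*"]
    if len(octets) > 4 or any(o != "*" for o in octets[len(fixed):]):
        raise UnsupportedCondition(f"cannot express {value!r} as a CIDR")
    network = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return str(ipaddress.ip_network(f"{network}/{8 * len(fixed)}"))

def devicetype_clause(logsource):
    """Service mapping takes precedence over product mapping; several ids become an IN list (assumed form)."""
    ids = SERVICE_DEVICETYPES.get(logsource.get("service")) or PRODUCT_DEVICETYPES.get(logsource.get("product"))
    if not ids:
        raise UnsupportedCondition(f"no device type for log source {logsource!r}")
    return f"devicetype={ids[0]}" if len(ids) == 1 else "devicetype IN (" + ", ".join(map(str, ids)) + ")"

def convert_condition(key, value, payload_pipeline=False):
    """One 'field|modifier: value' pair of a Sigma selection to one AQL predicate."""
    field, _, modifier = key.partition("|")
    text = "" if value is None else str(value)
    if field in HOST_FIELD_MAPPING:                            # host_field_mapping: wildcard -> CIDR
        aql = HOST_FIELD_MAPPING[field]
        return f"INCIDR('{wildcard_host_to_cidr(text)}', {aql})" if "*" in text else f"{aql}='{sql_quote(text)}'"
    if field in FIELD_MAPPING:                                 # field_mapping: exact match
        aql = f'"{FIELD_MAPPING[field]}"'
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return f"{aql}{COMPARE.get(modifier, '=')}{value}"  # numeric comparison, no quoting
        if modifier in LIKE_MODIFIERS or "*" in text:
            return like(aql, LIKE_MODIFIERS.get(modifier, "{}").format(text))
        return f"LOWER({aql})='{to_like(text)}'"
    if field in UNSTRUCTURED_FIELD_MAPPING:                    # '=' is replaced with LIKE '%value%'
        return like(f'"{UNSTRUCTURED_FIELD_MAPPING[field]}"', "%" + text + "%")
    if field in UNSTRUCTURED_PART_FIELD_MAPPING:               # value becomes '{field}%{value}'
        return like(f'"{UNSTRUCTURED_PART_FIELD_MAPPING[field]}"', f"%{field}%{text}%")
    if not payload_pipeline:
        raise UnsupportedCondition(f"field {field!r} is not in the Field Mapping")
    # Payload pipeline: search the raw event, which only works for plain string matching.
    if value is None or isinstance(value, (bool, int, float)) or modifier in ("re", "cidr", *COMPARE):
        raise UnsupportedCondition(f"{key!r}: value type not supported against UTF8(payload)")
    return like("UTF8(payload)", "%" + text + "%")

def supported_by_pipeline(key, value, payload_pipeline=False):
    """True if the pair converts under that pipeline; a quick coverage check for rule authors."""
    try:
        return bool(convert_condition(key, value, payload_pipeline))
    except UnsupportedCondition:
        return False

def convert_rule(logsource, selection, payload_pipeline=False):
    """AQL for a rule whose condition is a single selection (all pairs ANDed; list values not modelled)."""
    predicates = [devicetype_clause(logsource)]
    predicates += [convert_condition(k, v, payload_pipeline) for k, v in selection.items()]
    return "SELECT * FROM events WHERE " + " AND ".join(predicates)

if __name__ == "__main__":  # the README's KeePass rule as a dict instead of YAML
    print(convert_rule({"product": "windows"}, {"TargetImage|endswith": "\\KeePass.exe"}))
```

For the README's KeePass rule, `convert_rule` reproduces the README's output string; `supported_by_pipeline` reports which selection pairs a rule would lose under the fields pipeline versus the payload pipeline before the rule is deployed.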
# License
pySigma-backend-QRadar-AQL is licensed under the MIT [License](./LICENSE).
# Maintainers
* [Cyber Center of Excellence - IBM](https://github.com/noaakl/)