Sigma2SplunkAlert config - P4T12ICK/Sigma2SplunkAlert GitHub Wiki
Sigma2SplunkAlert uses a configuration file in YAML syntax to provide the values for the generated Splunk alerts. Sigma2SplunkAlert supports the generation of Splunk scheduled alerts.
Splunk Alert
```yaml
app: [mandatory]
cron_schedule: [mandatory]
earliest_time: [mandatory]
latest_time: [mandatory]
schedule_window: [optional]
allow_skew: [optional]
search_transformations: [optional]
  - ...
alert_action: [mandatory] (at least one action)
  summary_index: [optional]
    name: [mandatory]
    enrich_tags: [optional]
    enrich_level: [optional]
  email: [optional]
    to: [mandatory]
    subject: [mandatory]
    message: [mandatory]
    result_link: [optional]
    view_link: [optional]
    include_search: [optional]
    include_trigger: [optional]
    include_trigger_time: [optional]
    inline: [optional]
    sendcsv: [optional]
    sendpdf: [optional]
    sendresults: [optional]
  alert_manager: [optional]
    title: [optional]
    auto_assign_owner: [optional]
    append_incident: [optional]
    auto_previous_resolve: [mandatory]
    auto_subsequent_resolve: [mandatory]
    auto_suppress_resolve: [mandatory]
    auto_ttl_resove: [mandatory]
    display_fields: [optional]
    urgency: [optional]
    impact: [optional]
    category: [optional]
    subcategory: [optional]
    tags: [optional]
    notification_scheme: [optional]
```
- app: The Splunk alert dispatch app.
- cron_schedule: The cron schedule for the alert.
- earliest_time: The Splunk earliest time for the alert.
- latest_time: The Splunk latest time for the alert.
- schedule_window: When schedule_window is non-zero, it indicates to the scheduler that the search does not require a precise start time. See Splunk savedsearches.conf configuration for more information.
- allow_skew: Lets the search scheduler randomly distribute scheduled searches more evenly over the scheduled time periods. See Splunk savedsearches.conf configuration for more information.
- search_transformations: Customizes the generated Splunk search with a list of search transformations; each transformation must be defined in DetectionRuleConverter.
- alert_action: Contains an email action, a summary index action, or both (as shown in the example).
- summary_index: Stores the triggered detection rules in a summary index (see the next chapter for details).
- email: Options for the email alert action (see the next chapter for details).
Example:

```yaml
app: 'sigma_hunting_app'
cron_schedule: '*/10 * * * *'
earliest_time: '-10m'
latest_time: 'now'
schedule_window: auto
search_transformations:
  - add_host_field
  - add_transforming_command
  - add_whitelist
alert_action:
  summary_index:
    name: 'threat-hunting'
    enrich_tags: 1
    enrich_level: 1
  email:
    to: '[email protected]'
    subject: 'Splunk Alert: $name$'
    message: 'Splunk Alert $name$ triggered |List of interesting fields: %fields% |title: %title% status: %status% |description: %description% |references: %references% |tags: %tags% |author: %author% |date: %date% |falsepositives: %falsepositives% |level: %level%'
```
Summary Index Action
```yaml
app: 'sigma_hunting_app'
cron_schedule: '*/10 * * * *'
earliest_time: '-10m'
latest_time: 'now'
schedule_window: auto
search_transformations:
  - add_host_field
  - add_transforming_command
  - add_whitelist
alert_action:
  summary_index:
    name: 'threat-hunting'
    enrich_tags: 1
    enrich_level: 1
```
The triggered detection rules are stored in a summary index with the name given in the field name. enrich_tags enriches the summary index events with the tags of the rule; enrich_level enriches them with the level of the rule.
Email Action
In the email message, the character | marks a new line.
Token
The following tokens are supported:
- %fields%: uses the fields of the Sigma rule to generate a table in the email body; the table is filled with the values of the alert by using the Splunk tokens $result.fieldname$.
- %mitre%: inserts the MITRE ATT&CK Technique ID and MITRE ATT&CK Tactic into the email body.
- %title%: inserts the Sigma title into the email body.
- %status%: inserts the Sigma status into the email body.
- %description%: inserts the Sigma description into the email body.
- %references%: inserts the Sigma references into the email body.
- %tags%: inserts the Sigma tags into the email body.
- %author%: inserts the Sigma author into the email body.
- %date%: inserts the Sigma date into the email body.
- %falsepositives%: inserts the Sigma false positives into the email body.
- %level%: inserts the Sigma level into the email body.
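To show how the mandatory/optional schema above and the email tokens fit together, here is an added example (not code from the Sigma2SplunkAlert project): it checks a config dict for the mandatory keys listed on this page and renders an email message template, expanding the %token% placeholders from Sigma rule metadata and turning | into newlines. The config and rule are constructed for the example; the exact row layout of the %fields% table and the derivation of %mitre% from attack.* tags are assumptions.

```python
import re

# Mandatory keys per the wiki page: top level, and per alert action.
MANDATORY_TOP = ("app", "cron_schedule", "earliest_time", "latest_time", "alert_action")
MANDATORY_ACTION = {"summary_index": ("name",), "email": ("to", "subject", "message")}

def check_config(cfg):
    """Return a list of problems; an empty list means the config is complete."""
    problems = [f"missing top-level key: {k}" for k in MANDATORY_TOP if k not in cfg]
    actions = cfg.get("alert_action") or {}
    if "alert_action" in cfg and not actions:
        problems.append("alert_action needs at least one action")
    for action, keys in MANDATORY_ACTION.items():
        if action in actions:
            problems += [f"missing {action}.{k}" for k in keys if k not in (actions[action] or {})]
    return problems

def render_message(template, rule):
    """Expand %token% placeholders from Sigma rule metadata; '|' becomes a newline."""
    values = {k: ", ".join(v) if isinstance(v, list) else str(v) for k, v in rule.items()}
    # %fields%: one row per Sigma field, filled at alert time by Splunk's $result.<field>$
    # token. The row layout is an assumption; the page only says a table is generated.
    values["fields"] = "\n".join(f"{f}: $result.{f}$" for f in rule.get("fields", []))
    # %mitre%: technique IDs and tactics derived from attack.* tags (assumed derivation).
    tech = [t[7:].upper() for t in rule.get("tags", []) if re.match(r"attack\.t\d+", t)]
    tact = [t[7:] for t in rule.get("tags", []) if t.startswith("attack.") and not re.match(r"t\d+$", t[7:])]
    values["mitre"] = f"techniques: {', '.join(tech)}; tactics: {', '.join(tact)}"
    # Unknown tokens are left in place so a typo in the template is visible in the mail.
    body = re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), m.group(0)), template)
    return body.replace("|", "\n")

# Constructed sample config mirroring the wiki example (not taken from a real deployment).
SAMPLE_CONFIG = {
    "app": "sigma_hunting_app", "cron_schedule": "*/10 * * * *",
    "earliest_time": "-10m", "latest_time": "now",
    "alert_action": {
        "summary_index": {"name": "threat-hunting", "enrich_tags": 1, "enrich_level": 1},
        "email": {"to": "soc@example.com", "subject": "Splunk Alert: $name$",
                  "message": "Alert $name$ triggered |fields: %fields% |%mitre% |level: %level%"},
    },
}
# Constructed Sigma rule metadata used to fill the tokens.
SAMPLE_RULE = {"title": "Example Rule", "level": "high", "fields": ["CommandLine", "User"],
               "tags": ["attack.execution", "attack.t1059"], "falsepositives": ["Admin scripts"]}

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
    print(render_message(SAMPLE_CONFIG["alert_action"]["email"]["message"], SAMPLE_RULE))
```

Note that $name$ and $result.fieldname$ are Splunk-side tokens and are passed through untouched; only the %token% placeholders are resolved here.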