Sigma2SplunkAlert config - P4T12ICK/Sigma2SplunkAlert GitHub Wiki

Sigma2SplunkAlert uses a configuration file in YAML syntax to provide the Splunk alert configuration values. Sigma2SplunkAlert supports the generation of Splunk scheduled alerts.

Splunk Alert

app: [mandatory]
cron_schedule: [mandatory]
earliest_time: [mandatory]
latest_time: [mandatory]
schedule_window: [optional]
allow_skew: [optional]
search_transformations: [optional]
    - ...
alert_action: [mandatory] (at least one action)
    summary_index: [optional]
        name: [mandatory]
        enrich_tags: [optional]
        enrich_level: [optional]
    email: [optional]
        to: [mandatory]
        subject: [mandatory]
        message: [mandatory]
        result_link: [optional]
        view_link: [optional]
        include_search: [optional] 
        include_trigger: [optional]
        include_trigger_time: [optional]
        inline: [optional] 
        sendcsv: [optional]
        sendpdf: [optional]
        sendresults: [optional]
    alert_manager: [optional]
        title: [optional]
        auto_assign_owner: [optional]
        append_incident: [optional]
        auto_previous_resolve: [mandatory]
        auto_subsequent_resolve: [mandatory]
        auto_suppress_resolve: [mandatory]
        auto_ttl_resove: [mandatory]
        display_fields: [optional]
        urgency: [optional]
        impact: [optional]
        category: [optional]
        subcategory: [optional]
        tags: [optional]
        notification_scheme: [optional]
  • app: The Splunk alert dispatch app.
  • cron_schedule: The cron schedule for the alert.
  • earliest_time: The Splunk earliest time for the alert.
  • latest_time: The Splunk latest time for the alert.
  • schedule_window: When schedule_window is non-zero, it indicates to the scheduler that the search does not require a precise start time. See Splunk savedsearches.conf configuration for more information.
  • allow_skew: Lets the search scheduler randomly distribute scheduled searches more evenly over the scheduled time periods. See Splunk savedsearches.conf configuration for more information.
  • search_transformations: Allows customizing the Splunk output with a list of search transformations, which need to be defined in DetectionRuleConverter.
  • alert_action: Contains either an email action or a summary index action, or both (as shown in the example).
  • summary_index: Stores the triggered detection rules in a summary index (see next chapter for further info).
  • email: Different options for the email alert action (see next chapter for further info).

Example:

app: 'sigma_hunting_app'
cron_schedule: '*/10 * * * *'
earliest_time: '-10m'
latest_time: 'now'
schedule_window: auto
search_transformations:
    - add_host_field
    - add_transforming_command
    - add_whitelist
alert_action:
    summary_index:
        name: 'threat-hunting'
        enrich_tags: 1
        enrich_level: 1
    email:
        to: '[email protected]'
        subject: 'Splunk Alert: $name$'
        message: 'Splunk Alert $name$ triggered |List of interesting fields:  %fields% |title: %title% status: %status% |description: %description% |references: %references% |tags: %tags% |author: %author% |date: %date% |falsepositives: %falsepositives% |level: %level%'

Summary Index Action

app: 'sigma_hunting_app'
cron_schedule: '*/10 * * * *'
earliest_time: '-10m'
latest_time: 'now'
schedule_window: auto
search_transformations:
    - add_host_field
    - add_transforming_command
    - add_whitelist
alert_action:
    summary_index:
        name: 'threat-hunting'
        enrich_tags: 1
        enrich_level: 1

The triggered detection rules are stored in a summary index with the name defined in the field name. enrich_tags enriches the summary index with information about the tags. enrich_level enriches the summary index with information about the level.

Email Action

In the Email message, | is the character for a new line.

Token

The following tokens are supported:

  • %fields%: uses the fields information of the Sigma file and generates a table in the Email body, which is filled with the values of the alert by using the Splunk tokens $result.fieldname$.
  • %mitre%: uses the MITRE ATT&CK Technique ID and MITRE ATT&CK Tactic information in the Email body.
  • %title%: uses the Sigma title in the Email body.
  • %status%: uses the Sigma status in the Email body.
  • %description%: uses the Sigma description in the Email body.
  • %references%: uses the Sigma references in the Email body.
  • %tags%: uses the Sigma tags in the Email body.
  • %author%: uses the Sigma author in the Email body.
  • %date%: uses the Sigma date in the Email body.
  • %falsepositives%: uses the Sigma falsepositives in the Email body.
  • %level%: uses the Sigma level in the Email body.
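As an added example (not Sigma2SplunkAlert's own code), the following Python checks the mandatory keys of the Splunk Alert section above and expands the email message tokens from this chapter, treating | as a new line. The rule and config dicts are constructed sample data, and deriving %mitre% from the rule's attack.* tags is an assumption about how the tool fills that token.

```python
# Added example, not part of Sigma2SplunkAlert. Validates the mandatory config keys
# and renders the email message tokens. Sample data below is constructed.
MANDATORY = ("app", "cron_schedule", "earliest_time", "latest_time", "alert_action")

def validate_config(config):
    """Return a list of problems; an empty list means the config is usable."""
    problems = [f"missing mandatory key: {k}" for k in MANDATORY if k not in config]
    actions = config.get("alert_action") or {}
    if not any(a in actions for a in ("summary_index", "email", "alert_manager")):
        problems.append("alert_action needs at least one action")
    if "summary_index" in actions and "name" not in actions["summary_index"]:
        problems.append("summary_index.name is mandatory")
    for key in ("to", "subject", "message"):
        if "email" in actions and key not in actions["email"]:
            problems.append(f"email.{key} is mandatory")
    return problems

def fields_table(fields):
    """%fields%: one line per Sigma field, filled at alert time via $result.<field>$."""
    return "\n".join(f"{f}: $result.{f}$" for f in fields)

def render_message(template, rule):
    """Expand %token% placeholders; '|' in the template means a new line."""
    # Translate pipes before substituting, so a '|' inside a rule value survives.
    out = template.replace("|", "\n")
    values = {
        "%fields%": fields_table(rule.get("fields", [])),
        # Assumption: %mitre% built from the rule's attack.* tags (technique + tactic)
        "%mitre%": ", ".join(t for t in rule.get("tags", []) if t.startswith("attack.")),
        "%references%": ", ".join(rule.get("references", [])),
        "%tags%": ", ".join(rule.get("tags", [])),
        "%falsepositives%": ", ".join(rule.get("falsepositives", [])),
    }
    for key in ("title", "status", "description", "author", "date", "level"):
        values[f"%{key}%"] = str(rule.get(key, ""))
    for token, value in values.items():
        out = out.replace(token, value)
    return out  # $name$ and $result.*$ stay for Splunk to resolve when the alert fires

SAMPLE_RULE = {  # constructed Sigma rule fragment
    "title": "Example Detection", "status": "experimental", "level": "high",
    "description": "Constructed rule", "author": "example", "date": "2020/01/01",
    "references": ["https://example.invalid/ref"], "falsepositives": ["Admin scripts"],
    "tags": ["attack.execution", "attack.t1059.001"], "fields": ["CommandLine", "User"],
}
SAMPLE_CONFIG = {  # constructed, mirrors the wiki example above
    "app": "sigma_hunting_app", "cron_schedule": "*/10 * * * *",
    "earliest_time": "-10m", "latest_time": "now",
    "alert_action": {"email": {"to": "soc@example.invalid", "subject": "Splunk Alert: $name$",
        "message": "Splunk Alert $name$ triggered |fields: %fields% |level: %level%"}},
}
```

Running validate_config before conversion surfaces a missing mandatory key or an empty alert_action at build time rather than as a silently unscheduled alert in Splunk.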