
Allow Timesketch to have sketch-specific Sigma rules #3004

Open
sedoy107 opened this issue Dec 6, 2023 · 1 comment

Comments

@sedoy107

sedoy107 commented Dec 6, 2023

Is your feature request related to a problem? Please describe.
My problem is that the Sigma rules are global for each of the sketches. In my case I have multiple unrelated timelines. I have a set of generic Sigma rules that I run on each of the timelines. Then I create Sigma rules that take into account the sketch specifics. The problem is that there is no way for me to restrict particular rules only for certain timelines. All the rules are globally available. This clogs the list of rules in the UI and makes it hard to work with sketches.

Describe the solution you'd like
Having global and sketch-specific Sigma rules would be a solution to my problem. The user should be able to enter the sketch and view/create sketch-specific rules. The Sigma Analyzer should take into account this sketch-to-rule(s) relationship and run sketch-specific rules on the correct sketch.

Describe alternatives you've considered
Currently I've patched the UI to filter the list of Sigma rules based on the sketch name. This gives the desired cosmetic effect, but it is a rather simplistic workaround for the sake of a demo. The rules are still global.

Additional context
Here's the patch that will make the UI filter the rules:

diff --git a/timesketch/frontend-ng/src/store.js b/timesketch/frontend-ng/src/store.js
index 56aaa72c..bc6b8652 100644
--- a/timesketch/frontend-ng/src/store.js
+++ b/timesketch/frontend-ng/src/store.js
@@ -85,8 +85,11 @@ export default new Vuex.Store({
       Vue.set(state, 'currentSearchNode', payload)
     },
     SET_SIGMA_LIST(state, payload) {
-      Vue.set(state, 'sigmaRuleList', payload['objects'])
-      Vue.set(state, 'sigmaRuleList_count', payload['meta']['rules_count'])
+      let split_char = '_'
+      let prefix = state.sketch.name.split(split_char)[0]
+      let filtered_rules = payload['objects'].filter(rule => rule.title.startsWith(split_char + prefix) || !rule.title.startsWith(split_char))
+      Vue.set(state, 'sigmaRuleList', filtered_rules)
+      Vue.set(state, 'sigmaRuleList_count', filtered_rules.length)
     },
     SET_ACTIVE_USER(state, payload) {
       ApiClient.getLoggedInUser().then((response) => {
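Review bot: `state.sketch.name` is dereferenced without a guard in the new `SET_SIGMA_LIST` body, so if the Sigma list is committed before the sketch has been loaded (or for a sketch whose name is undefined) the mutation throws a TypeError and `sigmaRuleList` is never set; check `state.sketch && state.sketch.name` first and fall back to the unfiltered `payload['objects']` when no prefix can be derived. The filter is also client-side only: `payload['meta']['rules_count']` from the server is replaced by `filtered_rules.length`, so the displayed count no longer matches what the backend and the Sigma analyzer will actually run, and the naming convention being relied on (`_<prefix>` rule titles bound to `<prefix>_` sketch names) is enforced nowhere else, so it should at least be documented in a comment next to the mutation.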
@jaegeral
Collaborator

jaegeral commented Dec 8, 2023

Hi, thank you for the idea. I see where you are coming from; I would say the quickest way for this is to use saved searches instead, as those are sketch-specific.

Sigma and the usage of Sigma rules in Timesketch and the corresponding analyzer are designed to be tool-wide, so changing that would require a non-trivial amount of thought.
What you can also do, though it might not be as elegant, is use the API in combination with Colab: store your Sigma rules outside of Timesketch, then query your external system (e.g. Yeti), get the Sigma rule, parse it with the TS API to get the TS search query, and run it over the sketch you are interested in.

Hope that helps.
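The external-rule-store workflow suggested above needs one piece neither comment spells out: deciding which rules from the store apply to a given sketch. The following is an added example (not Timesketch code and not part of either comment) that implements the title-prefix convention from the reporter's workaround in Python with the edge cases the UI patch does not cover: a missing or empty sketch name, a sketch name without an underscore, and a rule scoped to a different prefix that merely shares a leading substring (`_acme-corp` must not match sketch `acme_...`). The rule objects and sketch names are constructed sample data; converting each selected rule to a Timesketch query and running the search go through the Timesketch API client and are out of scope here.

```python
"""Select which Sigma rules from an external store apply to a Timesketch sketch.

Convention (taken from the reporter's UI workaround; an assumption of this
example, not a Timesketch feature):
  * a rule whose title starts with "_<scope>" is sketch-specific and applies
    only to sketches named "<scope>_..." (the part before the first "_");
  * every other rule is global and applies to every sketch.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SPLIT_CHAR = "_"
# Scope token: the run of [A-Za-z0-9-] directly after the leading underscore.
_SCOPE_RE = re.compile(r"^_([A-Za-z0-9-]+)")


@dataclass(frozen=True)
class SigmaRule:
    """Minimal stand-in for a rule record pulled from an external store."""
    rule_uuid: str
    title: str


def sketch_prefix(sketch_name: Optional[str]) -> Optional[str]:
    """Return the scoping prefix of a sketch name, or None when the sketch
    does not follow the "<prefix>_<rest>" convention (missing name, no
    underscore, or an empty prefix such as "_leading")."""
    if not sketch_name:
        return None
    prefix, sep, _rest = sketch_name.partition(SPLIT_CHAR)
    if not sep or not prefix:
        return None
    return prefix


def rule_scope(rule: SigmaRule) -> Optional[str]:
    """Return the scope a sketch-specific rule is bound to, or None for a
    global rule. A title like "_acme Unusual login" yields "acme"; the match
    is on the whole token, so "_acme-corp ..." yields "acme-corp"."""
    match = _SCOPE_RE.match(rule.title)
    return match.group(1) if match else None


def select_rules(rules: Iterable[SigmaRule],
                 sketch_name: Optional[str]) -> List[SigmaRule]:
    """Return the rules that should run on the given sketch: all global rules
    plus the sketch-specific rules whose scope equals the sketch prefix.

    A title that starts with "_" but carries no parsable scope is treated as
    malformed and skipped rather than silently promoted to a global rule."""
    prefix = sketch_prefix(sketch_name)
    selected: List[SigmaRule] = []
    for rule in rules:
        if rule.title.startswith(SPLIT_CHAR):
            scope = rule_scope(rule)
            if scope is None:
                continue  # malformed sketch-specific title, e.g. "_ foo"
            if prefix is not None and scope == prefix:
                selected.append(rule)
        else:
            selected.append(rule)  # global rule
    return selected


def selected_titles(rules: Iterable[SigmaRule],
                    sketch_name: Optional[str]) -> List[str]:
    """Convenience wrapper returning just the titles, in store order."""
    return [r.title for r in select_rules(rules, sketch_name)]


# Constructed sample store: one global rule and three sketch-specific ones.
RULES = [
    SigmaRule("r1", "Suspicious PowerShell Download Cradle"),
    SigmaRule("r2", "_acme Unusual service account logon"),
    SigmaRule("r3", "_beta Lateral movement via WinRM"),
    SigmaRule("r4", "_acme-corp Shared-substring scope, must not match acme"),
    SigmaRule("r5", "_ malformed scope token"),
]

if __name__ == "__main__":
    for name in ("acme_incident_2023", "beta_case", "standalone", None):
        print(f"{name!r}: {selected_titles(RULES, name)}")
```

Each selected rule would then be handed to the Timesketch API client for conversion and searched against that sketch only, which keeps the sketch-specific rules out of the global list the issue complains about.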
