Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generic Filter Support in V2 #133

Open
jamesc-grafana opened this issue Jul 10, 2024 · 4 comments
Open

Generic Filter Support in V2 #133

jamesc-grafana opened this issue Jul 10, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@jamesc-grafana
Copy link

Currently in the V2 specification for Sigma Meta Filters, there is a requirement to specify rule names or IDs to which the filter will apply as per the example below:

---
title: Test
id: a6a829ba-c27a-4e3b-9244-28a2cd7d994a
name: test_rule
status: test
logsource:
    category: test_category
    product: test_product
detection:
    sel:
        fieldA: valueA
    condition: sel
---
title: Filter Test
id: 8a876a7d-e281-46d7-9ccc-fcbbd822737b
status: test
logsource:
    category: test_category
    product: test_product
filter:
    rules:
        - test_rule
    selection:
        fieldB: valueB
    condition: not selection

Being able to scope filters to specific rules is really useful for some use cases, but at Grafana and presumably in other SecOps teams, we'd like to be able to apply filters as a more generic transform. A real world example, is that we want to be able to exclude one of our machine-identities from triggering AWS rules, because it will trigger all of them. Rather than specifying each rule individually, I'd like to be able to write a filter more like the below and then apply it at convert time:

---
title: Filter out machine identity
id: 94b03457-03bb-4f10-9a34-eda129608bdd
status: test
logsource:
    category: cloud
    product: aws
filter:
    rules:
        - logsource:
              product: aws
    selection:
        userIdentity.arn: arn:aws:iam::ACCOUNT:/user/machine-identity
    condition: not selection

I think this will extend the usage of filters and make it easier to create exclusions for rules that are in a similar category.
@nasbench
Copy link
Member

cc @thomaspatzke

@nasbench nasbench added the enhancement New feature or request label Jul 24, 2024
@thomaspatzke
Copy link
Member

Yes, there's already the idea to allow the specification of processing pipeline conditions in filter rules.

@jamesc-grafana
Copy link
Author

Hey, thanks for the response, I believe internally we were hoping to achieve this without having to add in processing pipelines as well. The idea being that we wanted to be able to create filter rules for some exclusions that would apply across all rules in a category. We can also achieve this with pipelines, but we were thinking it would be nice to be able to do this with filter rules too as another route for adding conditions to a rule.

@thomaspatzke
Copy link
Member

That's the intention here to integrate it to the filters. That are just the conditions from the processing pipelines that works be reused here because they are already there and do exactly what is needed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@thomaspatzke @nasbench @jamesc-grafana