Logsource Cleanup

[Neo23x0]

Ben M. provided me statistics on the log sources used in our repo.
I'd really like to clean this up and create somewhat like an established base of sources that we've actually mapped in the config files of sigmac and all others - the outliers that are in the rule base but no config that would allow to apply them on event data.
Ben will provide me with more detailed statistics but this is what I've got so far:

logsource.service

5 AzureActivity  <---
12 aaa
8 application <---
1 applocker <---
47 auditd
2 auth <---
37 azure.activitylogs
2 azure.auditlogs
6 azure.signinlogs
1 clamav <---
30 cloudtrail
1 codeintegrity-operational
5 dce_rpc <---
3 dns <---
2 dns-server <---
1 driver-framework <---
14 gcp.audit <---
6 google_workspace.admin 
1 guacamole <---
3 http <---
1 kerberos <---
1 ldap_debug <---
1 microsoft-servicebus-client <---
1 modsecurity <---
8 msexchange-management
3 ntlm <---
1355 null
12 okta <---
2 [http://onelogin.events](https://t.co/IUDTjxKxsZ)
5 powershell
3 powershell-classic <---
1 printservice-admin
1 printservice-operational
1 rdp <---
139 security
7 smb_files <---
1 smbclient-security <---
2 sshd 
1 sudo <---
2 syslog <---
3 sysmon <---
38 system <---
1 taskscheduler <---
1 vsftpd <---
8 windefend <---
1 wmi <---
1 x509 <---

logsource.category

   1 Exchange <---
   1 ThreatDetection <---
  11 ThreatManagement <---
  12 accounting <---
  22 application <---
   1 authentication <---
   1 azure <---
   7 create_remote_thread
   2 create_stream_hash
  11 dns
  10 dns_query
   6 driver_load
   1 edr <---
   2 file_create
   5 file_delete
  78 file_event
   6 firewall <---
  36 image_load
  24 network_connection
 451 null
  13 pipe_created
  21 process_access
 710 process_creation
   1 process_tampering <---
  31 proxy
   1 ps_classic_provider_start
  10 ps_classic_start
  28 ps_module
 110 ps_script
   1 raw_access_thread
 121 registry_event
   1 sysmon_error <---
   1 sysmon_status <---
  47 webserver
   3 wmi_event

I have marked the elements that I'd like to look at with a <---.

[Neo23x0]

I've created a new branch to work on the log source cleanup and already fixed the first issues.
https://github.com/SigmaHQ/sigma/tree/log-source-cleanup

[Neo23x0]

E.g. I have to change the log source in these rules by @austinsonger @redsand because the category field is used in a wrong way. We use category for generic rules, like category: process_creation and I'd like to rename it to service in these rules.

[Neo23x0]

@thomaspatzke : how is this m365.yml used? I don't understand it.

[Neo23x0]

I'd also like to remove the upper case letters since we normally use service_name instead of ServiceName. We've never used upper case letters in the logsources before these rules showed up.

[frack113]

It's my fault, when the m365 cloud rules arrived I proposed to normalize them on the sysmon model. This file should have been remove long time ago.

[thomaspatzke]

Fully agree! We could also do some semantic housekeeping, e.g. the category registry_event could be split into categories for creation, deletion and value set instead of cluttering different events into one category. I suggest to keep the current categories of rule writers wake indeed to cover all events and add the specialized ones for more targeted detection rules.

Similar applies to pipe_created and wmi_event and possibly others.

[frack113]

If you want to keep a Logic with 'event' == cluttering, file_event will be the exception. If registry_event is Split can works on a PR for it. It is more an evolution than a cleanup.

[Neo23x0]

What do you think about changing product: antivirus to category: antivirus?

We already have category: proxy and I think it would be a better definition.

[frack113]

For me, it make sense , product is more the editor/os.
For a rule "mimikatz detection by av on windows client"

product: windows
category: antivirus

[Neo23x0]

I wouldn't limit it to windows. I'd also want my ClamAV running on a Linux fileserver to report me a "Mimikatz" in a backup of workstation or shared folder.

[frack113]

It was just for exemple. It not a rule I want write.