update sysmon events

README.md

@@ -4,7 +4,7 @@
 
 # pySigma Sysmon Processing Pipeline
 
-This is the Sysmon processing pipeline for pySigma. It provides the package `sigma.pipeline.sysmon` with the `sysmon_pipeline` function that returns a ProcessingPipeline object.
+This is the [Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) processing pipeline for pySigma. It provides the package `sigma.pipeline.sysmon` with the `sysmon_pipeline` function that returns a ProcessingPipeline object.
 
 Currently the pipeline adds support for the following event types (Sigma logsource category to EventID mapping):
 
@@ -28,10 +28,14 @@ Currently the pipeline adds support for the following event types (Sigma logsour
 * pipe_created: 17,18
 * wmi_event: 19,20,21
 * dns_query: 22
-* file_delete: 23,26
+* file_delete: 23
 * clipboard_capture: 24
 * process_tampering: 25
 * sysmon_error: 255
+* file_delete_detected: 26
+* file_block_executable: 27
+* file_block_shredding: 28
+* file_executable_detected: 29
 
 This backend is currently maintained by:
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-pipeline-sysmon"
-version = "1.0.4"
+version = "1.0.5"
 description = "pySigma Sysmon processing pipelines"
 readme = "README.md"
 authors = ["Thomas Patzke <[email protected]>"]

sigma/pipelines/sysmon/sysmon.py

@@ -11,8 +11,8 @@
         "process_creation": 1,
         "file_change": 2,
         "network_connection": 3,
-        "process_termination": 5,
         "sysmon_status": [4, 16],
+        "process_termination": 5,
         "driver_load": 6,
         "image_load": 7,
         "create_remote_thread": 8,
@@ -28,9 +28,13 @@
         "pipe_created": [17, 18],
         "wmi_event": [19, 20, 21],
         "dns_query": 22,
-        "file_delete": [23, 26],
+        "file_delete": 23,
         "clipboard_capture": 24,
         "process_tampering": 25,
+        "file_delete_detected": 26,
+        "file_block_executable": 27,
+        "file_block_shredding": 28,
+        "file_executable_detected": 29,
         "sysmon_error": 255,
     }
 )

tests/test_processing_pipelines_sysmon.py

@@ -415,6 +415,74 @@ def sysmon_file_delete_sigma_rule():
     )
 
 
+@pytest.fixture
+def sysmon_file_delete_detected_rule():
+    return SigmaCollection.from_yaml(
+        """
+        title: Sysmon File Delete Detected Test
+        status: test
+        logsource:
+            category: file_delete_detected
+            product: windows
+        detection:
+            sel:
+                TargetFilename: a file name is here
+            condition: sel
+    """
+    )
+
+
+@pytest.fixture
+def sysmon_file_block_executable_rule():
+    return SigmaCollection.from_yaml(
+        """
+        title: Sysmon File Block Executable Test
+        status: test
+        logsource:
+            category: file_block_executable
+            product: windows
+        detection:
+            sel:
+                TargetFilename: a file name is here
+            condition: sel
+    """
+    )
+
+
+@pytest.fixture
+def sysmon_file_block_shredding_rule():
+    return SigmaCollection.from_yaml(
+        """
+        title: Sysmon File Block Shredding Test
+        status: test
+        logsource:
+            category: file_block_shredding
+            product: windows
+        detection:
+            sel:
+                TargetFilename: a file name is here
+            condition: sel
+    """
+    )
+
+
+@pytest.fixture
+def sysmon_file_executable_detected_rule():
+    return SigmaCollection.from_yaml(
+        """
+        title: Sysmon File Executable Detected Test
+        status: test
+        logsource:
+            category: file_executable_detected
+            product: windows
+        detection:
+            sel:
+                TargetFilename: a file name is here
+            condition: sel
+    """
+    )
+
+
 def test_sysmon_process_creation(process_creation_sigma_rule):
     backend = TextQueryTestBackend(sysmon_pipeline())
     assert backend.convert(process_creation_sigma_rule) == [
@@ -579,5 +647,33 @@ def test_sysmon_wmi_event(sysmon_wmi_event_sigma_rule):
 def test_sysmon_file_delete(sysmon_file_delete_sigma_rule):
     backend = TextQueryTestBackend(sysmon_pipeline())
     assert backend.convert(sysmon_file_delete_sigma_rule) == [
-        '(EventID in (23, 26)) and TargetFilename="a file name is here"'
+        'EventID=23 and TargetFilename="a file name is here"'
+    ]
+
+
+def test_sysmon_file_delete_detected(sysmon_file_delete_detected_rule):
+    backend = TextQueryTestBackend(sysmon_pipeline())
+    assert backend.convert(sysmon_file_delete_detected_rule) == [
+        'EventID=26 and TargetFilename="a file name is here"'
+    ]
+
+
+def test_sysmon_file_block_executable(sysmon_file_block_executable_rule):
+    backend = TextQueryTestBackend(sysmon_pipeline())
+    assert backend.convert(sysmon_file_block_executable_rule) == [
+        'EventID=27 and TargetFilename="a file name is here"'
+    ]
+
+
+def test_sysmon_file_block_shredding(sysmon_file_block_shredding_rule):
+    backend = TextQueryTestBackend(sysmon_pipeline())
+    assert backend.convert(sysmon_file_block_shredding_rule) == [
+        'EventID=28 and TargetFilename="a file name is here"'
+    ]
+
+
+def test_sysmon_file_executable_detected(sysmon_file_executable_detected_rule):
+    backend = TextQueryTestBackend(sysmon_pipeline())
+    assert backend.convert(sysmon_file_executable_detected_rule) == [
+        'EventID=29 and TargetFilename="a file name is here"'
     ]