This AQL query returns the latest version of every Sigma rule indicator whose external references cite CVE-2021-21551, with the underscore-prefixed system attributes stripped from each result:
// Latest-version Sigma indicators whose external references cite the CVE,
// returned without ArangoDB system attributes (_key, _id, _rev, _is_latest, ...).
FOR doc IN sigma_rules_vertex_collection
  // Only documents carrying a list of external references can be matched.
  FILTER IS_ARRAY(doc.external_references)
  // Matched on external_id alone: source_name is not checked, so any reference
  // whose id equals the CVE string qualifies, not only those with source_name "cve".
  // Hits therefore reflect the CVE mapping the rule authors assigned; read each
  // result's description before relying on the rule-to-CVE relationship.
  FILTER "CVE-2021-21551" IN doc.external_references[*].external_id
  // Skip superseded object versions.
  FILTER doc._is_latest == true
  // Keep only the STIX-level attributes; everything starting with "_" is internal.
  LET visible = (
    FOR key IN ATTRIBUTES(doc)
      FILTER NOT STARTS_WITH(key, "_")
      RETURN key
  )
  RETURN KEEP(doc, visible)
[
{
"created": "2021-05-05T00:00:00.000Z",
"created_by_ref": "identity--860f4c0f-8c26-5889-b39d-ce94368bc416",
"description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551. The following false positives can result from this detection; Legitimate BIOS driver updates (should be rare)",
"external_references": [
{
"source_name": "sigma-rule",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml",
"external_id": "rule"
},
{
"source_name": "sigma-rule",
"description": "21b23707-60d6-41bb-96e3-0f0481b0fed9",
"external_id": "id"
},
{
"source_name": "sigma-rule",
"description": "high",
"external_id": "level"
},
{
"source_name": "sigma-rule",
"description": "experimental",
"external_id": "status"
},
{
"source_name": "sigma-rule",
"description": "Florian Roth (Nextron Systems)",
"external_id": "author"
},
{
"source_name": "ATTACK",
"description": "tactic",
"external_id": "privilege_escalation"
},
{
"source_name": "cve",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21551",
"external_id": "CVE-2021-21551"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543",
"external_id": "T1543"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1068",
"external_id": "T1068"
},
{
"source_name": "sigma-rule",
"description": "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/",
"external_id": "reference"
}
],
"id": "indicator--990b4b4a-4f4c-5e01-aaf5-e994a8881a83",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2022-12-30T00:00:00.000Z",
"name": "Vulnerable Dell BIOS Update Driver Load",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--860f4c0f-8c26-5889-b39d-ce94368bc416"
],
"pattern": "{'title': 'Vulnerable Dell BIOS Update Driver Load', 'id': '21b23707-60d6-41bb-96e3-0f0481b0fed9', 'status': 'experimental', 'description': 'Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551', 'references': ['https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/'], 'author': 'Florian Roth (Nextron Systems)', 'date': '2021/05/05', 'modified': '2022/12/30', 'tags': ['attack.privilege_escalation', 'cve.2021.21551', 'attack.t1543', 'attack.t1068'], 'logsource': {'category': 'driver_load', 'product': 'windows'}, 'detection': {'selection_image': {'ImageLoaded|contains': '\\\\DBUtil_2_3.Sys'}, 'selection_sysmon': {'Hashes|contains': ['SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5', 'SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1', 'SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD', 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25', 'MD5=C996D7971C49252C582171D9380360F2', 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244']}, 'selection_hash': [{'sha256': ['0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1']}, {'sha1': ['c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25']}, {'md5': ['c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244']}], 'condition': '1 of selection*'}, 'falsepositives': ['Legitimate BIOS driver updates (should be rare)'], 'level': 'high'}",
"pattern_type": "sigma",
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2021-05-05T00:00:00Z"
},
{
"created": "2022-11-10T00:00:00.000Z",
"created_by_ref": "identity--860f4c0f-8c26-5889-b39d-ce94368bc416",
"description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges. The following false positives can result from this detection; Legitimate driver loads (old driver that didn't receive an update)",
"external_references": [
{
"source_name": "sigma-rule",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml",
"external_id": "rule"
},
{
"source_name": "sigma-rule",
"description": "ac683a42-877b-4ff8-91ac-69e94b0f70b4",
"external_id": "id"
},
{
"source_name": "sigma-rule",
"description": "high",
"external_id": "level"
},
{
"source_name": "sigma-rule",
"description": "experimental",
"external_id": "status"
},
{
"source_name": "sigma-rule",
"description": "Florian Roth (Nextron Systems)",
"external_id": "author"
},
{
"source_name": "ATTACK",
"description": "tactic",
"external_id": "privilege_escalation"
},
{
"source_name": "cve",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21551",
"external_id": "CVE-2021-21551"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543",
"external_id": "T1543"
},
{
"source_name": "sigma-rule",
"description": "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
"external_id": "reference"
},
{
"source_name": "sigma-rule",
"description": "https://github.com/alfarom256/CVE-2022-3699/",
"external_id": "reference"
}
],
"id": "indicator--f66786bb-a6fd-50e6-a403-965b2abb31fa",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2022-12-30T00:00:00.000Z",
"name": "Vulnerable Lenovo Driver Load",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--860f4c0f-8c26-5889-b39d-ce94368bc416"
],
"pattern": "{'title': 'Vulnerable Lenovo Driver Load', 'id': 'ac683a42-877b-4ff8-91ac-69e94b0f70b4', 'status': 'experimental', 'description': 'Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges', 'references': ['https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities', 'https://github.com/alfarom256/CVE-2022-3699/'], 'author': 'Florian Roth (Nextron Systems)', 'date': '2022/11/10', 'modified': '2022/12/30', 'tags': ['attack.privilege_escalation', 'cve.2021.21551', 'attack.t1543'], 'logsource': {'category': 'driver_load', 'product': 'windows'}, 'detection': {'selection_sysmon': {'Hashes|contains': ['SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE', 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F', 'MD5=B941C8364308990EE4CC6EADF7214E0F']}, 'selection_hash': [{'sha256': 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe'}, {'sha1': 'b89a8eef5aeae806af5ba212a8068845cafdab6f'}, {'md5': 'b941c8364308990ee4cc6eadf7214e0f'}], 'condition': '1 of selection*'}, 'falsepositives': [\"Legitimate driver loads (old driver that didn't receive an update)\"], 'level': 'high'}",
"pattern_type": "sigma",
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2022-11-10T00:00:00Z"
},
{
"created": "2022-11-16T00:00:00.000Z",
"created_by_ref": "identity--860f4c0f-8c26-5889-b39d-ce94368bc416",
"description": "Detects driver load of the Process Hacker tool. The following false positives can result from this detection; Legitimate use of process hacker or system informer by developers or system administrators",
"external_references": [
{
"source_name": "sigma-rule",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml",
"external_id": "rule"
},
{
"source_name": "sigma-rule",
"description": "67add051-9ee7-4ad3-93ba-42935615ae8d",
"external_id": "id"
},
{
"source_name": "sigma-rule",
"description": "high",
"external_id": "level"
},
{
"source_name": "sigma-rule",
"description": "test",
"external_id": "status"
},
{
"source_name": "sigma-rule",
"description": "Florian Roth (Nextron Systems)",
"external_id": "author"
},
{
"source_name": "ATTACK",
"description": "tactic",
"external_id": "privilege_escalation"
},
{
"source_name": "cve",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21551",
"external_id": "CVE-2021-21551"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543",
"external_id": "T1543"
},
{
"source_name": "sigma-rule",
"description": "https://processhacker.sourceforge.io/",
"external_id": "reference"
}
],
"id": "indicator--5b37c0bf-d41c-57a9-8efc-d8e866a7cb5c",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2023-05-08T00:00:00.000Z",
"name": "PUA - Process Hacker Driver Load",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--860f4c0f-8c26-5889-b39d-ce94368bc416"
],
"pattern": "{'title': 'PUA - Process Hacker Driver Load', 'id': '67add051-9ee7-4ad3-93ba-42935615ae8d', 'related': [{'id': '10cb6535-b31d-4512-9962-513dcbc42cc1', 'type': 'similar'}], 'status': 'test', 'description': 'Detects driver load of the Process Hacker tool', 'references': ['https://processhacker.sourceforge.io/'], 'author': 'Florian Roth (Nextron Systems)', 'date': '2022/11/16', 'modified': '2023/05/08', 'tags': ['attack.privilege_escalation', 'cve.2021.21551', 'attack.t1543'], 'logsource': {'category': 'driver_load', 'product': 'windows'}, 'detection': {'selection_image': {'ImageLoaded|endswith': '\\\\kprocesshacker.sys'}, 'selection_processhack_sysmon': {'Hashes|contains': ['IMPHASH=821D74031D3F625BCBD0DF08B70F1E77', 'IMPHASH=F86759BB4DE4320918615DC06E998A39', 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18', 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0']}, 'selection_processhack_hashes': {'Imphash': ['821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0']}, 'condition': '1 of selection_*'}, 'falsepositives': ['Legitimate use of process hacker or system informer by developers or system administrators'], 'level': 'high'}",
"pattern_type": "sigma",
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2022-11-16T00:00:00Z"
}
]