3coresec / siegma
SIEGMA - Transform Sigma rules into SIEM consumables
Home Page: https://blog.3coresec.com/search/label/DaC
License: GNU Affero General Public License v3.0
Currently, for every rule, only one output file is created, and it contains the last rule that was converted.
So only one rule is installed on the SIEM at the moment.
This logic needs to be updated so that all rules from a directory get added to the same output file,
and in one single push all rules get installed on the SIEM.
It looks like there is an issue when detecting multiple documents in one file.
This is the file that leads to the following issue for me:
https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
```
in "sigma/rules/linux\auditd\lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", line 1, column 1
but found another document
in "sigma/rules/linux\auditd\lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", line 23, column 1 occurred in main of file siegma.py...
04/01/21T11:45:43Z:ERROR:Ending script with error code: 1
```
Hi! Just stumbled upon your project, looks really cool.
I'm currently building a detection-as-code pipeline for QRadar SIEM, but using pySigma, since sigmac is deprecated.
Is there any plan to support pySigma in the future?
General idea: While there are many fields in a particular config that are set per environment, a few can depend on a particular rule. For example, we might wish to associate a timeline_id
from Elastic SIEM with a particular rule or rule folder.
With the possibility of passing arguments for a specific configuration, we can provide additional functionality that aids automation while refraining from hard-coding fields in the config.
Example:
siegma.py ARGUMENTS -f timeline_id=111,timeline_description=222
Just an idea. Feedback welcome.
Currently, the risk score is set based on the risk level (low 25, medium 50, high 75 and critical 100) taken from the "level" field of the .yml rule file.
We need to add logic so that risk_score in the Elastic output can be based on a custom "score" field in the .yml file.
@DiogoBraz @0xtf , What do you think?
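The three issues above (one output file that only keeps the last converted rule, the PyYAML "but found another document" error on multi-document rule files, and a custom "score" field overriding the level-derived risk_score) can be handled in one small conversion step. The following is an added example written for this page, not siegma's own code. It assumes PyYAML (whose single-document safe_load() is what produces the error quoted above) and falls back to a minimal top-level-key parser when PyYAML is absent; it assumes the legacy Sigma rule-collection convention in which a document marked action: global supplies fields inherited by the documents that follow it and action: reset clears them; the sample rules, file names and the payload field names are constructed for the demo and are not the SigmaHQ rules or Kibana's API format.

```python
"""Added example, not siegma's own code: read Sigma rule files that hold several
YAML documents, derive the Elastic risk_score from `level` with the proposed
`score` override, and fold every rule from a "directory" into one payload."""
import json
import re

try:
    import yaml  # PyYAML; safe_load() is what raises "but found another document"
except ImportError:  # fallback: just enough YAML for top-level keys
    yaml = None

# Mapping stated in the issue: Sigma level -> Elastic risk_score.
LEVEL_TO_SCORE = {"low": 25, "medium": 50, "high": 75, "critical": 100}


def _documents(text):
    """Yield every YAML document in `text`, not only the first one."""
    if yaml is not None:
        yield from (doc for doc in yaml.safe_load_all(text) if doc)
        return
    # Fallback parser (assumption: only top-level scalars are needed here).
    for chunk in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE):
        doc = {}
        for m in re.finditer(r"^([A-Za-z_]\w*):[ \t]*(.*)$", chunk, flags=re.MULTILINE):
            value = m.group(2).strip().strip("'\"")
            doc[m.group(1)] = int(value) if value.isdigit() else (value or None)
        if doc:
            yield doc


def load_sigma_rules(text):
    """Expand one file into concrete rules.  Legacy Sigma rule collections mark a
    document `action: global` to declare fields inherited by later documents and
    `action: reset` to clear them (assumption: the files follow that convention)."""
    rules, inherited = [], {}
    for doc in _documents(text):
        action = doc.get("action")
        if action == "global":
            inherited = {k: v for k, v in doc.items() if k != "action"}
        elif action == "reset":
            inherited = {}
        else:
            rules.append({**inherited, **doc})
    return rules


def risk_score(rule):
    """risk_score from `level`, unless the rule carries the proposed custom
    `score` field; an override must be an integer in 0..100."""
    if "score" in rule:
        score = rule["score"]
        if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
            raise ValueError(f"{rule.get('title')!r}: score must be an int in 0..100, got {score!r}")
        return score
    level = str(rule.get("level", "medium")).lower()
    if level not in LEVEL_TO_SCORE:
        raise ValueError(f"{rule.get('title')!r}: unknown level {level!r}")
    return LEVEL_TO_SCORE[level]


def convert_directory(files):
    """`files`: iterable of (filename, yaml_text) standing in for a rules directory.
    Every rule lands in ONE payload, so a single push installs all of them, rather
    than one output file per rule that overwrites the previous one."""
    payload = []
    for name, text in files:
        for rule in load_sigma_rules(text):
            payload.append({
                "source_file": name,
                "name": rule.get("title"),
                "severity": str(rule.get("level", "medium")).lower(),
                "risk_score": risk_score(rule),
            })
    return payload


# Constructed sample rules for the demo; they are not the SigmaHQ files.
COLLECTION = """\
action: global
title: Sudoedit Flag Abuse (sample)
level: high
---
detection: {selection: {type: EXECVE, a0: sudoedit, a1: '-s'}, condition: selection}
---
title: Sudoedit Flag Abuse Variant (sample)
score: 90
detection: {selection: {type: EXECVE, a0: sudoedit, a2: '-s'}, condition: selection}
"""
SINGLE = """\
title: Single Document Rule (sample)
level: medium
detection: {selection: {a0: whoami}, condition: selection}
"""

if __name__ == "__main__":
    print(json.dumps(convert_directory([("collection.yml", COLLECTION), ("single.yml", SINGLE)]), indent=2))
```

Running it prints a single JSON list with three entries: the two sub-rules of the collection (risk_score 75 from the inherited high level, then 90 from the explicit score) and the single-document rule at 50. The score validation rejects booleans and values outside 0..100 so a typo in a rule file fails the conversion rather than landing on the SIEM.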
Hi,
I'm trying to convert rules to Elastic locally without connecting to Kibana, and it always reports the same error:
curl: (3) URL using bad/illegal format or missing URL.
If I set the Kibana config it works, but it always sends a curl request to check whether the rule exists.
Can you add an option to skip the check against the Kibana server? In testing mode it doesn't upload the rule automatically, but it still sends the request to validate whether the rule exists in Kibana.
Thanks
Add testing logic so that the rule is not installed on the SIEM upon testing.
Testing can be specified from the command line.
The 'E' in the Greek alphabet is epsilon.
The 'S' is Sigma.
Every time I look at the logo with a Σ for a lower-case 'e' I die a little inside, and I'm not even Greek.
Any chance of fixing it?