3coresec / siegma Goto Github PK

Currently, for every rule, only 1 output file is created that contains the last rule that was converted.
So only one rule is installed on the SIEM currently.

This logic needs to be updated so all rules from a directory get added to the same output file.
And in one single push, all rules get installed on SIEM.

It looks like there is an issue when detecting multiple documents in one file.
This is the file that leads into the following issue for me:
https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml

  in "sigma/rules/linux\auditd\lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", line 1, column 1
but found another document
  in "sigma/rules/linux\auditd\lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", line 23, column 1 occurred in main of file siegma.py...
04/01/21T11:45:43Z:ERROR:Ending script with error code: 1```

Hi! Just stumbled upon your project, looks really cool.

I'm currently building a detection-as-code pipeline for QRadar SIEM, but using pySigma, since sigmac is deprecated.
Is there any plan to support pySigma in the future?

General idea: While there are many fields in a particular config that are set per environment a few can be dependent on a particular rule. For example, we might wish to associate a timeline_id from Elastic SIEM to a particular rule or rule folder.

With the possibility of passing arguments for a specific configuration we can provide additional functionality that aids in automation while refraining from hard coding fields in the config.

Example:

siegma.py ARGUMENTS -f timeline_id=111,timeline_description=222

Just an idea. Feedback welcome.

Currently, risk score is set based on the risk level (low 25, medium 50, high 75 and critical 100) received from field "level" yml rule file.

Need to add a logic where risk_score in elastic output can be based on a custom field "score" in .yml file.

@DiogoBraz @0xtf , What do you think?

Hi,
I'm trying to convert rules to elastic in locally without connecting to Kibana, and always reports me same error.
curl: (3) URL using bad/illegal format or missing URL.
If I set the Kibana config it works, but always send a curl to check if the rule exists.
Can you enable a option to don't made a check to kibana server ? In testing mode don't upload automatically the rule, but it send the request to validate if exist the rule in kibana.

Thanks

Add testing logic so rule is not installed on SIEM upon testing.

Testing can be specified from the commandline.

The 'E' in the Greek alphabet is epsilon.

The 'S' is Sigma.

Everytime I look at the logo with a Σ for a lower case 'e' I die a little inside, and I'm not even Greek.

Any chance of fixing it?