Skip to main content

Tools for the Generic Signature Format for SIEM Systems

Project description

This package contains libraries for processing of [Sigma rules](https://github.com/Neo23x0/sigma) and the following
command line tools:

* *sigmac*: converter between Sigma rules and SIEM queries:
* Elasticsearch query strings
* Kibana JSON with searches
* Splunk SPL queries
* Elasticsearch X-Pack Watcher
* Logpoint queries
* *merge_sigma*: Merge Sigma collections into simple Sigma rules.

## Sigmac

### Usage

usage: sigmac [-h] [--recurse] [--filter FILTER]
[--target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}]
[--target-list] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION] [--defer-abort]
[--ignore-not-implemented] [--verbose] [--debug]
[inputs [inputs ...]]

Convert Sigma rules into SIEM signatures.

positional arguments:
inputs Sigma input files

optional arguments:
-h, --help show this help message and exit
--recurse, -r Recurse into subdirectories (not yet implemented)
--filter FILTER, -f FILTER
Define comma-separated filters that must match (AND-
linked) to rule to be processed. Valid filters:
level<=x, level>=x, level=x, status=y, logsource=z. x
is one of: low, medium, high, critical. y is one of:
experimental, testing, stable. z is a word appearing
in an arbitrary log source attribute. Multiple log
source specifications are AND linked.
--target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}, -t {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}
Output target format
--target-list, -l List available output target formats
--config CONFIG, -c CONFIG
Configuration with field name and index mapping for
target environment (not yet implemented)
--output OUTPUT, -o OUTPUT
Output file or filename prefix if multiple files are
generated (not yet implemented)
--backend-option BACKEND_OPTION, -O BACKEND_OPTION
Options and switches that are passed to the backend
--defer-abort, -d Don't abort on parse or conversion errors, proceed
with next rule. The exit code from the last error is
returned
--ignore-not-implemented, -I
Only return error codes for parse errors and ignore
errors for rules with not implemented features
--verbose, -v Be verbose
--debug, -D Debugging output

Backend options:
es-dsl
es : Host and port of Elasticsearch instance (default: http://localhost:9200)
output : Output format: import = JSON search request, curl = Shell script that do the search queries via curl (default: import)
es-qs
rulecomment: Prefix generated query with comment containing title (default: False)
graylog
rulecomment: Prefix generated query with comment containing title (default: False)
kibana
output : Output format: import = JSON file manually imported in Kibana, curl = Shell script that imports queries in Kibana via curl (jq is additionally required) (default: import)
es : Host and port of Elasticsearch instance (default: localhost:9200)
index : Kibana index (default: .kibana)
prefix : Title prefix of Sigma queries (default: Sigma: )
xpack-watcher
output : Output format: curl = Shell script that imports queries in Watcher index with curl (default: curl)
es : Host and port of Elasticsearch instance (default: localhost:9200)
mail : Mail address for Watcher notification (only logging if not set) (default: None)
logpoint
rulecomment: Prefix generated query with comment containing title (default: False)
splunk
rulecomment: Prefix generated query with comment containing title (default: False)


Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for sigmatools, version 0.6
Filename, size File type Python version Upload date Hashes
Filename, size sigmatools-0.6-py3-none-any.whl (41.2 kB) File type Wheel Python version py3 Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page