Tools for the Generic Signature Format for SIEM Systems

Project description

This package contains libraries for processing [Sigma rules](https://github.com/Neo23x0/sigma) and the following
command line tools:

* *sigmac*: converter from Sigma rules to SIEM queries, including:
  * Elasticsearch query strings
  * Kibana JSON with searches
  * Splunk SPL queries
  * Elasticsearch X-Pack Watcher
  * Logpoint queries
  * (the `--target` option below lists the full set, which also includes graylog, grep and fieldlist)
* *merge_sigma*: merge Sigma rule collections into simple Sigma rules.

## Sigmac

### Usage

```text
usage: sigmac [-h] [--recurse] [--filter FILTER]
              [--target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}]
              [--target-list] [--config CONFIG] [--output OUTPUT]
              [--backend-option BACKEND_OPTION] [--defer-abort]
              [--ignore-not-implemented] [--verbose] [--debug]
              [inputs [inputs ...]]

Convert Sigma rules into SIEM signatures.

positional arguments:
  inputs                Sigma input files

optional arguments:
  -h, --help            show this help message and exit
  --recurse, -r         Recurse into subdirectories (not yet implemented)
  --filter FILTER, -f FILTER
                        Define comma-separated filters that must match (AND-
                        linked) to rule to be processed. Valid filters:
                        level<=x, level>=x, level=x, status=y, logsource=z. x
                        is one of: low, medium, high, critical. y is one of:
                        experimental, testing, stable. z is a word appearing
                        in an arbitrary log source attribute. Multiple log
                        source specifications are AND linked.
  --target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}, -t {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}
                        Output target format
  --target-list, -l     List available output target formats
  --config CONFIG, -c CONFIG
                        Configuration with field name and index mapping for
                        target environment (not yet implemented)
  --output OUTPUT, -o OUTPUT
                        Output file or filename prefix if multiple files are
                        generated (not yet implemented)
  --backend-option BACKEND_OPTION, -O BACKEND_OPTION
                        Options and switches that are passed to the backend
  --defer-abort, -d     Don't abort on parse or conversion errors, proceed
                        with next rule. The exit code from the last error is
                        returned
  --ignore-not-implemented, -I
                        Only return error codes for parse errors and ignore
                        errors for rules with not implemented features
  --verbose, -v         Be verbose
  --debug, -D           Debugging output

Backend options:
  es-dsl
    es        : Host and port of Elasticsearch instance (default: http://localhost:9200)
    output    : Output format: import = JSON search request, curl = Shell script that do the search queries via curl (default: import)
  es-qs
    rulecomment: Prefix generated query with comment containing title (default: False)
  graylog
    rulecomment: Prefix generated query with comment containing title (default: False)
  kibana
    output    : Output format: import = JSON file manually imported in Kibana, curl = Shell script that imports queries in Kibana via curl (jq is additionally required) (default: import)
    es        : Host and port of Elasticsearch instance (default: localhost:9200)
    index     : Kibana index (default: .kibana)
    prefix    : Title prefix of Sigma queries (default: Sigma: )
  xpack-watcher
    output    : Output format: curl = Shell script that imports queries in Watcher index with curl (default: curl)
    es        : Host and port of Elasticsearch instance (default: localhost:9200)
    mail      : Mail address for Watcher notification (only logging if not set) (default: None)
  logpoint
    rulecomment: Prefix generated query with comment containing title (default: False)
  splunk
    rulecomment: Prefix generated query with comment containing title (default: False)
```
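
The `--filter` semantics described in the help text above (level comparisons over the ordered set low < medium < high < critical, exact `status` match, and AND-linked `logsource` words) are worth seeing applied to concrete rules before relying on them to scope a large rule set. The following is an added, stand-alone reimplementation of those documented semantics, not sigmatools' own filter code: the rules are constructed dicts standing in for parsed Sigma YAML, and the assumption that a `logsource=z` word matches when it appears as a substring of any log source attribute value is ours, taken from the wording "a word appearing in an arbitrary log source attribute".

```python
"""Stand-alone reimplementation of the sigmac --filter semantics documented
in the help text (example code, not sigmatools' own implementation)."""
import operator
import re

# Ordering used by level<=x / level>=x / level=x, per the help text.
LEVELS = {"low": 0, "medium": 1, "high": 2, "critical": 3}
STATUSES = {"experimental", "testing", "stable"}
_OPS = {"<=": operator.le, ">=": operator.ge, "=": operator.eq}
_FILTER_RE = re.compile(r"^(level|status|logsource)(<=|>=|=)(.+)$")


def parse_filter(expr):
    """Split 'level>=high,status=stable,logsource=windows' into checks.

    Returns a list of (attribute, operator, value) tuples. Anything the help
    text does not allow (unknown attribute, ordering operator on status or
    logsource, unknown level/status name) raises ValueError instead of being
    silently accepted, so a typo cannot widen the selected rule set.
    """
    checks = []
    for part in expr.split(","):
        part = part.strip()
        if not part:
            continue
        m = _FILTER_RE.match(part)
        if not m:
            raise ValueError("unrecognised filter: %r" % part)
        attr, op, value = m.groups()
        if attr == "level" and value not in LEVELS:
            raise ValueError("unknown level: %r" % value)
        if attr == "status" and (op != "=" or value not in STATUSES):
            raise ValueError("status only supports status=y with a known status: %r" % part)
        if attr == "logsource" and op != "=":
            raise ValueError("logsource only supports logsource=z: %r" % part)
        checks.append((attr, op, value))
    return checks


def rule_matches(rule, checks):
    """All checks are AND-linked: every one must hold for the rule to pass."""
    for attr, op, value in checks:
        if attr == "level":
            level = rule.get("level")
            if level not in LEVELS or not _OPS[op](LEVELS[level], LEVELS[value]):
                return False
        elif attr == "status":
            if rule.get("status") != value:
                return False
        else:
            # Assumption: the word matches if it appears in any logsource
            # attribute value (product, service, category, ...).
            values = [str(v).lower() for v in rule.get("logsource", {}).values()]
            if not any(value.lower() in v for v in values):
                return False
    return True


def select_rules(rules, expr):
    """Return the titles of the rules that a sigmac-style filter would keep."""
    checks = parse_filter(expr)
    return [r["title"] for r in rules if rule_matches(r, checks)]


# Constructed sample rules (dicts standing in for parsed Sigma YAML).
RULES = [
    {"title": "Whoami Execution", "level": "high", "status": "stable",
     "logsource": {"product": "windows", "category": "process_creation"}},
    {"title": "Sysmon Config Change", "level": "medium", "status": "testing",
     "logsource": {"product": "windows", "service": "sysmon"}},
    {"title": "Cron Modification", "level": "low", "status": "experimental",
     "logsource": {"product": "linux", "service": "auditd"}},
    {"title": "Kerberoasting", "level": "critical", "status": "experimental",
     "logsource": {"product": "windows", "service": "security"}},
]

if __name__ == "__main__":
    for expr in ("level>=high", "level<=medium,logsource=windows",
                 "status=experimental,logsource=windows,logsource=security"):
        print("%-55s -> %s" % (expr, select_rules(RULES, expr)))
```

Note that `logsource=windows,logsource=security` keeps only the rule whose log source carries both words, which is what "Multiple log source specifications are AND linked" means in practice; a filter meant as "Windows or Linux" has to be expressed as two separate sigmac runs.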


Download files

Source Distributions

No source distribution files available for this release.

Built Distribution

sigmatools-0.9-py3-none-any.whl (80.5 kB, Python 3)

File details

File metadata

  • Download URL: sigmatools-0.9-py3-none-any.whl
  • Size: 80.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.10.0 pkginfo/1.2.1 requests/2.18.4 setuptools/39.0.1 requests-toolbelt/0.8.0 tqdm/4.19.5 CPython/3.6.7

File hashes

Hashes for sigmatools-0.9-py3-none-any.whl
Algorithm Hash digest
SHA256 3bdbd2ee99c32f245e948d6b882219729ab379685dd7366e4d6149c390e08170
MD5 989ec4dce6138e33288425d4339fbffb
BLAKE2b-256 4c82663bfb2232826740d6c9f015cb5b3323279282d059b4a11c308e201ccd1a
