Sigmac Usage
@@ -8,3 +8,72 @@ command line tools:
* Elasticsearch X-Pack Watcher
* Logpoint queries
* *merge_sigma*: Merge Sigma collections into simple Sigma rules.
## Sigmac
### Usage
usage: sigmac [-h] [--recurse] [--filter FILTER]
[--target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}]
[--target-list] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION] [--defer-abort]
[--ignore-not-implemented] [--verbose] [--debug]
[inputs [inputs ...]]
Convert Sigma rules into SIEM signatures.
positional arguments:
inputs Sigma input files
optional arguments:
-h, --help show this help message and exit
--recurse, -r Recurse into subdirectories (not yet implemented)
--filter FILTER, -f FILTER
Define comma-separated filters that must match (AND-
linked) to rule to be processed. Valid filters:
level<=x, level>=x, level=x, status=y, logsource=z. x
is one of: low, medium, high, critical. y is one of:
experimental, testing, stable. z is a word appearing
in an arbitrary log source attribute. Multiple log
source specifications are AND linked.
--target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}, -t {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}
Output target format
--target-list, -l List available output target formats
--config CONFIG, -c CONFIG
Configuration with field name and index mapping for
target environment (not yet implemented)
--output OUTPUT, -o OUTPUT
Output file or filename prefix if multiple files are
generated (not yet implemented)
--backend-option BACKEND_OPTION, -O BACKEND_OPTION
Options and switches that are passed to the backend
--defer-abort, -d Don't abort on parse or conversion errors, proceed
with next rule. The exit code from the last error is
returned
--ignore-not-implemented, -I
Only return error codes for parse errors and ignore
errors for rules with not implemented features
--verbose, -v Be verbose
--debug, -D Debugging output
Backend options:
es-dsl
es : Host and port of Elasticsearch instance (default: http://localhost:9200)
output : Output format: import = JSON search request, curl = Shell script that do the search queries via curl (default: import)
es-qs
rulecomment: Prefix generated query with comment containing title (default: False)
graylog
rulecomment: Prefix generated query with comment containing title (default: False)
kibana
output : Output format: import = JSON file manually imported in Kibana, curl = Shell script that imports queries in Kibana via curl (jq is additionally required) (default: import)
es : Host and port of Elasticsearch instance (default: localhost:9200)
index : Kibana index (default: .kibana)
prefix : Title prefix of Sigma queries (default: Sigma: )
xpack-watcher
output : Output format: curl = Shell script that imports queries in Watcher index with curl (default: curl)
es : Host and port of Elasticsearch instance (default: localhost:9200)
mail : Mail address for Watcher notification (only logging if not set) (default: None)
logpoint
rulecomment: Prefix generated query with comment containing title (default: False)
splunk
rulecomment: Prefix generated query with comment containing title (default: False)
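Review bot: the backend option list is inconsistent about what the `es` value looks like: es-dsl documents its default as `http://localhost:9200`, while kibana and xpack-watcher give `localhost:9200` with no scheme, so a reader cannot tell whether the `output=curl` modes of kibana and xpack-watcher accept an `https://` URL or only `host:port`. Since those modes emit shell scripts that are run against a live Elasticsearch or Kibana instance, suggest aligning the three defaults and stating the accepted form once. Also, the hunk pastes `sigmac -h` output verbatim, including three options marked "(not yet implemented)" (`--recurse`, `--config`, `--output`) and two help strings with grammar slips ("match ... to rule to be processed", "Shell script that do the search queries"); the implementation markers will go stale silently when the features land, so consider keeping a short summary here and pointing readers to `sigmac --help` and `sigmac --target-list` for the authoritative option and target lists, and fixing the wording in the argparse help text in the source rather than in this copy.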