diff --git a/tools/README.md b/tools/README.md index 798446ae2..d515fcc7d 100644 --- a/tools/README.md +++ b/tools/README.md @@ -8,3 +8,72 @@ command line tools: * Elasticsearch X-Pack Watcher * Logpoint queries * *merge_sigma*: Merge Sigma collections into simple Sigma rules. + +## Sigmac + +### Usage + + usage: sigmac [-h] [--recurse] [--filter FILTER] + [--target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}] + [--target-list] [--config CONFIG] [--output OUTPUT] + [--backend-option BACKEND_OPTION] [--defer-abort] + [--ignore-not-implemented] [--verbose] [--debug] + [inputs [inputs ...]] + + Convert Sigma rules into SIEM signatures. + + positional arguments: + inputs Sigma input files + + optional arguments: + -h, --help show this help message and exit + --recurse, -r Recurse into subdirectories (not yet implemented) + --filter FILTER, -f FILTER + Define comma-separated filters that must match (AND- + linked) to rule to be processed. Valid filters: + level<=x, level>=x, level=x, status=y, logsource=z. x + is one of: low, medium, high, critical. y is one of: + experimental, testing, stable. z is a word appearing + in an arbitrary log source attribute. Multiple log + source specifications are AND linked. + --target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}, -t {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist} + Output target format + --target-list, -l List available output target formats + --config CONFIG, -c CONFIG + Configuration with field name and index mapping for + target environment (not yet implemented) + --output OUTPUT, -o OUTPUT + Output file or filename prefix if multiple files are + generated (not yet implemented) + --backend-option BACKEND_OPTION, -O BACKEND_OPTION + Options and switches that are passed to the backend + --defer-abort, -d Don't abort on parse or conversion errors, proceed + with next rule. The exit code from the last error is + returned + --ignore-not-implemented, -I + Only return error codes for parse errors and ignore + errors for rules with not implemented features + --verbose, -v Be verbose + --debug, -D Debugging output + + Backend options: + es-dsl + es : Host and port of Elasticsearch instance (default: http://localhost:9200) + output : Output format: import = JSON search request, curl = Shell script that do the search queries via curl (default: import) + es-qs + rulecomment: Prefix generated query with comment containing title (default: False) + graylog + rulecomment: Prefix generated query with comment containing title (default: False) + kibana + output : Output format: import = JSON file manually imported in Kibana, curl = Shell script that imports queries in Kibana via curl (jq is additionally required) (default: import) + es : Host and port of Elasticsearch instance (default: localhost:9200) + index : Kibana index (default: .kibana) + prefix : Title prefix of Sigma queries (default: Sigma: ) + xpack-watcher + output : Output format: curl = Shell script that imports queries in Watcher index with curl (default: curl) + es : Host and port of Elasticsearch instance (default: localhost:9200) + mail : Mail address for Watcher notification (only logging if not set) (default: None) + logpoint + rulecomment: Prefix generated query with comment containing title (default: False) + splunk + rulecomment: Prefix generated query with comment containing title (default: False)