Merge pull request #1942 from frack113/update_help

Update help message
2021-08-30 12:22:19 +02:00
parent 970dfa2f92 5f1143247b
commit 6daaab7bc3
5 changed files with 9 additions and 99 deletions
@@ -1,91 +0,0 @@
-logsources:
-  windows-application:
-    product: windows
-    service: application
-    conditions:
-      LogName: 'Application'
-  windows-security:
-    product: windows
-    service: security
-    conditions:
-      LogName: 'Security'
-  windows-system:
-    product: windows
-    service: system
-    conditions:
-      LogName: 'System'
-  windows-sysmon:
-    product: windows
-    service: sysmon
-    conditions:
-        LogName: 'Microsoft-Windows-Sysmon/Operational'
-  windows-powershell:
-    product: windows
-    service: powershell
-    conditions:
-        LogName: 'Microsoft-Windows-PowerShell/Operational'
-  windows-classicpowershell:
-    product: windows
-    service: powershell-classic
-    conditions:
-      LogName: 'Windows PowerShell'
-  windows-taskscheduler:
-    product: windows
-    service: taskscheduler
-    conditions:
-      LogName: 'Microsoft-Windows-TaskScheduler/Operational'
-  windows-wmi:
-    product: windows
-    service: wmi
-    conditions:
-      LogName: 'Microsoft-Windows-WMI-Activity/Operational'
-  windows-dns-server:
-    product: windows
-    service: dns-server
-    category: dns
-    conditions:
-      LogName: 'DNS Server'
-  windows-dns-server-audit:
-    product: windows
-    service: dns-server-audit
-    conditions:
-      LogName: 'Microsoft-Windows-DNS-Server/Audit'
-  windows-driver-framework:
-    product: windows
-    service: driver-framework
-    conditions:
-      LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
-  windows-ntlm:
-    product: windows
-    service: ntlm
-    conditions:
-      LogName: 'Microsoft-Windows-NTLM/Operational'
-  windows-applocker:
-    product: windows
-    service: applocker
-    conditions:
-      LogName:
-        - 'Microsoft-Windows-AppLocker/MSI and Script'
-        - 'Microsoft-Windows-AppLocker/EXE and DLL'
-        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
-        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
-  windows-msexchange-management:
-    product: windows
-    service: msexchange-management
-    conditions:
-      LogName: 'MSExchange Management'
-  windows-printservice-admin:
-    product: windows
-    service: printservice-admin
-    conditions:
-      LogName: 'Microsoft-Windows-PrintService/Admin'
-  windows-printservice-operational:
-    product: windows
-    service: printservice-operational
-    conditions:
-      LogName: 'Microsoft-Windows-PrintService/Operational'
-  windows-smbclient-security:
-    product: windows
-    service: smbclient-security
-    conditions:
-      LogName: 'Microsoft-Windows-SmbClient/Security'
@@ -23,7 +23,7 @@ from io import StringIO


 class OutliersBackend(ElasticsearchDSLBackend, MultiRuleOutputMixin):
-    """ee-outliers backend"""
+    """Converts Sigma rule into ee-outliers"""
    identifier = 'ee-outliers'
    active = True

@@ -387,7 +387,7 @@ class ElasticsearchQuerystringBackendLogRhythm(DeepFieldMappingMixin, Elasticsea
            return super().generateSubexpressionNode(node)

 class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend):
-    """Converts Sigma rule into EQL."""
+    """Converts Sigma rule into Elasticsearch EQL query."""
    identifier = "es-eql"
    active = True

@@ -501,7 +501,7 @@ class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandli
        return fieldname

 class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend):
-    """ElasticSearch DSL backend"""
+    """Converts Sigma rule into Elasticsearch DSL query"""
    identifier = 'es-dsl'
    active = True
    options = RulenameCommentMixin.options + ElasticsearchWildcardHandlingMixin.options + (
@@ -1397,7 +1397,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
        # return result

 class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):
-    """Elastalert backend"""
+    """Converts Sigma rule into ElastAlert DSL query"""
    identifier = 'elastalert-dsl'
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -1410,7 +1410,7 @@ class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):
        return self.queries

 class ElastalertBackendQs(ElastalertBackend, ElasticsearchQuerystringBackend):
-    """Elastalert backend"""
+    """Converts Sigma rule into ElastAlert QS query"""
    identifier = 'elastalert'
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -1656,12 +1656,14 @@ class ElasticSearchRuleBackend(object):


 class ElasticSearchRuleEqlBackend(ElasticSearchRuleBackend, ElasticsearchEQLBackend):
+    """Converts Sigma rule into Elastic SIEM EQL query"""
    default_rule_type = "eql"
    identifier = "es-rule-eql"
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

 class ElasticSearchRuleQsBackend(ElasticSearchRuleBackend, ElasticsearchQuerystringBackend):
+    """Converts Sigma rule into Elastic SIEM lucene query"""
    identifier = "es-rule"
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -102,9 +102,7 @@ yaml.add_representer(str, str_presenter)


 class LaceworkBackend(SingleTextQueryBackend):
-    """
-    Converts Sigma rule into Lacework Policy Platform
-    """
+    """Converts Sigma rule into Lacework Policy Platform"""
    identifier = "lacework"
    active = True
    # our approach to config will be such that we support both an
@@ -8,6 +8,7 @@ from .exceptions import NotSupportedError


 class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
+    """Converts Sigma rule into sysmon XML configuration"""
    identifier = "sysmon"
    active = True
    andToken = " AND "