diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml
deleted file mode 100644
index a32dd3f82..000000000
--- a/tools/config/powershell-windows-all.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-logsources:
- windows-application:
- product: windows
- service: application
- conditions:
- LogName: 'Application'
- windows-security:
- product: windows
- service: security
- conditions:
- LogName: 'Security'
- windows-system:
- product: windows
- service: system
- conditions:
- LogName: 'System'
- windows-sysmon:
- product: windows
- service: sysmon
- conditions:
- LogName: 'Microsoft-Windows-Sysmon/Operational'
- windows-powershell:
- product: windows
- service: powershell
- conditions:
- LogName: 'Microsoft-Windows-PowerShell/Operational'
- windows-classicpowershell:
- product: windows
- service: powershell-classic
- conditions:
- LogName: 'Windows PowerShell'
- windows-taskscheduler:
- product: windows
- service: taskscheduler
- conditions:
- LogName: 'Microsoft-Windows-TaskScheduler/Operational'
- windows-wmi:
- product: windows
- service: wmi
- conditions:
- LogName: 'Microsoft-Windows-WMI-Activity/Operational'
- windows-dns-server:
- product: windows
- service: dns-server
- category: dns
- conditions:
- LogName: 'DNS Server'
- windows-dns-server-audit:
- product: windows
- service: dns-server-audit
- conditions:
- LogName: 'Microsoft-Windows-DNS-Server/Audit'
- windows-driver-framework:
- product: windows
- service: driver-framework
- conditions:
- LogName: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
- windows-ntlm:
- product: windows
- service: ntlm
- conditions:
- LogName: 'Microsoft-Windows-NTLM/Operational'
- windows-applocker:
- product: windows
- service: applocker
- conditions:
- LogName:
- - 'Microsoft-Windows-AppLocker/MSI and Script'
- - 'Microsoft-Windows-AppLocker/EXE and DLL'
- - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
- windows-msexchange-management:
- product: windows
- service: msexchange-management
- conditions:
- LogName: 'MSExchange Management'
- windows-printservice-admin:
- product: windows
- service: printservice-admin
- conditions:
- LogName: 'Microsoft-Windows-PrintService/Admin'
- windows-printservice-operational:
- product: windows
- service: printservice-operational
- conditions:
- LogName: 'Microsoft-Windows-PrintService/Operational'
- windows-smbclient-security:
- product: windows
- service: smbclient-security
- conditions:
- LogName: 'Microsoft-Windows-SmbClient/Security'
\ No newline at end of file
diff --git a/tools/sigma/backends/ee-outliers.py b/tools/sigma/backends/ee-outliers.py
index 4a912d11f..8904bdd77 100644
--- a/tools/sigma/backends/ee-outliers.py
+++ b/tools/sigma/backends/ee-outliers.py
@@ -23,7 +23,7 @@ from io import StringIO
 class OutliersBackend(ElasticsearchDSLBackend, MultiRuleOutputMixin):
- """ee-outliers backend"""
+ """Converts Sigma rule into ee-outliers"""
 identifier = 'ee-outliers'
 active = True
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 766209932..480c56a16 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -387,7 +387,7 @@ class ElasticsearchQuerystringBackendLogRhythm(DeepFieldMappingMixin, Elasticsea
 return super().generateSubexpressionNode(node)
 class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend):
- """Converts Sigma rule into EQL."""
+ """Converts Sigma rule into Elasticsearch EQL query."""
 identifier = "es-eql"
 active = True
@@ -501,7 +501,7 @@ class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandli
 return fieldname
 class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend):
- """ElasticSearch DSL backend"""
+ """Converts Sigma rule into Elasticsearch DSL query"""
 identifier = 'es-dsl'
 active = True
 options = RulenameCommentMixin.options + ElasticsearchWildcardHandlingMixin.options + (
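Review bot: The new one-line class docstrings are punctuated inconsistently: `"""Converts Sigma rule into ee-outliers"""` in the ee-outliers hunk and the es-dsl docstring in the first elasticsearch.py section drop the terminal period that the es-eql docstring in the same commit keeps (`"""Converts Sigma rule into Elasticsearch EQL query."""`), and PEP 257 asks for a period on a one-line summary, so `"""Converts Sigma rule into ee-outliers."""` would match. The same applies to the elastalert-dsl, elastalert, es-rule-eql and es-rule docstrings in the later elasticsearch.py hunks and to the lacework.py and sysmon.py ones. In those later hunks the es-rule docstring writes `lucene` and the sysmon one writes `sysmon` in lower case although `Lucene` and `Sysmon` are the product names, and the abbreviation `QS` in the elastalert docstring would read more clearly spelled out as `query string`. Each class body continues past its hunk, so the docstring is the only new line in every case.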
@@ -1397,7 +1397,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
 # return result
 class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):
- """Elastalert backend"""
+ """Converts Sigma rule into ElastAlert DSL query"""
 identifier = 'elastalert-dsl'
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
@@ -1410,7 +1410,7 @@ class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):
 return self.queries
 class ElastalertBackendQs(ElastalertBackend, ElasticsearchQuerystringBackend):
- """Elastalert backend"""
+ """Converts Sigma rule into ElastAlert QS query"""
 identifier = 'elastalert'
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
@@ -1656,12 +1656,14 @@ class ElasticSearchRuleBackend(object):
 class ElasticSearchRuleEqlBackend(ElasticSearchRuleBackend, ElasticsearchEQLBackend):
+ """Converts Sigma rule into Elastic SIEM EQL query"""
 default_rule_type = "eql"
 identifier = "es-rule-eql"
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
 class ElasticSearchRuleQsBackend(ElasticSearchRuleBackend, ElasticsearchQuerystringBackend):
+ """Converts Sigma rule into Elastic SIEM lucene query"""
 identifier = "es-rule"
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py
index 2f567088f..d28c30533 100644
--- a/tools/sigma/backends/lacework.py
+++ b/tools/sigma/backends/lacework.py
@@ -102,9 +102,7 @@ yaml.add_representer(str, str_presenter)
 class LaceworkBackend(SingleTextQueryBackend):
- """
- Converts Sigma rule into Lacework Policy Platform
- """
+ """Converts Sigma rule into Lacework Policy Platform"""
 identifier = "lacework"
 active = True
 # our approach to config will be such that we support both an
diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py
index 963021815..ce1524e61 100644
--- a/tools/sigma/backends/sysmon.py
+++ b/tools/sigma/backends/sysmon.py
@@ -8,6 +8,7 @@ from .exceptions import NotSupportedError
 class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
+ """Converts Sigma rule into sysmon XML configuration"""
 identifier = "sysmon"
 active = True
 andToken = " AND "