Merge PR #4476 from @nasbench - re-organize cloud folder and other things

fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
Nasreddine Bencherchali
2023-10-12 13:32:24 +02:00
committed by GitHub
parent 61e8d427c1
commit 7364ce00b1
175 changed files with 1055 additions and 466 deletions
+58 -18
@@ -25,32 +25,63 @@ RULES_DICT = {
"et": "rules-emerging-threats",
"threat-hunting": "rules-threat-hunting",
"th": "rules-threat-hunting",
"rules-threat-hunting": "rules-threat-hunting"
}
"rules-threat-hunting": "rules-threat-hunting",
}
RULES = [x for x in RULES_DICT.keys()]
def init_arguments(arguments: list) -> list:
parser = argparse.ArgumentParser(description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument('-o', '--outfile', help="Outputs the Sigma release package as ZIP archive", default="Sigma-standard.zip", required=True)
parser = argparse.ArgumentParser(
description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
)
parser.add_argument(
"-o",
"--outfile",
help="Outputs the Sigma release package as ZIP archive",
default="Sigma-standard.zip",
required=True,
)
arg_status = parser.add_mutually_exclusive_group(required=True)
arg_status.add_argument('-s', '--statuses', nargs='*', choices=STATUS, help="Select status of rules")
arg_status.add_argument('-ms', '--min-status', nargs='?', choices=STATUS, help="Sets the minimum status of rules to select")
arg_status.add_argument(
"-s", "--statuses", nargs="*", choices=STATUS, help="Select status of rules"
)
arg_status.add_argument(
"-ms",
"--min-status",
nargs="?",
choices=STATUS,
help="Sets the minimum status of rules to select",
)
arg_level = parser.add_mutually_exclusive_group(required=True)
arg_level.add_argument('-l', '--levels', nargs='*', choices=LEVEL, help="Select level of rules")
arg_level.add_argument('-ml', '--min-level', nargs='?', choices=LEVEL, help="Sets the minimum level of rules to select")
parser.add_argument('-r', '--rule-types', choices=RULES, nargs='*', help="Select type of rules")
arg_level.add_argument(
"-l", "--levels", nargs="*", choices=LEVEL, help="Select level of rules"
)
arg_level.add_argument(
"-ml",
"--min-level",
nargs="?",
choices=LEVEL,
help="Sets the minimum level of rules to select",
)
parser.add_argument(
"-r", "--rule-types", choices=RULES, nargs="*", help="Select type of rules"
)
args = parser.parse_args(arguments)
if not args.outfile.endswith(".zip"):
args.outfile = args.outfile + ".zip"
if os.path.exists(args.outfile):
print("[E] '{}' already exists. Choose a different output file name.".format(args.outfile))
print(
"[E] '{}' already exists. Choose a different output file name.".format(
args.outfile
)
)
sys.exit(1)
if args.rule_types == None:
args.rule_types = ["generic"]
print("[I] -r/--rule-types not defined: Using \"generic\" by default")
print('[I] -r/--rule-types not defined: Using "generic" by default')
if args.min_level != None:
i = LEVEL.index(args.min_level)
@@ -62,19 +93,20 @@ def init_arguments(arguments: list) -> list:
return args
def select_rules(args: dict) -> list:
selected_rules = []
def yield_next_rule_file_path(rule_path: str) -> str:
for root, _, files in os.walk(rule_path):
for file in files:
if file.endswith('.yml'):
if file.endswith(".yml"):
yield os.path.join(root, file)
def get_rule_yaml(file_path: str) -> dict:
data = []
with open(file_path, encoding='utf-8') as f:
with open(file_path, encoding="utf-8") as f:
yaml_parts = yaml.safe_load_all(f)
for part in yaml_parts:
data.append(part)
@@ -85,22 +117,29 @@ def select_rules(args: dict) -> list:
for file in yield_next_rule_file_path(rule_path=rules_path):
rule_yaml = get_rule_yaml(file_path=file)
if len(rule_yaml) != 1:
print("[E] rule {} is a multi-document file and will be skipped".format(file))
print(
"[E] rule {} is a multi-document file and will be skipped".format(
file
)
)
continue
rule = rule_yaml[0]
if (rule["level"] in args.levels and
rule["status"] in args.statuses):
if rule["level"] in args.levels and rule["status"] in args.statuses:
selected_rules.append(file)
return selected_rules
def write_zip(outfile: str, selected_rules: list):
with zipfile.ZipFile(outfile, mode='a', compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zip:
with zipfile.ZipFile(
outfile, mode="a", compression=zipfile.ZIP_DEFLATED, compresslevel=9
) as zip:
for rule_path in selected_rules:
zip.write(rule_path)
return
def main(arguments: list) -> int:
args = init_arguments(arguments)
@@ -111,5 +150,6 @@ def main(arguments: list) -> int:
write_zip(args.outfile, selected_rules)
print("[I] Written all rules to output ZIP file '{}'".format(args.outfile))
if __name__ == '__main__':
if __name__ == "__main__":
sys.exit(main(sys.argv[1:]))
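Review bot: `write_zip` (third hunk, the `zipfile.ZipFile(...)` call) opens the archive with `mode="a"`, so the only thing keeping it from silently appending rules to a pre-existing archive is the `os.path.exists` check performed earlier in `init_arguments`; a file that appears between that check and the open would be appended to rather than refused. Opening with `mode="x"` enforces the "must not already exist" requirement at open time instead: `with zipfile.ZipFile(outfile, mode="x", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zip:`. The `zip` alias also shadows the builtin of the same name; `archive` would read better. In the first hunk the reformat kept `if args.rule_types == None:` and `if args.min_level != None:`, which should be `is None` / `is not None`. `init_arguments` continues past the end of the first hunk, and `select_rules` starts in the second hunk and continues into the third.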