From b2f29afccb4a7e84a7e34b62e63bb4d60cdb7de0 Mon Sep 17 00:00:00 2001 
From: Mei Liu Date: Mon, 14 Feb 2022 15:03:41 -0800 Subject: [PATCH] Example: -O: attackMapFile: It's used to set subFunction in XML rule. It's a map of subFunction and tags.attack in YML file. ruleIndex: It's used to set rule id in XML rule. The format of rule id is PH_Rule_{ruleType}_SIGMA_{ruleIndex} ruleType: It's used to set rule id in XML rule. 1. Generate rule for one YML file a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=/opt/phoenix/data-definition/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml Output: Python Initiated Connection Python Initiated Connection true Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation rules/windows/network_connection/win_net_python.yml compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) eventType,hostName,isInitialed,procName COUNT(*) >= 1 phRecvTime,hostName,isInitialed,procName,rawEventMsg 2. Generate rules for YML files under rules/windows a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=/opt/phoenix/data-definition/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml Generate rules for YML files under rules/windows 3. Find files that is modified after some date. a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b. 
tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/ Output: rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated rules/windows/wmi_event/TestFile.yml, No date
---
 .../wmi_event/sysmon_wmi_susp_scripting.yml | 2 +-
 tools/sigma/backends/fortisiem.py | 3 +-
 tools/sigma/sigmac.py | 33 +++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index cd3dcfc43..005ea8e98 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
@@ -41,4 +41,4 @@ falsepositives:
 level: high
 tags:
 - attack.execution
- - attack.t1059.005
\ No newline at end of file
+ - attack.t1059.005
diff --git a/tools/sigma/backends/fortisiem.py b/tools/sigma/backends/fortisiem.py
index cd3dd44fe..da8cb0882 100644
--- a/tools/sigma/backends/fortisiem.py
+++ b/tools/sigma/backends/fortisiem.py
@@ -743,8 +743,7 @@ class FortisemBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
 res,errMsg = self.generateEvtConstrForOneLogsource(sigmaparser);
 if errMsg is not None:
- print(self.ymlFileName)
- print(errMsg)
+ print("%s, %s" % (self.ymlFileName, errMsg))
 return None
 result.add(res)
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index b27bc57bc..d1f1bc3aa 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -35,6 +35,8 @@ from sigma.backends.exceptions import BackendError, NotSupportedError, PartialMa
 from sigma.parser.modifiers import modifiers
 import codecs
 import copy
+import time
+import datetime
 sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
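Review bot: The merged diagnostic on the `+ print("%s, %s" % (self.ymlFileName, errMsg))` line still goes to stdout, which (judging by the commit message examples and the `sys.stdout` re-wrapping in sigmac.py) is also the channel the converted rules are written to when no `-o` file is given, so a "file, error" line can end up interleaved with generated XML that a consumer then tries to parse. Sending it to stderr keeps diagnostics and output apart: `print("%s, %s" % (self.ymlFileName, errMsg), file=sys.stderr)` — assuming `sys` is imported in this module, which the hunk does not show. The enclosing method starts and ends outside the hunk.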
@@ -111,6 +113,7 @@ def set_argparser():
 """)
 argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
 argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
+ argparser.add_argument("--lists-files-after-date", "-L",help="List yml files which is modified/created after the date (Example of the date: 2022/02/01).")
 argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.")
 argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')")
 argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself).
@@ -148,6 +151,32 @@ def list_modifiers(modifiers):
 for modifier_id, modifier in modifiers.items():
 print("{:>10} : {}".format(modifier_id, modifier.__doc__))
+def get_fileName_after_date(inputs, recurse, date):
+ #date: 2021/05/06
+ #modified: 2021/11/30
+ dateTime = time.mktime(datetime.datetime.strptime(date, "%Y/%m/%d").timetuple())
+ for sigmafile in get_inputs(inputs, recurse):
+ f = sigmafile.open(encoding='utf-8')
+ yamls = yaml.safe_load_all(f)
+ datestr = None
+ modifiedstr = None
+ for data in yamls:
+ modifiedstr = data.get("modified", None)
+ datestr = data.get("date", None)
+ if not modifiedstr and not datestr:
+ continue;
+
+ if not modifiedstr and not datestr:
+ print("%s, No date" % sigmafile)
+ continue
+
+ if not modifiedstr:
+ modifiedstr = datestr
+
+ modified = time.mktime(datetime.datetime.strptime(modifiedstr, "%Y/%m/%d").timetuple())
+ if modified > dateTime:
+ print("%s, Updated" % sigmafile)
+
 def main():
 argparser = set_argparser()
 cmdargs = argparser.parse_args()
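Review bot: The help text on the added `--lists-files-after-date` argument says "modified/created", which a user will read as filesystem timestamps, whereas the listing function added further down compares the rule's own `modified`/`date` YAML fields; the wording is also ungrammatical and the usage line shows no value format. Suggest `argparser.add_argument("--lists-files-after-date", "-L", metavar="YYYY/MM/DD", help="List YAML rule files whose 'modified' (or 'date') field is later than the given date, e.g. 2022/02/01.")`. The short option `-L` is fine provided no other argument in set_argparser() already uses it; only part of the parser is visible in the hunk.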
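Review bot: In the new get_fileName_after_date(), the handle from `f = sigmafile.open(encoding='utf-8')` is never closed, and because `yaml.safe_load_all` is lazy the file must stay open for the whole `for data in yamls` loop, so a `with` block around that loop is the right fix rather than a trailing `f.close()`. The two identical `if not modifiedstr and not datestr:` checks cannot both be useful: the collapsed view loses indentation, but either the `continue;` is the last statement of the inner loop (a no-op) or the "No date" branch is unreachable; in both readings the last YAML document wins, so a trailing undated document in a multi-document file hides an earlier dated one. A `modified`/`date` value that is not a string, or that is not in `%Y/%m/%d` form, raises out of `strptime` and aborts the whole listing, and an empty document makes `data.get` raise `AttributeError` on `None`; reporting the file and continuing is friendlier for a bulk run. The `time.mktime(...timetuple())` round trip is unnecessary since `datetime` objects compare directly, which would also let the `import time` added in the earlier hunk go away if nothing else uses it. The rewrite below keeps the function's name, parameters and printed strings and takes the newest stamp across documents.
```python
def get_fileName_after_date(inputs, recurse, date):
    """Print each rule file whose 'modified' (or 'date') field is later than date (YYYY/MM/DD)."""
    fmt = "%Y/%m/%d"
    threshold = datetime.datetime.strptime(date, fmt)

    def as_datetime(value):
        # YAML may already have parsed a dashed date into a date object.
        if isinstance(value, datetime.datetime):
            return value
        if isinstance(value, datetime.date):
            return datetime.datetime.combine(value, datetime.time())
        return datetime.datetime.strptime(str(value), fmt)

    for sigmafile in get_inputs(inputs, recurse):
        # safe_load_all is lazy: the handle must stay open while iterating.
        with sigmafile.open(encoding='utf-8') as f:
            docs = [d for d in yaml.safe_load_all(f) if isinstance(d, dict)]
        stamps = [d.get("modified") or d.get("date") for d in docs]
        stamps = [s for s in stamps if s]
        if not stamps:
            print("%s, No date" % sigmafile)
            continue
        try:
            modified = max(as_datetime(s) for s in stamps)
        except ValueError as err:
            print("%s, Unparsable date (%s)" % (sigmafile, err))
            continue
        if modified > threshold:
            print("%s, Updated" % sigmafile)
```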
@@ -175,6 +204,10 @@ def main():
 argparser.print_usage()
 sys.exit(0)
+ if cmdargs.lists_files_after_date is not None:
+ get_fileName_after_date(cmdargs.inputs, cmdargs.recurse, cmdargs.lists_files_after_date)
+ sys.exit(0)
+
 if cmdargs.target is None:
 print("No target selected, select one with -t/--target")
 argparser.print_usage()
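Review bot: The added `get_fileName_after_date(cmdargs.inputs, cmdargs.recurse, cmdargs.lists_files_after_date)` call passes the option value straight through, so a mistyped date such as `2022-02-01` surfaces as a `strptime` traceback instead of a usage error. Validating the argument up front and reporting it through `argparser.error()` gives the user the expected CLI behaviour and keeps a later parse failure on a rule file distinguishable from a bad command line. main() continues outside the hunk.
```python
    if cmdargs.lists_files_after_date is not None:
        try:
            datetime.datetime.strptime(cmdargs.lists_files_after_date, "%Y/%m/%d")
        except ValueError:
            argparser.error("--lists-files-after-date expects a date like 2022/02/01")
        get_fileName_after_date(cmdargs.inputs, cmdargs.recurse, cmdargs.lists_files_after_date)
        sys.exit(0)
```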