
add sigma authoring capability #1

Open
adonm opened this issue Mar 18, 2024 · 2 comments
adonm commented Mar 18, 2024

work out how to use something like https://msticpy.readthedocs.io/en/latest/data_analysis/IoCExtract.html to rip IOCs out of any old text and make a basic Sigma rule that could be the basis of STIX / other types of queries

@adonm adonm self-assigned this Mar 18, 2024
adonm commented Mar 22, 2024

basic extraction works - thoughts are: have a few templates for different IOCs and generate a Sigma detection with sane defaults, then make it easy to tweak metadata and generate queries from it.

Also it would be nice to use something similar to https://github.com/3CORESec/SIEGMA/blob/master/rule_file_creator_scripts/ala_rule.py to enable generation of Sentinel ARM templates directly (this would be very handy for ad hoc maintenance of detection logic in https://learn.microsoft.com/en-us/azure/sentinel/ci-cd?tabs=github repository-managed templates)
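As an added example of the pipeline sketched in the comment above (this is not code from this repository, from msticpy or from SIEGMA): refang and extract IoCs from free text, then fill a per-IoC-type Sigma template with sane defaults and render it as YAML. The regexes are a simplified stand-in for msticpy's `IoCExtract`, the `SIGMA_TEMPLATES` mapping (logsource and field per indicator type), the function names and the defanged sample text are all assumptions constructed for this illustration.

```python
"""Extract IoCs from free text and turn them into a basic Sigma rule.

Added example, not code from this repository or from msticpy: the regexes
below are a simplified stand-in for msticpy's IoCExtract, and the Sigma
templates (logsource + field per IoC type) are assumed "sane defaults".
The sample text at the bottom is constructed.
"""
import re
import uuid
from datetime import date

# Simplified IoC patterns (assumption: a real deployment would use
# msticpy.transform.iocextract.IoCExtract instead of hand-rolled regexes).
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    # Small TLD allowlist keeps file names such as "update.exe" from matching.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz|example)\b", re.I),
}

# Per-IoC-type Sigma templates (assumed defaults): where the indicator shows up
# and how the value is written in that field. Sigma's process_creation "Hashes"
# field uses the "ALGO=value" convention, hence the fmt callables.
SIGMA_TEMPLATES = {
    "ipv4": {"logsource": {"category": "network_connection", "product": "windows"},
             "field": "DestinationIp", "fmt": lambda v: v},
    "domain": {"logsource": {"category": "dns_query", "product": "windows"},
               "field": "QueryName", "fmt": lambda v: v},
    "sha256": {"logsource": {"category": "process_creation", "product": "windows"},
               "field": "Hashes|contains", "fmt": lambda v: f"SHA256={v}"},
    "md5": {"logsource": {"category": "process_creation", "product": "windows"},
            "field": "Hashes|contains", "fmt": lambda v: f"MD5={v}"},
}


def refang(text: str) -> str:
    """Undo common defanging so the patterns see the real indicators."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return {ioc_type: sorted unique values} for every type that matched."""
    text = refang(text)
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        hits = sorted({m.group(0) for m in pattern.finditer(text)})
        if hits:
            found[kind] = hits
    return found


def build_sigma_rule(kind: str, values: list[str], author: str = "ioc-extractor") -> dict:
    """Fill the template for one IoC type with sane defaults.

    The rule id is a UUIDv5 of the indicator set, so regenerating the rule from
    the same IoCs yields the same id (no churn in a git-managed rule repo).
    """
    tpl = SIGMA_TEMPLATES[kind]
    values = sorted(set(values))
    return {
        "title": f"Known-bad {kind} indicator observed",
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{kind}:{','.join(values)}")),
        "status": "experimental",
        "description": f"Auto-generated from {len(values)} extracted {kind} IoC(s); review before deploying.",
        "author": author,
        "date": date.today().isoformat(),
        "logsource": dict(tpl["logsource"]),
        "detection": {
            "selection": {tpl["field"]: [tpl["fmt"](v) for v in values]},
            "condition": "selection",
        },
        "falsepositives": ["Unknown"],
        "level": "medium",
    }


def _scalar(value) -> str:
    # Single-quote every scalar so IPs, hashes and "ALGO=value" strings round-trip.
    return "'" + str(value).replace("'", "''") + "'"


def _yaml_lines(obj, indent: int = 0) -> list[str]:
    """Minimal YAML emitter for the nested dict/list/str shape used above."""
    pad = " " * indent
    lines = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, (dict, list)) and val:
                lines.append(f"{pad}{key}:")
                lines.extend(_yaml_lines(val, indent + 2))
            elif isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}: {'{}' if isinstance(val, dict) else '[]'}")
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    else:
        lines.extend(f"{pad}- {_scalar(item)}" for item in obj)
    return lines


def render_sigma(rule: dict) -> str:
    """Serialise a rule dict to Sigma-style YAML text."""
    return "\n".join(_yaml_lines(rule)) + "\n"


# Constructed sample text (defanged; uses reserved TEST-NET-3 and .example values).
SAMPLE_TEXT = (
    "Beacon traffic to 203.0.113.45 over hxxp://c2-staging[.]example/gate, "
    "dropper sha256 " + "0123456789abcdef" * 4 + " seen on host."
)

if __name__ == "__main__":
    for ioc_type, vals in extract_iocs(SAMPLE_TEXT).items():
        print(render_sigma(build_sigma_rule(ioc_type, vals)))
```

Running the module prints one Sigma rule per indicator type found in `SAMPLE_TEXT` (ipv4, domain, sha256). The deterministic `id` is the design choice worth keeping if the rules end up in a CI/CD-managed repository: re-running the generator over the same report produces an identical file instead of a spurious diff, and only genuine metadata tweaks (title, level, falsepositives) show up in review.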

adonm commented Mar 22, 2024

also should review "Introducing SigmaHQ Rule Creation GUI": https://blog.sigmahq.io/introducing-sigmahq-rule-creation-gui-ff68d70cda21
