## Rule usage

1. Check the `./rules` sub directory for an overview on the rule base.
2. Run `python sigmac --help` in folder `./tools` to get help on the rule converter `sigmac`.
3. Convert a rule of your choice with `sigmac`, like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`.
4. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`.
5. Check the `./tools/config` folder and the wiki if you need custom field or log source mappings in your environment.

The repository also provides `merge_sigma.py`, which merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.

## Examples

- Pass `-I` in rule conversion for the selected backend (`-t splunk`).
- Use a configuration file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain your custom field and source mappings.
- Convert all `process_creation` rules (`-r rules/windows/process_creation`) with a configuration (`-c tools/config/generic/sysmon.yml`) that instructs sigmac to create queries for a Sysmon log source, and the ElasticSearch target backend (`-t es-qs`).
- Convert a single `process_creation` rule (`./rules/windows/process_creation/win_susp_outlook.yml`) with a configuration (`-c tools/config/generic/windows-audit.yml`) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog, and a Splunk target backend (`-t splunk`).

## Supported targets

The current list of supported targets can be found with `sigmac --target-list` or `sigmac -l`.
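The examples above convert the same rule against two different configurations, and the configuration is what decides which event ID and field names end up in the query. The following added example (written for this page, not code from the Sigma project) shows that mechanism with a deliberately minimal converter: a constructed `process_creation` rule in Sigma's detection/condition layout is rendered as a Splunk search, once with a constructed Sysmon-style config and once with a constructed Windows-Security-audit-style config. The rule, both configs, and the field mappings are simplified stand-ins; the real mappings live in the `tools/config/generic/*.yml` files, and the real `sigmac` supports far more modifiers and backends.

```python
import re

# Constructed Sigma rule (what sigmac would read from a YAML file), given
# here as Python data so the example runs without a YAML parser.
RULE = {
    "title": "Suspicious whoami usage (constructed example rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\whoami.exe",
            "CommandLine|contains": ["/all", "/priv"],
        },
        # Constructed exclusion: machine accounts (names ending in "$").
        "filter": {"User|endswith": "$"},
        "condition": "selection and not filter",
    },
}

# Constructed stand-ins for two sigmac configs: the same Sigma field names
# map to different event IDs and field names depending on the log source.
SYSMON_CONFIG = {
    "logsources": {"process_creation": "EventID=1"},
    "fieldmappings": {},  # Sysmon already uses the Sigma field names
}
WINDOWS_AUDIT_CONFIG = {
    "logsources": {"process_creation": "EventID=4688"},
    "fieldmappings": {
        "Image": "NewProcessName",
        "ParentImage": "ParentProcessName",
        "User": "SubjectUserName",
    },
}


def splunk_value(modifier, value):
    """Escape one value for a quoted Splunk term and apply the Sigma modifier as wildcards."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    if modifier == "":
        return text
    if modifier == "endswith":
        return "*" + text
    if modifier == "startswith":
        return text + "*"
    if modifier == "contains":
        return "*" + text + "*"
    raise ValueError(f"unsupported modifier: {modifier}")


def render_selection(selection, fieldmappings):
    """AND all fields of a selection; a list value becomes an OR of alternatives."""
    terms = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        field = fieldmappings.get(field, field)  # apply the config's field mapping
        values = value if isinstance(value, list) else [value]
        alts = [f'{field}="{splunk_value(modifier, v)}"' for v in values]
        terms.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return " AND ".join(terms)


def convert(rule, config):
    """Render a rule as a Splunk search string using the given config."""
    category = rule["logsource"]["category"]
    if category not in config["logsources"]:
        # This is the situation the README's step 5 talks about: the
        # environment needs a custom log source mapping.
        raise ValueError(f"no log source mapping for category {category!r}")
    detection = rule["detection"]
    parts = {
        name: render_selection(sel, config["fieldmappings"])
        for name, sel in detection.items()
        if name != "condition"
    }

    def substitute(match):
        # Keywords become Splunk operators, identifiers become their selection.
        token = match.group(0)
        if token in ("and", "or", "not"):
            return token.upper()
        if token in parts:
            return "(" + parts[token] + ")"
        raise ValueError(f"unknown identifier in condition: {token}")

    query = re.sub(r"\b\w+\b", substitute, detection["condition"])
    return f"{config['logsources'][category]} {query}"


if __name__ == "__main__":
    print("sysmon        :", convert(RULE, SYSMON_CONFIG))
    print("windows-audit :", convert(RULE, WINDOWS_AUDIT_CONFIG))
```

Running the script prints one search per configuration: the Sysmon variant filters on `EventID=1` and `Image`, the audit variant on `EventID=4688` and `NewProcessName`, while the detection logic (`selection and not filter`) is identical. A category missing from the config raises instead of silently producing a search that matches nothing, which is the failure mode a custom `-c` mapping exists to prevent.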
## Installation

For development (e.g. `make` and packaging), further dependencies are required and can be installed with:

## Parameter files

Long parameters (e.g. `--url`, `--key`) can be put without the prefixing dashes `--` into a file and included with `@filename` as parameter on the command line.

## Contributed scripts

The directory `contrib` contains scripts that were contributed by the community:

- `sigma2elastalert.py` by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool uses sigmac and expects it in its path.

## Licenses

- Everything under `tools/` is licensed under the GNU Lesser General Public License.
- The rules contained in the `rules/` directory are released under the GNU General Public License.