pySigma-backend-splunk
pySigma Splunk backend
Hi, I am trying to convert the following correlation rule: ``` title: Multiple failed logons id: a8418a5a-5fc4-46b5-b23b-6c73beb19d41 description: Detects multiple failed logins within a certain amount of time name:...
Request: Using the fields: key to define the values() from a |stats command in correlation searches
Currently the correlation search can only reveal the data that is included in a detection if it is part of the explicit logic of the detection or if it is...
I'd like to have this backend output a dynamic stats command based on the `fields` field. Take this example detection ``` title: Example Detection date: 2024/03/26 status: experimental author: burnsn1...
Hello, when converting a rule with `cidr` I get an error ```bash sigma convert -t splunk -p splunk_windows .\rules\windows\network_connection\net_connection_win_script_wan.yml Parsing Sigma rules [####################################] 100% Error while conversion: ORing CIDR matching...
``` sigma convert --target 'splunk' --pipeline /home/jump/git/win_evt_pipeline.yml /home/jump/git/sigma/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml --skip-unsupported Parsing Sigma rules [####################################] 100% [default] dispatch.earliest_time = -30d dispatch.latest_time = now enableSched = 1 cron_schedule = */15 * * *...
Hi! I am currently using the `splunk_windows` pipeline and I am looking for a pipeline option to avoid the Splunk table output as the following: ``` ... | table ComputerName,User,SourceImage,TargetImage,CallTrace...
Hi, I think `.`s should be escaped in Splunk searches. I create a query: ``` sigmac -t splunk -c tools/config/splunk-windows.yml rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml ((((ParentCommandLine="*cmd*" ParentCommandLine="*/c*" CommandLine="*/../../*")) NOT (((CommandLine="*\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java*"))))) ``` and paste it...
It would be nice if it were possible to use the |re modifier in a rule's YAML; currently it is not supported by the backend. I thought about how...
Take the following rule and example: ```yaml title: Suspicious DNS Query with B64 Encoded String id: 4153a907-2451-4e4f-a578-c52bb6881432 status: experimental description: Detects suspicious DNS queries using base64 encoding author: Florian Roth...
Hello, it seems there is a problem in tstat searches in terms of logical operator execution order. I am trying to convert the following rule to a tstat search: ```...