Map EVTX samples to Sigma rules
Someone should map publicly available EVTX samples to Sigma rules. This would enable us to automatically test the correctness of generated queries.
Known security-related EVTX repositories:
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
- https://github.com/Cyb3rWard0g/mordor
Feel free to extend the list.
Mapping should be:
Sigma rule -> Repository/EVTX ( -> expected matched event)
Comment here if you want to support!
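As an added illustration (not code from the Sigma project or from this issue) of what the proposed "Sigma rule -> EVTX sample -> expected matched event" mapping could be tested against, the following Python harness evaluates a constructed rule over constructed events that stand in for a JSON-converted EVTX sample and compares the matched EventRecordIDs with the mapping's expectation. It assumes the EVTX file has already been converted to JSON-like records and reduces Sigma detection to a single selection (AND of fields, list values meaning OR, the `|contains`, `|startswith` and `|endswith` modifiers); the rule id, sample name and events are placeholders.

```python
# Added example, not code from the Sigma project or this issue.
# Assumptions: the EVTX sample has already been converted to a list of
# JSON-like event dicts, and Sigma detection is reduced to one selection
# (AND of fields, list values meaning OR, |contains/|startswith/|endswith).
RULE = {                       # constructed rule; "example-rule-id" is a placeholder
    "id": "example-rule-id",
    "detection": {
        "selection": {"EventID": 1, "Image|endswith": ["\\whoami.exe", "\\net.exe"]},
        "condition": "selection",
    },
}
EVENTS = [                     # constructed events standing in for one EVTX sample
    {"EventRecordID": 1, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventRecordID": 2, "EventID": 1, "Image": "C:\\Windows\\System32\\whoami.exe"},
    {"EventRecordID": 3, "EventID": 3, "Image": "C:\\Windows\\System32\\whoami.exe"},
    {"EventRecordID": 4, "EventID": 1, "Image": "C:\\Windows\\System32\\net.exe"},
]
MAPPING = [                    # constructed: Sigma rule -> sample -> expected matched events
    {"rule": "example-rule-id", "sample": "constructed.evtx", "expected_record_ids": [2, 4]},
]

def _one(value, wanted, modifier):
    if modifier == "":
        return value == wanted
    s, w = str(value).lower(), str(wanted).lower()   # Sigma string matching is case-insensitive
    if modifier == "endswith":   return s.endswith(w)
    if modifier == "startswith": return s.startswith(w)
    if modifier == "contains":   return w in s
    raise ValueError(f"unsupported modifier: {modifier}")

def field_matches(event, key, wanted):
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    options = wanted if isinstance(wanted, list) else [wanted]   # list = OR of values
    return any(_one(event[name], w, modifier) for w in options)

def rule_matches(rule, event):
    # Only "condition: selection" is supported in this toy evaluator.
    selection = rule["detection"]["selection"]
    return all(field_matches(event, k, v) for k, v in selection.items())

def matched_record_ids(rule, events):
    return sorted(e["EventRecordID"] for e in events if rule_matches(rule, e))

def check_mapping(mapping, rules, samples):
    """For each mapping entry return (ok, matched ids) keyed by (rule, sample)."""
    results = {}
    for m in mapping:
        got = matched_record_ids(rules[m["rule"]], samples[m["sample"]])
        results[(m["rule"], m["sample"])] = (got == sorted(m["expected_record_ids"]), got)
    return results
```

A mismatch between the expected and matched record ids flags either a wrong rule or a wrong mapping entry, which is exactly the regression signal the proposal is after.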
Hi, I don't understand what you mean. How should EVTX samples be mapped to a Sigma rule? In the references section of a Sigma rule?
I think that's a good idea, something like this:
reference:
- https://<rule url>#<event-id in evtx>
As this is a fairly old issue, would this be prime for closing?
It seems that the GitHub Actions pipeline within the project specifies steps for testing evtx_baseline in .github/workflows/sigma-test.yml within the check-baseline-win* jobs.
Referencing needs for EventIDs can go into the rule documentation and anything extra (like examples) can be made into wiki documents.
I'd like to think about this. Could be a useful resource for new SIEM implementation.
Closing this as there are future plans to integrate testing in other ways.