Sigma tactics organizer
Summary of the Pull Request
As discussed here https://github.com/SigmaHQ/sigma/discussions/4624, this PR adds to the tools folder a simple script to organize the Sigma rules into the MITRE ATT&CK framework.
I'd like to add the possibility to have multiple input folders for Sigma rules. The repo is structured so that we use multiple folders (rules, rules-emerging-threats, rules-threat-hunting). By default we shouldn't add all of these but the script should be able to handle multiple input directories.
Other than that it looks good to me so far. I would test it a bit locally first before merging, though. Haven't done that yet.
@phantinuss yes, your suggestion is very interesting :) For now, I have only considered the "main" rules folder, but I think it is easily fixable.
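To make concrete what the script described in the PR does, and how the multiple-input-folder handling suggested in the review could look, here is an added example. It is illustrative code written for this page, not the script from the PR or any SigmaHQ tool. It assumes Sigma's tagging convention (tactics as `attack.defense_evasion`-style tags, techniques as `attack.t1059.001`), reads only the `tags:` list of each rule with a small hand-written extractor instead of a YAML library (a real tool would use PyYAML, as Sigma's own tooling does), and works on a constructed set of sample rules rather than the repository's rules. The folder names `rules`, `rules-emerging-threats` and `rules-threat-hunting` are the ones named in the review.

```python
"""Group Sigma rules from several input folders by MITRE ATT&CK tactic.

Added example for this page; not the PR's script. Assumes Sigma's tagging
convention: tactics as ``attack.<tactic>`` and techniques as ``attack.tNNNN[.NNN]``.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# The 14 ATT&CK Enterprise tactics in the snake_case form Sigma uses after "attack.".
TACTICS = {
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion", "credential_access",
    "discovery", "lateral_movement", "collection", "command_and_control",
    "exfiltration", "impact",
}
TECHNIQUE_RE = re.compile(r"^attack\.t\d{4}(?:\.\d{3})?$")

# Constructed sample rules (not from the SigmaHQ repository). The top-level
# folders mirror the three repo folders mentioned in the review.
SAMPLE_RULES = {
    "rules/proc_creation_win_example.yml": (
        "title: Example Process Creation\n"
        "id: 00000000-0000-0000-0000-000000000001\n"
        "tags:\n"
        "    - attack.execution\n"
        "    - attack.t1059.001\n"
        "    - attack.defense_evasion\n"
        "    - cve.2099.0001\n"
        "level: medium\n"
    ),
    "rules-threat-hunting/net_example.yml": (
        "title: Example Network Hunting\n"
        "id: 00000000-0000-0000-0000-000000000002\n"
        "tags: [attack.command_and_control, attack.t1071.001]\n"
    ),
    "rules-emerging-threats/untagged.yml": (
        "title: Untagged Rule\n"
        "id: 00000000-0000-0000-0000-000000000003\n"
    ),
}


def extract_tags(rule_text: str) -> list[str]:
    """Return the 'tags' list of a Sigma rule without a YAML library.

    Handles the block form (one '- tag' per indented line) and the flow form
    ('tags: [a, b]'); every other key in the file is ignored. This is a
    deliberate simplification: a production tool should parse the YAML properly.
    """
    lines = rule_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^tags:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("["):
            return [t.strip().strip("'\"") for t in rest.strip("[]").split(",") if t.strip()]
        tags = []
        for follow in lines[i + 1:]:
            item = re.match(r"^\s+-\s*(\S+)", follow)
            if not item:          # first non-list line ends the block
                break
            tags.append(item.group(1).strip("'\""))
        return tags
    return []


def classify(tags: list[str]) -> tuple[list[str], list[str]]:
    """Split a rule's tags into ATT&CK tactics and technique IDs; drop the rest."""
    prefix = "attack."
    tactics = sorted(t[len(prefix):] for t in tags
                     if t.startswith(prefix) and t[len(prefix):] in TACTICS)
    techniques = sorted(t[len(prefix):] for t in tags if TECHNIQUE_RE.match(t))
    return tactics, techniques


def group_by_tactic(input_dirs) -> dict[str, list[str]]:
    """Walk every input folder and map each tactic to the rule files tagged with it.

    A rule tagged with several tactics is listed under each of them; rules with
    no tactic tag are collected under 'untagged' so they are easy to review.
    """
    grouped = defaultdict(list)
    for folder in input_dirs:
        folder = Path(folder)
        for rule_path in sorted(folder.rglob("*.yml")):
            tactics, _ = classify(extract_tags(rule_path.read_text(encoding="utf-8")))
            key_path = f"{folder.name}/{rule_path.relative_to(folder).as_posix()}"
            for tactic in tactics or ["untagged"]:
                grouped[tactic].append(key_path)
    return {k: sorted(v) for k, v in sorted(grouped.items())}


def build_sample_tree(root) -> list[Path]:
    """Write the constructed sample rules under root and return the input folders."""
    for rel, text in SAMPLE_RULES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    return [Path(root) / d for d in ("rules", "rules-emerging-threats", "rules-threat-hunting")]


def demo() -> dict[str, list[str]]:
    """Run the grouping over the sample tree in a temporary directory."""
    return group_by_tactic(build_sample_tree(tempfile.mkdtemp(prefix="sigma_tactics_")))


if __name__ == "__main__":
    for tactic, rules in demo().items():
        print(f"{tactic}:")
        for rule in rules:
            print(f"  {rule}")
```

Passing several folders to `group_by_tactic` is what makes the reviewer's point workable: each rule keeps its originating folder in the reported path, so the output distinguishes a stable rule in `rules/` from one in `rules-threat-hunting/`, and the `untagged` bucket surfaces rules that lack any tactic tag before they are sorted into the framework.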