theflakes
Took a quick look, found an unfinished sigma rule from their repo was breaking things. Added a catch to ignore broken rules. Please note though that this script may never...
Also see: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml Problem is with lists and negation being converted correctly to Wazuh AND negation logic.
Also: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
Need to add check for detection token to see if it is a list (OR logic) or dictionary (AND logic). OR Logic: See: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml ``` { "selection_reg1": { "TargetObject|contains": [...
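As an added illustration of the list-versus-dictionary point above (example code written for this page, not code from the issue author's converter or from SigmaHQ): a small Python translator that walks a Sigma-style `detection` block, maps a dictionary selection to AND, a list selection (or a list-valued field) to OR, and pushes `not` down with De Morgan's laws so that a negated list becomes an AND of negated terms rather than a negated OR. The rule, the event records and the condition grammar (selection names joined by `and`, each optionally prefixed with `not`) are constructed assumptions for the demo; the rendered string is only a readable trace of the logic, not Wazuh rule XML.

```python
import re

# Constructed Sigma-style detection block (not copied from any SigmaHQ rule).
#   selection : dict            -> every field must match           (AND)
#               list-valued key -> any listed value may match        (OR)
#   filter    : list of dicts   -> any dict may match (OR), each dict AND
RULE = {
    "detection": {
        "selection": {
            "TargetObject|contains": ["\\Image File Execution Options\\",
                                      "\\SilentProcessExit\\"],
            "Details|contains": "0x00000200",
        },
        "filter": [
            {"Image|endswith": "\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM"},
            {"Image|endswith": "\\TiWorker.exe"},
        ],
        "condition": "selection and not filter",
    }
}

# AST nodes: ("field", name, modifier, value, negated) | ("and", [...]) | ("or", [...])
def field_to_ast(key, value):
    name, _, modifier = key.partition("|")
    values = value if isinstance(value, list) else [value]
    leaves = [("field", name, modifier or "equals", v, False) for v in values]
    return leaves[0] if len(leaves) == 1 else ("or", leaves)   # list value -> OR

def selection_to_ast(sel):
    if isinstance(sel, dict):                                   # dict -> AND
        kids = [field_to_ast(k, v) for k, v in sel.items()]
        return kids[0] if len(kids) == 1 else ("and", kids)
    if isinstance(sel, list):                                   # list -> OR
        kids = [selection_to_ast(i) if isinstance(i, dict)
                else ("field", "keyword", "contains", i, False) for i in sel]
        return kids[0] if len(kids) == 1 else ("or", kids)
    raise TypeError(f"unsupported selection type: {type(sel).__name__}")

def negate(node):
    """De Morgan: NOT(a AND b) == NOT a OR NOT b; NOT(a OR b) == NOT a AND NOT b."""
    if node[0] == "field":
        _, name, mod, value, neg = node
        return ("field", name, mod, value, not neg)
    return ("or" if node[0] == "and" else "and", [negate(c) for c in node[1]])

def condition_to_ast(detection):
    # Assumed grammar: "A and B and not C" (no parentheses, no "or", no "1 of").
    terms = []
    for term in re.split(r"\s+and\s+", detection["condition"].strip()):
        negated = term.startswith("not ")
        name = term[4:].strip() if negated else term
        ast = selection_to_ast(detection[name])
        terms.append(negate(ast) if negated else ast)
    return terms[0] if len(terms) == 1 else ("and", terms)

MATCHERS = {
    "equals": lambda actual, want: actual == want,
    "contains": lambda actual, want: want in actual,
    "startswith": lambda actual, want: actual.startswith(want),
    "endswith": lambda actual, want: actual.endswith(want),
}

def evaluate(node, event):
    """Case-insensitive match, as Sigma specifies; an absent field never matches."""
    if node[0] == "field":
        _, name, mod, value, negated = node
        want = str(value).lower()
        if name == "keyword":
            hit = any(want in str(v).lower() for v in event.values())
        else:
            actual = event.get(name)
            hit = actual is not None and MATCHERS[mod](str(actual).lower(), want)
        return hit != negated
    results = [evaluate(c, event) for c in node[1]]
    return all(results) if node[0] == "and" else any(results)

def render(node):
    """Readable trace of the boolean structure (not Wazuh XML)."""
    if node[0] == "field":
        _, name, mod, value, negated = node
        return f"{'NOT ' if negated else ''}{name} {mod} {value!r}"
    return "(" + f" {node[0].upper()} ".join(render(c) for c in node[1]) + ")"

def matches(rule, event):
    return evaluate(condition_to_ast(rule["detection"]), event)

# Constructed events: IFEO write by regedit (hit), same write by msiexec as SYSTEM
# (filtered), msiexec as a normal user (only half the filter dict matches -> still
# a hit), and an unrelated Run key write (selection fails).
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"
EVENTS = [
    {"TargetObject": IFEO, "Details": "DWORD (0x00000200)", "Image": r"C:\Windows\regedit.exe", "User": "CORP\\alice"},
    {"TargetObject": IFEO, "Details": "DWORD (0x00000200)", "Image": r"C:\Windows\System32\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"TargetObject": IFEO, "Details": "DWORD (0x00000200)", "Image": r"C:\Windows\System32\msiexec.exe", "User": "CORP\\bob"},
    {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x", "Details": "DWORD (0x00000200)", "Image": r"C:\Windows\regedit.exe", "User": "CORP\\alice"},
]

if __name__ == "__main__":
    print(render(condition_to_ast(RULE["detection"])))
    for ev in EVENTS:
        print(matches(RULE, ev), ev["Image"], ev["User"])
```

The third event is the one that separates correct from incorrect negation: the filter's first dict needs both `Image` and `User` to match, so "not filter" must become `(NOT Image ... OR NOT User ...) AND NOT Image ...`; a converter that simply negates each field and keeps the original AND would drop that event.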
Verify and fix: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
Unfortunately, I won't be able to get back to this project any time soon. But, there's issues with Wazuh and the number of rules and how we create dependencies between...
Nice work. You can test rules on the command line with /var/ossec/bin/wazuh-logtest. There's the legacy rule testing tool in the same directory called ossec-logtest. I think both will tell you...
Only if someone else takes on the work. The tool, for me, is for operational triage of live prod systems. Thanks
I'm reopening this. The registry crate this uses does allow for raw access of registry hives. Not sure if I'll ever get to it, but opening it and maybe I...