sigma_to_wazuh
Convert Sigma rules to Wazuh rules
pls, help me ERROR: (1226): Error reading XML file 'etc/rules/sigmano18702.xml': XMLERR: String overflow. (line 18702).
When using the default Core sigma rule set, there is an issue with the following rule when it's translated: Original Sigma rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml What I noticed: - The sigma rule...
Hello bro, the script sigma_to_wazuh.py does not work. I tried using different machines and python versions. Here is the error: [root@localhost sigma_to_wazuh]# python3 sigma_to_wazuh.py [!] ERROR loading rule id tracking...
Hey guys. At the risk of embarrassing myself now. I have loaded the rules and run the script. I tried to read the sigma.xml into my Wazuh test server, but...
See: https://github.com/SigmaHQ/sigma/blob/b4cb047ae720b37b11f8506de7965dc29d5920be/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
```yaml
detection:
  selection1:
    TargetObject|contains:
      - 'Software\Microsoft\Office\'
      - '\Outlook\Today\'
  selectionStamp:
    EventType: SetValue
    TargetObject|endswith: Stamp
    Details: DWORD (0x00000001)
  selectionUserDefined:
    TargetObject|endswith: UserDefinedUrl
  filter_office:
    Image|startswith:
      - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
      - 'C:\Program Files\Common...
```
Verify Sigma to Wazuh field name mappings
I think it would be better to use sysmon group matching instead of windows if_sid. Example: We have a [Sigma Rule category like **image_load**](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml); it corresponds to the event [sysmon EventID 7](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded)...