Thomas Patzke

icon indicating a website link http://patzke.org icon indicating an email [email protected]

icon company Code published here is private and not affiliated with my employer. icon location Germany icon location Loves to build InfoSec-related tools.

Results 10 issues of Thomas Patzke

Map EVTX samples to Sigma rules

2 comment

Someone should map publicly available EVTX samples to Sigma rules. This would enable us to automatically test the correctness of generated queries. Known security-related EVTX repositories: * https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES * https://github.com/Cyb3rWard0g/mordor...

help wanted
qa
good first issue

Processing pipelines are recreated for each rule conversion

At [this location](https://github.com/SigmaHQ/pySigma/blob/80902f2db11bdd57f2ee7d48c483c24d5cdbcd90/sigma/conversion/base.py#L147) the final conversion processing pipeline is created for each rule conversion. This is currently necessary because a processing pipeline also maintains a state and its recreation is...

optimization

Implementing NOT operation as `!=`

### Discussed in https://github.com/SigmaHQ/pySigma/discussions/80 Originally posted by **barvhaim** December 6, 2022 Hello, I am migrating the STIX backend to pySigma, in order to translate rules includes `not x`, we don't...

enhancement

Reference to other rules in the condition of a detection

1 comment

### Discussed in https://github.com/SigmaHQ/sigma-specification/discussions/6 Idea: add a correlation type that allows to inject/include detections from one rule to another and use them from there. This would be quite useful for...

enhancement

Link documentation

Add links to documentation (that sometimes has to be created, e.g. for correlations parameters) and possible other helpful resources (SigmaHQ blog, other blogs) as comment into template.

EventIDs typed as string causing matching errors

1 comment

Good morning, there is a similar issue regarding the field mapping of keyword fields which contain numerical data (e.g. event.code) using the `ESQL` backend: Searching for ```yaml detection: condition: selection...

wait-for-pysigma-v1

Conditions added by processing pipelines are deferred with OR-ed regex

2 comment

## Problem Regular expressions logically linked with OR are deferred ## Reproduction Processing pipeline: ``` name: Example Sigma Pipeline Config priority: 100 transformations: - id: prefix_source_and_index type: add_condition conditions: index:...

bug

Processing pipelines on Keyword-based detections ?

1 comment

## Idea Extend the existing field name mapping to map null values to a field name. Question: is this possible in YAML? If not: dedicated transformation. ### Discussed in https://github.com/SigmaHQ/pySigma/discussions/339...

enhancement

Add Condition Transformation not applied if condition is empty

This is required if all query terms are moved into deferred query parts, eg Splunk regular expressions.

Trailing backslashes escape wildcards added by modifiers

5 comment

From the [community Discord](https://discord.com/channels/1176230866515669072/1176231661285945364/1448064743112839440): When converting a Sigma rule to the EQL using the elastic backend and the `ecs_windows` pipeline, strings ending with a backslash immediately followed by a wildcard...