rsigma 0.17.0

CLI for parsing, validating, linting and evaluating Sigma detection rules
{
  "version": "1",
  "provenance": "Curated by rsigma from the MITRE ATT&CK data sources/components catalog and the SigmaHQ logsource taxonomy. Enterprise ATT&CK only. The data_component -> technique edges are a representative, hand-maintained subset, not the full ATT&CK STIX relationship set, so technique coverage derived from this table is indicative rather than exhaustive; supply a complete or site-specific table with --mapping to override it.",
  "logsources": [
    {"category": "process_creation", "data_source": "Process", "data_component": "Process Creation", "products": ["Windows", "Linux", "macOS"]},
    {"category": "create_remote_thread", "data_source": "Process", "data_component": "Process Modification", "products": ["Windows"]},
    {"category": "process_access", "data_source": "Process", "data_component": "Process Access", "products": ["Windows"]},
    {"category": "image_load", "data_source": "Module", "data_component": "Module Load", "products": ["Windows"]},
    {"category": "network_connection", "data_source": "Network Traffic", "data_component": "Network Connection Creation", "products": ["Windows", "Linux", "macOS"]},
    {"category": "dns_query", "data_source": "Network Traffic", "data_component": "Network Connection Creation", "products": ["Windows"]},
    {"category": "firewall", "data_source": "Network Traffic", "data_component": "Network Traffic Flow", "products": ["Linux"]},
    {"category": "file_event", "data_source": "File", "data_component": "File Creation", "products": ["Windows", "Linux", "macOS"]},
    {"category": "file_change", "data_source": "File", "data_component": "File Modification", "products": ["Windows"]},
    {"category": "file_delete", "data_source": "File", "data_component": "File Deletion", "products": ["Windows"]},
    {"category": "file_rename", "data_source": "File", "data_component": "File Modification", "products": ["Windows"]},
    {"category": "registry_event", "data_source": "Windows Registry", "data_component": "Windows Registry Key Modification", "products": ["Windows"]},
    {"category": "registry_set", "data_source": "Windows Registry", "data_component": "Windows Registry Key Modification", "products": ["Windows"]},
    {"category": "registry_add", "data_source": "Windows Registry", "data_component": "Windows Registry Key Creation", "products": ["Windows"]},
    {"category": "registry_delete", "data_source": "Windows Registry", "data_component": "Windows Registry Key Deletion", "products": ["Windows"]},
    {"category": "ps_script", "data_source": "Script", "data_component": "Script Execution", "products": ["Windows"]},
    {"category": "ps_module", "data_source": "Script", "data_component": "Script Execution", "products": ["Windows"]},
    {"category": "pipe_created", "data_source": "Named Pipe", "data_component": "Named Pipe Metadata", "products": ["Windows"]},
    {"category": "authentication", "data_source": "Logon Session", "data_component": "Logon Session Creation", "products": ["Windows", "Linux"]}
  ],
  "fields": [
    {"field": "Image", "data_component": "Process Creation"},
    {"field": "ParentImage", "data_component": "Process Creation"},
    {"field": "CommandLine", "data_component": "Process Creation"},
    {"field": "ParentCommandLine", "data_component": "Process Creation"},
    {"field": "OriginalFileName", "data_component": "Process Creation"},
    {"field": "CurrentDirectory", "data_component": "Process Creation"},
    {"field": "IntegrityLevel", "data_component": "Process Creation"},
    {"field": "ParentProcessId", "data_component": "Process Creation"},
    {"field": "ProcessId", "data_component": "Process Creation"},
    {"field": "TargetImage", "data_component": "Process Access"},
    {"field": "GrantedAccess", "data_component": "Process Access"},
    {"field": "StartModule", "data_component": "Process Modification"},
    {"field": "ImageLoaded", "data_component": "Module Load"},
    {"field": "Signature", "data_component": "Module Load"},
    {"field": "Signed", "data_component": "Module Load"},
    {"field": "DestinationIp", "data_component": "Network Connection Creation"},
    {"field": "DestinationPort", "data_component": "Network Connection Creation"},
    {"field": "DestinationHostname", "data_component": "Network Connection Creation"},
    {"field": "SourceIp", "data_component": "Network Connection Creation"},
    {"field": "SourcePort", "data_component": "Network Connection Creation"},
    {"field": "Protocol", "data_component": "Network Connection Creation"},
    {"field": "QueryName", "data_component": "Network Connection Creation"},
    {"field": "QueryResults", "data_component": "Network Connection Creation"},
    {"field": "TargetFilename", "data_component": "File Creation"},
    {"field": "Filename", "data_component": "File Creation"},
    {"field": "TargetObject", "data_component": "Windows Registry Key Modification"},
    {"field": "Details", "data_component": "Windows Registry Key Modification"},
    {"field": "ScriptBlockText", "data_component": "Script Execution"},
    {"field": "PipeName", "data_component": "Named Pipe Metadata"},
    {"field": "LogonType", "data_component": "Logon Session Creation"},
    {"field": "TargetUserName", "data_component": "Logon Session Creation"},
    {"field": "SubjectUserName", "data_component": "Logon Session Creation"}
  ],
  "data_components": [
    {"name": "Process Creation", "data_source": "Process", "techniques": ["T1059", "T1059.001", "T1059.003", "T1059.004", "T1106", "T1204", "T1543", "T1036"]},
    {"name": "Process Access", "data_source": "Process", "techniques": ["T1055", "T1003", "T1003.001"]},
    {"name": "Process Modification", "data_source": "Process", "techniques": ["T1055", "T1055.001", "T1055.002"]},
    {"name": "Module Load", "data_source": "Module", "techniques": ["T1129", "T1574", "T1574.002"]},
    {"name": "Network Connection Creation", "data_source": "Network Traffic", "techniques": ["T1071", "T1071.001", "T1095", "T1571", "T1041", "T1090"]},
    {"name": "Network Traffic Flow", "data_source": "Network Traffic", "techniques": ["T1071", "T1571", "T1572"]},
    {"name": "File Creation", "data_source": "File", "techniques": ["T1105", "T1027", "T1486", "T1564"]},
    {"name": "File Modification", "data_source": "File", "techniques": ["T1565", "T1070"]},
    {"name": "File Deletion", "data_source": "File", "techniques": ["T1070.004", "T1485"]},
    {"name": "Windows Registry Key Modification", "data_source": "Windows Registry", "techniques": ["T1112", "T1547", "T1546", "T1037"]},
    {"name": "Windows Registry Key Creation", "data_source": "Windows Registry", "techniques": ["T1547.001", "T1112"]},
    {"name": "Windows Registry Key Deletion", "data_source": "Windows Registry", "techniques": ["T1070", "T1112"]},
    {"name": "Script Execution", "data_source": "Script", "techniques": ["T1059", "T1059.001", "T1059.005"]},
    {"name": "Named Pipe Metadata", "data_source": "Named Pipe", "techniques": ["T1559", "T1572"]},
    {"name": "Logon Session Creation", "data_source": "Logon Session", "techniques": ["T1078", "T1021", "T1133"]}
  ]
}