rsigma 0.18.0

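CLI for parsing, validating, linting and evaluating Sigma detection rules.

The JSON below is a sample report from evaluating three rules against a two-file event corpus. Each entry in "expectations" compares a rule's actual fire count with its declared bound, and rules that fired without an expectation are listed under "unexpected".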
{
  "summary": {
    "corpus_files": 2,
    "events_processed": 4,
    "rules_loaded": 3,
    "expectations_total": 2,
    "expectations_passed": 1,
    "expectations_failed": 1,
    "unexpected_rules": 1,
    "unexpected_fires": 1,
    "unexpected_policy": "fail",
    "duration_ms": 0
  },
  "expectations": [
    {
      "rule": "11111111-1111-1111-1111-111111111111",
      "rule_key": "11111111-1111-1111-1111-111111111111",
      "bound": ">= 1",
      "actual": 2,
      "pass": true
    },
    {
      "rule": "22222222-2222-2222-2222-222222222222",
      "rule_key": "22222222-2222-2222-2222-222222222222",
      "bound": "exactly 0",
      "actual": 1,
      "pass": false
    }
  ],
  "rules": [
    {
      "rule_id": "11111111-1111-1111-1111-111111111111",
      "rule_title": "Whoami Execution",
      "level": "low",
      "logsource": {
        "category": "process_creation",
        "product": "windows"
      },
      "fires": 2,
      "by_file": {
        "a.ndjson": 1,
        "b.ndjson": 1
      }
    },
    {
      "rule_id": "22222222-2222-2222-2222-222222222222",
      "rule_title": "Netstat Execution",
      "level": "informational",
      "logsource": {
        "category": "process_creation",
        "product": "windows"
      },
      "fires": 1,
      "by_file": {
        "a.ndjson": 1
      }
    },
    {
      "rule_id": "33333333-3333-3333-3333-333333333333",
      "rule_title": "Ping Execution",
      "level": "informational",
      "logsource": {
        "category": "process_creation",
        "product": "windows"
      },
      "fires": 1,
      "by_file": {
        "a.ndjson": 1
      }
    }
  ],
  "unexpected": [
    {
      "rule_key": "33333333-3333-3333-3333-333333333333",
      "rule_title": "Ping Execution",
      "level": "informational",
      "logsource": {
        "category": "process_creation",
        "product": "windows"
      },
      "fires": 1
    }
  ],
  "by_logsource": [
    {
      "logsource": "windows/process_creation",
      "unexpected_fires": 1,
      "rules": [
        "33333333-3333-3333-3333-333333333333"
      ]
    }
  ]
}