SigmaHQ / sigma

Main Sigma Rule Repository

Programmatically create sigma rules #280

Closed. geekscrapy closed this 2 years ago

geekscrapy commented 5 years ago

Is there a way to create sigma rules programmatically (python lib?)? Say if you have a load of IOCs that you want to create basic rules for?

thomaspatzke commented 5 years ago

Planned this, e.g. for generation of Sigma rules from MISP events.

geekscrapy commented 5 years ago

That's exactly the reason I asked 😁

Any info on the current dev would be appreciated, and perhaps I could assist.

I'd be looking to create very simple sigma rules for the basic attributes at first (md5, ip etc) but then to develop it to encompass objects and their relationships (as some field types only exist in objects).

thomaspatzke commented 5 years ago

You could possibly start with a mapping between MISP attributes and log sources as starting point for the development. I also already proposed some changes to MISP objects to be able to map common cases to these. So if you see rules that don't match well to any attribute types/objects, feel free to propose something. We can discuss it here or you can do this directly as pull request to the MISP objects repository.

I plan to start with some development within the next weeks, but feel free to initiate the coding part if you have the time. We should stay coordinated, I think for the first this issue here is sufficient for this purpose.

59e5aaf4 commented 4 years ago

FYI, we did it, it's not complex to draft in Python (can't release it though). Just stuff a Python object with properties, and dump them with YAML. You might have some trouble reducing the rules' verbosity in some cases, but it's not impossible to overcome. Good luck!
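The approach sketched above (fill Python objects with the rule fields, dump them as YAML), as an added example that is not code from the Sigma project or from any commenter in this thread. It takes a flat list of IOCs in the style of MISP attributes, validates each value so a malformed indicator cannot produce a never-matching or overly broad rule, groups indicators per logsource and field so one rule carries many values (which keeps the output short, the verbosity point raised above), and gives each rule a deterministic id so regenerating the same feed does not churn rule ids. The attribute-to-logsource mapping in `IOC_MAP`, the field names and the sample feed are assumptions chosen for illustration; PyYAML is used when installed, otherwise a tiny emitter stands in so the script runs offline.

```python
"""Draft Sigma rules from a flat IOC list by filling dicts and dumping them as YAML.

Added example for this thread, not code from the Sigma project. IOC_MAP (MISP
attribute type -> Sigma logsource/field) and SAMPLE_IOCS are assumptions.
"""
import ipaddress
import re
import uuid
from datetime import date

try:
    import yaml  # PyYAML, used when present
except ImportError:  # minimal fallback so the example runs without PyYAML
    yaml = None

# Constructed sample feed: (MISP attribute type, value). The last entry is malformed on purpose.
SAMPLE_IOCS = [
    ("md5", "44d88612fea8a8f36de82e1278abb02f"),
    ("sha256", "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"),
    ("ip-dst", "198.51.100.23"),
    ("ip-dst", "203.0.113.9"),
    ("domain", "malicious.example"),
    ("md5", "not-a-hash"),
]

# Assumed mapping: attribute type -> (logsource, Sigma field with modifier, value formatter).
# Hashes are matched as substrings of the Sysmon "MD5=...,SHA256=..." Hashes field.
IOC_MAP = {
    "md5":    ({"category": "process_creation", "product": "windows"}, "Hashes|contains", lambda v: f"MD5={v}"),
    "sha256": ({"category": "process_creation", "product": "windows"}, "Hashes|contains", lambda v: f"SHA256={v}"),
    "ip-dst": ({"category": "network_connection", "product": "windows"}, "DestinationIp", str),
    "domain": ({"category": "dns_query", "product": "windows"}, "QueryName", str.lower),
}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def is_valid(ioc_type, value):
    """Reject values that would produce a never-matching or overly broad selection."""
    if ioc_type in ("md5", "sha256"):
        width = 32 if ioc_type == "md5" else 64
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % width, value) is not None
    if ioc_type == "ip-dst":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return _DOMAIN_RE.match(value.lower()) is not None
    return False


def build_rules(iocs, today=None):
    """Group IOCs per (logsource, field) so one rule carries many indicators."""
    today = today or date.today().isoformat()
    grouped, rejected = {}, []
    for ioc_type, value in iocs:
        if ioc_type not in IOC_MAP or not is_valid(ioc_type, value):
            rejected.append((ioc_type, value))
            continue
        logsource, field, fmt = IOC_MAP[ioc_type]
        key = (tuple(sorted(logsource.items())), field)
        grouped.setdefault(key, (logsource, []))[1].append(fmt(value))

    rules = []
    for (_, field), (logsource, values) in grouped.items():
        values = sorted(set(values))  # de-duplicate and keep output stable
        # Deterministic id: the same indicator set always yields the same rule id.
        rule_id = str(uuid.uuid5(uuid.NAMESPACE_URL, field + "|" + "|".join(values)))
        rules.append({
            "title": f"IOC sweep: {field.split('|')[0]} in {logsource['category']}",
            "id": rule_id,
            "status": "experimental",
            "description": f"Auto-generated from {len(values)} indicator(s); review before deployment.",
            "date": today,
            "logsource": dict(logsource),
            "detection": {"selection": {field: values}, "condition": "selection"},
            "level": "high",
        })
    return rules, rejected


def _scalar(v):
    return "'" + v.replace("'", "''") + "'" if isinstance(v, str) else str(v)


def _emit(value, indent=0):
    """Tiny YAML emitter for dicts, lists of scalars and scalars (fallback only)."""
    pad = "  " * indent
    if isinstance(value, dict):
        out = []
        for k, v in value.items():
            if isinstance(v, (dict, list)):
                out.append(f"{pad}{k}:")
                out.append(_emit(v, indent + 1))
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
        return "\n".join(out)
    return "\n".join(f"{pad}- {_scalar(v)}" for v in value)


def render(rules):
    """Serialise the rules as a multi-document YAML string."""
    if yaml is not None:
        docs = [yaml.safe_dump(r, sort_keys=False, default_flow_style=False) for r in rules]
    else:
        docs = [_emit(r) + "\n" for r in rules]
    return "---\n".join(docs)


if __name__ == "__main__":
    generated, dropped = build_rules(SAMPLE_IOCS)
    print(render(generated))
    for ioc in dropped:
        print(f"# rejected: {ioc}")
```

Running the script prints three rules (one per logsource/field pair) and reports the malformed md5 as rejected. The `date` field is written in ISO form; older Sigma rules use `YYYY/MM/DD`, so adjust to whichever your rule linter expects. Relationships between MISP objects are out of scope for this flat version; a natural extension is to emit one `selection` per object and combine them in `condition`.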

frack113 commented 2 years ago

Sorry, this post is closed automatically because it is no longer active.