WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Sigma organization by Mitre ATT&CK #150

Closed dan21san closed 9 months ago

dan21san commented 9 months ago

The idea is to organize the Sigma rules provided by repo SigmaHQ in folders by the Mitre ATT&CK tactics and techniques. The PR would integrate a simple python module.

alexkornitzer commented 9 months ago

Hi @dan21san,

Thank you for the PR, just a couple of questions so I can try and wrap my head around the need for this. Why would this sit in Chainsaw? Is it to make it easy to apply a subset of Sigma rules (i.e. run persistence rules only)? If so then I think it would be better to expand the hunt command to accept something like a pre-filter. If it really is just organisation then this PR should probably be filed against the Sigma repo and not here.

dan21san commented 9 months ago

Hi @alexkornitzer ,

The idea was born following the use of Chainsaw, and the possibility of being able to use sigma rules organized in the original folders. So I thought it would be interesting to be able to use the tool with sigma rules already organized by tactic (for example). But yes, you're right, I'll try to open a PR for Sigma as I think it could be useful to the community to be able to have the rules already divided by Mitre matrix.

alexkornitzer commented 9 months ago

Would you like to be able to pre-filter by tactic in hunt? So you can point chainsaw at the sigma rules folder and then do something like --prefilter 'mitre: TA0043'.
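Both ideas in this thread, sorting SigmaHQ rules into per-tactic folders and pre-filtering a rules folder by a tactic such as TA0043, rest on the same thing: reading the `attack.*` tags a Sigma rule carries. The script below is an added illustration written for this page; it is not the PR's Python module, not part of Chainsaw, and the three rules in `SAMPLE_RULES` are constructed stand-ins rather than real SigmaHQ rules. It assumes Sigma's tag convention (`attack.<tactic_name>` for tactics, `attack.tNNNN[.NNN]` for techniques) and uses a deliberately tiny `tags:` block reader so it runs without PyYAML; a real tool should parse the rule with a YAML library.

```python
"""Group and pre-filter Sigma rules by the ATT&CK tags they carry (added example)."""
import re
from collections import defaultdict
from pathlib import Path

# ATT&CK Enterprise tactic IDs keyed by Sigma's tactic tag names, so a filter
# can take either 'persistence' or 'TA0003'.
TACTIC_IDS = {
    "reconnaissance": "TA0043", "resource_development": "TA0042",
    "initial_access": "TA0001", "execution": "TA0002", "persistence": "TA0003",
    "privilege_escalation": "TA0004", "defense_evasion": "TA0005",
    "credential_access": "TA0006", "discovery": "TA0007",
    "lateral_movement": "TA0008", "collection": "TA0009",
    "command_and_control": "TA0011", "exfiltration": "TA0010", "impact": "TA0040",
}
ID_TO_TACTIC = {v: k for k, v in TACTIC_IDS.items()}
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed sample rules (not real SigmaHQ rules), trimmed to the fields used here.
SAMPLE_RULES = {
    "win_runkey_example.yml": """title: Example Run Key Persistence
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\\CurrentVersion\\Run\\'
    condition: selection
""",
    "win_nslookup_example.yml": """title: Example DNS Recon
tags:
    - attack.reconnaissance
    - attack.t1590.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\\nslookup.exe'
    condition: selection
""",
    "win_untagged_example.yml": """title: Example Without Tags
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\\whoami.exe'
    condition: selection
""",
}


def extract_tags(rule_text):
    """Return the entries of the top-level 'tags:' block list (minimal, no YAML lib)."""
    tags, in_tags = [], False
    for line in rule_text.splitlines():
        if re.match(r"^tags:\s*$", line):
            in_tags = True
            continue
        if in_tags:
            m = re.match(r"^\s+-\s*(\S+)\s*$", line)
            if not m:
                break  # first non-list line ends the block
            tags.append(m.group(1))
    return tags


def classify(tags):
    """Split ATT&CK tags into tactic names and upper-cased technique IDs (e.g. T1547.001)."""
    tactics, techniques = set(), set()
    for tag in tags:
        m = TECHNIQUE_RE.match(tag)
        if m:
            techniques.add(m.group(1).upper())
        elif tag.startswith("attack.") and tag[7:] in TACTIC_IDS:
            tactics.add(tag[7:])
    return tactics, techniques


def organize(rules):
    """Map tactic -> sorted rule names. A multi-tactic rule appears under each tactic;
    rules with no tactic tag go to '_untagged' so nothing is silently dropped."""
    tree = defaultdict(list)
    for name, text in rules.items():
        tactics, _ = classify(extract_tags(text))
        for tactic in tactics or {"_untagged"}:
            tree[tactic].append(name)
    return {k: sorted(v) for k, v in tree.items()}


def prefilter(rules, selector):
    """Select rules by 'TA0003', 'persistence' or a technique such as 'T1547'
    (a bare technique also matches its sub-techniques). Mirrors the --prefilter idea."""
    sel = selector.strip().upper()
    if sel in ID_TO_TACTIC:
        want_tactic, want_tech = ID_TO_TACTIC[sel], None
    elif sel.lower() in TACTIC_IDS:
        want_tactic, want_tech = sel.lower(), None
    elif re.fullmatch(r"T\d{4}(\.\d{3})?", sel):
        want_tactic, want_tech = None, sel
    else:
        raise ValueError(f"unrecognised ATT&CK selector: {selector}")
    chosen = []
    for name, text in rules.items():
        tactics, techniques = classify(extract_tags(text))
        if want_tactic and want_tactic in tactics:
            chosen.append(name)
        elif want_tech and any(t == want_tech or t.startswith(want_tech + ".") for t in techniques):
            chosen.append(name)
    return sorted(chosen)


def write_tree(rules, dest):
    """Materialise organize() as <dest>/<tactic>/<rule>.yml; returns the paths written."""
    written = []
    for tactic, names in organize(rules).items():
        folder = Path(dest) / tactic
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_text(rules[name])
            written.append((folder / name).relative_to(dest).as_posix())
    return sorted(written)


if __name__ == "__main__":
    for tactic, names in organize(SAMPLE_RULES).items():
        print(f"{tactic:22} {names}")
    print("TA0043 ->", prefilter(SAMPLE_RULES, "TA0043"))
```

Running it prints one line per tactic folder plus the rules that a `TA0043` pre-filter would keep. Two design points carry over to either approach in the thread: a rule tagged with several tactics has to be duplicated (or symlinked) across folders, whereas an in-tool pre-filter just matches tags, and untagged rules need an explicit home or a filtered hunt will quietly skip them.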

dan21san commented 9 months ago

Honestly, I have never written anything in Rust :) . I think I'll open the PR to SIGMA as you also suggested, but I think it could also be an interesting feature in Chainsaw hunt. I might study the code and implement it.

alexkornitzer commented 9 months ago

Okay, well let me know if you need any assistance. I'll go ahead and close this PR out, hope you don't mind.