Open adonm opened 7 months ago
Basic extraction works. Thoughts are to have a few templates for different IoCs and generate a Sigma detection with sane defaults, then make it easy to tweak metadata and generate queries from it.
Also it would be nice to use something similar to https://github.com/3CORESec/SIEGMA/blob/master/rule_file_creator_scripts/ala_rule.py to enable generation of Sentinel ARM templates directly (this would be very handy for ad hoc maintenance of detection logic in https://learn.microsoft.com/en-us/azure/sentinel/ci-cd?tabs=github repository-managed templates).
Also should review Introducing SigmaHQ Rule Creation GUI: https://blog.sigmahq.io/introducing-sigmahq-rule-creation-gui-ff68d70cda21
Work out how to use something like https://msticpy.readthedocs.io/en/latest/data_analysis/IoCExtract.html to rip IoCs out of any old text and make a basic Sigma rule that could be the basis of STIX / other types of queries.
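As an added example (not code from this issue or the project it belongs to), the sketch below shows the pipeline the post describes: pull IoCs out of free text, then emit one starter Sigma rule per IoC type with conservative default metadata. The regex extractor is a minimal stand-in for a library such as msticpy's IoCExtract, the per-type Sigma logsource/field templates are assumed defaults rather than anything the project defines, and the sample text is constructed.

```python
"""Extract IoCs from free text and turn them into starter Sigma rules.

Added example: the regexes stand in for a real extractor (e.g. msticpy
IoCExtract) and the per-type Sigma templates are assumed defaults.
"""
import re
import uuid
from datetime import date
from urllib.parse import urlparse

# Undo common analyst defanging so the patterns see real indicators.
_REFANG = [(r"hxxp", "http"), (r"\[\.\]|\(\.\)|\{\.\}", "."), (r"\[:\]", ":")]

_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Assumed templates: Sigma logsource, the field each value lands in, and how
# the value is formatted (Sysmon stores hashes as "SHA256=<hex>").
_TEMPLATES = {
    "ipv4": ({"category": "network_connection", "product": "windows"}, "DestinationIp", "{}"),
    "domain": ({"category": "dns_query", "product": "windows"}, "QueryName", "{}"),
    "url": ({"category": "proxy"}, "c-uri|contains", "{}"),
    "sha256": ({"category": "process_creation", "product": "windows"}, "Hashes|contains", "SHA256={}"),
}


def refang(text: str) -> str:
    for pattern, repl in _REFANG:
        text = re.sub(pattern, repl, text, flags=re.IGNORECASE)
    return text


def extract_iocs(text: str) -> dict:
    """Return {ioc_type: sorted unique values} for the types found in text."""
    text = refang(text)
    found = {"url": set(), "ipv4": set(), "sha256": set(), "domain": set()}
    for url in _PATTERNS["url"].findall(text):
        url = url.rstrip(".,;)")  # trailing punctuation from surrounding prose
        found["url"].add(url)
        host = urlparse(url).hostname or ""
        if _PATTERNS["domain"].fullmatch(host):
            found["domain"].add(host.lower())
    found["ipv4"] |= {ip for ip in _PATTERNS["ipv4"].findall(text)
                      if all(int(o) <= 255 for o in ip.split("."))}
    found["sha256"] |= {h.lower() for h in _PATTERNS["sha256"].findall(text)}
    # Bare domains are matched only outside URLs so path parts like gate.php are skipped.
    bare = _PATTERNS["url"].sub(" ", text)
    found["domain"] |= {d.lower() for d in _PATTERNS["domain"].findall(bare)}
    return {k: sorted(v) for k, v in found.items() if v}


def build_sigma_rules(iocs: dict, title: str, author: str = "analyst",
                      level: str = "medium", rule_date: str = None) -> list:
    """One Sigma rule per IoC type. The id is a UUIDv5 of title and type, so
    regenerating from updated text keeps a stable id for repo-managed templates."""
    rules = []
    for ioc_type, values in iocs.items():
        logsource, field, fmt = _TEMPLATES[ioc_type]
        rules.append({
            "title": f"{title} - {ioc_type} indicators",
            "id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{title}/{ioc_type}")),
            "status": "experimental",
            "description": f"Auto-generated from extracted {ioc_type} IoCs; review before deploying.",
            "author": author,
            "date": rule_date or date.today().isoformat(),
            "logsource": logsource,
            "detection": {"selection": {field: [fmt.format(v) for v in values]},
                          "condition": "selection"},
            "falsepositives": ["Unknown"],
            "level": level,
        })
    return rules


def to_yaml(obj, indent: int = 0) -> str:
    """Minimal YAML emitter for the dict/list/scalar structure built above."""
    pad, out = "  " * indent, []
    items = obj.items() if isinstance(obj, dict) else [(None, v) for v in obj]
    for key, val in items:
        lead = f"{pad}{key}:" if key is not None else f"{pad}-"
        if isinstance(val, (dict, list)):
            out.extend([lead, to_yaml(val, indent + 1)])
        else:
            out.append(f"{lead} '{str(val).replace(chr(39), chr(39) * 2)}'")
    return "\n".join(out)


# Constructed sample report text (documentation IP range, reserved .test TLD).
SAMPLE_TEXT = """Beacon observed to hxxp://evil-example[.]test/gate.php
from 203[.]0[.]113[.]45; dropper SHA256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"""

if __name__ == "__main__":
    rules = build_sigma_rules(extract_iocs(SAMPLE_TEXT), "Campaign X")
    print("\n---\n".join(to_yaml(r) for r in rules))
</test>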