redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.
MIT License

Add Sigma Support for S1 PQ and Cortex #141

Closed rc-csmith closed 1 year ago

rc-csmith commented 1 year ago

Changes

TreWilkinsRC commented 1 year ago

Looks good! Tested with the following rule.
status: test
description: Detects PowerShell Use
author: 'Test'
date: 2023/07/28
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|contains:
            - 'powershell.exe'
    condition: selection
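The rule above was tested by hand against the new backends. As an added example that is not surveyor's code, pySigma's, or the PR author's, the Python below loads a Sigma rule from the small YAML subset such rules use, checks the fields the Sigma specification requires (the posted rule has no `title`, which the check reports rather than guessing one), and expands the `condition` into a filter expression. The output syntax (`<field> <op> "<value>"`, joined with `and`/`or`/`not`) is a hypothetical, backend-neutral form chosen for illustration, not the S1 PowerQuery or Cortex query that surveyor emits; the second rule is constructed to exercise several selections, the `all` modifier and `not`.

```python
import re

# Rule posted in the thread, embedded here as constructed input. Sigma requires
# `title`, which this rule lacks; validate() reports that rather than guessing one.
SAMPLE_RULE = """\
status: test
description: Detects PowerShell Use
author: 'Test'
date: 2023/07/28
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|contains:
            - 'powershell.exe'
    condition: selection
"""

# Constructed rule exercising several selections, the `all` modifier and `not`.
MULTI_RULE = r"""
title: Constructed multi-selection rule
logsource:
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    selection_args:
        CommandLine|contains|all:
            - '-NoProfile'
            - '-NonInteractive'
    filter:
        ParentImage|endswith: '\explorer.exe'
    condition: selection_img and selection_args and not filter
"""

REQUIRED_FIELDS = ("title", "logsource", "detection")
# Sigma value modifiers -> operators of the hypothetical output syntax (assumption).
OPS = {"contains": "contains", "startswith": "startswith", "endswith": "endswith", "re": "matches"}

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"" else s

def parse_yaml_subset(text):
    """Nested mappings, scalars and '- item' lists by indentation; not full YAML."""
    root = {}
    stack = [(-1, {"root": root}, "root")]  # (indent, holder, key): holder[key] is being filled
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        while stack[-1][0] >= indent:  # a dedent closes the deeper blocks
            stack.pop()
        holder, key = stack[-1][1], stack[-1][2]
        if line.startswith("- "):  # sequence item under the open key
            if holder[key] is None:
                holder[key] = []
            holder[key].append(_unquote(line[2:]))
            continue
        if holder[key] is None:  # first child of a mapping
            holder[key] = {}
        k, _, v = line.partition(":")
        holder[key][k.strip()] = _unquote(v) if v.strip() else None
        if not v.strip():  # a nested block follows on a deeper indent
            stack.append((indent, holder[key], k.strip()))
    return root

def validate(rule):
    """Return the required Sigma fields that are missing (empty list: complete)."""
    missing = [f for f in REQUIRED_FIELDS if f not in rule]
    if "condition" not in (rule.get("detection") or {}):
        missing.append("detection.condition")
    return missing

def _render_term(field, mods, value):
    # Hypothetical syntax `<field> <op> "<value>"`; not what surveyor emits for S1 PQ or Cortex.
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    op = next((OPS[m] for m in mods if m in OPS), "==")
    return f'{field} {op} "{value}"'

def render_selection(selection):
    """AND the field specs of one selection; OR a list's values unless `all` is set."""
    clauses = []
    for spec, values in selection.items():
        field, *mods = spec.split("|")
        values = values if isinstance(values, list) else [values]
        clauses.append((" and " if "all" in mods else " or ").join(_render_term(field, mods, v) for v in values))
    return clauses[0] if len(clauses) == 1 else " and ".join(f"({c})" for c in clauses)

def translate(rule):
    """Expand selection names in the condition; supports and/or/not and parentheses."""
    detection, out = rule["detection"], []
    for tok in re.findall(r"\(|\)|[^\s()]+", detection["condition"]):
        if tok in ("and", "or", "not", "(", ")"):
            out.append(tok)
        elif tok in detection and tok != "condition":
            out.append(f"({render_selection(detection[tok])})")
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    return " ".join(out)
```

`translate(parse_yaml_subset(SAMPLE_RULE))` yields `(Image contains "powershell.exe")`, and `validate` on the same rule returns `["title"]`; conditions such as `1 of them` are outside the supported subset and raise `ValueError` instead of producing a wrong query.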