wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Add more rules config file #1

Closed shino-337 closed 3 years ago

shino-337 commented 3 years ago

I see the example have rules_medium_sysmon_performance_v3.json, so where I can find it

wagga40 commented 3 years ago

This was a test ruleset; it is the same as "rules_windows_sysmon.json", available in the rules directory of the repository: here. Thanks for pointing it out, I will update the Readme accordingly. You can also generate new rulesets with the genRules tools available in the tools directory.

shino-337 commented 3 years ago

I used genRules.py to generate rules.json: python3 genRules.py --rulesdirectory=sigma/rules/windows/ --config=config/sysmon.yml --sigmac=sigma/tools/sigmac and used zircolite with the rules.json file. When I try to view the data.js of "PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx" with the GUI, the GUI shows only one event.

wagga40 commented 3 years ago

The mini-GUI only shows detected events; it is not meant to replace tools like Splunk or ELK. If you use it on the full EVTX-ATTACK-SAMPLES repository (by specifying a directory as argument and not an evtx file) the mini-GUI will display a lot of detected events. I have not tested yet, but the samples you used must trigger only one rule in the sigma ruleset. By the way, thanks to you I’ve updated the rulesets to new ones yesterday 👍
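To illustrate the point made in this thread (only events that match a rule ever reach the output, so a sample that fires one rule yields one event), here is an added example that is not Zircolite's own code: it mimics the tool's approach of loading flattened events into an in-memory SQLite table and running each rule's SQL queries against it. The rule file shape (a JSON list whose "rule" key holds SQLite queries) and all event values are constructed assumptions for this example.

```python
import json
import sqlite3

# Constructed sample events, already flattened the way EVTX JSON is flattened
# before matching (one column per field). Field names follow the Sysmon/EVTX
# convention; the values are invented for this example.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"Channel": "Security", "EventID": 4624, "Image": None, "CommandLine": None},
]

# Constructed ruleset (assumption: a JSON list of rules, each with a list of
# SQLite queries under "rule", as a converted Sigma ruleset would carry).
SAMPLE_RULES = json.loads("""[
  {"title": "Whoami Execution", "level": "low",
   "rule": ["SELECT * FROM logs WHERE CommandLine LIKE '%whoami%'"]},
  {"title": "Never Matches", "level": "high",
   "rule": ["SELECT * FROM logs WHERE Image LIKE '%mimikatz%'"]}
]""")

def load_events(events):
    """Create an in-memory SQLite table with one column per distinct field."""
    columns = sorted({k for e in events for k in e})
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (%s)" % ", ".join('"%s"' % c for c in columns))
    placeholders = ", ".join("?" for _ in columns)
    db.executemany("INSERT INTO logs VALUES (%s)" % placeholders,
                   [tuple(e.get(c) for c in columns) for e in events])
    return db

def run_rules(db, rules):
    """Run every query of every rule; return {rule title: [matched rows]}."""
    db.row_factory = sqlite3.Row
    hits = {}
    for rule in rules:
        rows = []
        for query in rule["rule"]:
            rows.extend(dict(r) for r in db.execute(query))
        if rows:  # rules that never fire produce nothing, so nothing is shown
            hits[rule["title"]] = rows
    return hits

def detect(events=SAMPLE_EVENTS, rules=SAMPLE_RULES):
    """Match the constructed ruleset against the constructed events."""
    return run_rules(load_events(events), rules)

if __name__ == "__main__":
    for title, rows in detect().items():
        print("%s: %d event(s)" % (title, len(rows)))
```

Of the three events loaded, only the one matching "Whoami Execution" is reported, which is the behaviour described for the mini-GUI.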