Closed shino-337 closed 3 years ago
This was a test ruleset, it is the same as "rules_windows_sysmon.json" available in the rules directory of the repository: here. Thanks for pointing it out, I will update the Readme accordingly. You can also generate new rulesets with the genRules tool available in the tools directory.
I used genRules.py to generate rules.json:
python3 genRules.py --rulesdirectory=sigma/rules/windows/ --config=config/sysmon.yml --sigmac=sigma/tools/sigmac
and used Zircolite with the rules.json file. So when I try to view the data.js of "PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx" with the GUI, the GUI just shows only one event.
The mini-GUI only shows detected events, it is not meant to replace tools like Splunk or ELK. If you use it on the full EVTX-ATTACK-SAMPLES repository (by specifying a directory as argument and not an evtx file) the mini-GUI will display a lot of detected events. I have not tested yet but the sample you used must trigger only one rule in the sigma ruleset. By the way, thanks to you I’ve updated the rulesets to new ones yesterday 👍
I see the example has rules_medium_sysmon_performance_v3.json, so where can I find it?