wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Sigma Rule ID Included in Results #31

Closed teddy-ROxPin closed 2 years ago

teddy-ROxPin commented 2 years ago

Currently, when I run Zircolite using the 'exportForSplunk' template each event that is generated contains the Sigma rule title and description, along with the information from the relevant evtx entry. Would you please consider adding the Sigma rule id to each event as well? Having that unique id would be helpful with some automation efforts.
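The shape of the enrichment being requested, as an added illustration that is not Zircolite's own code or template: each flattened event record gets the matching rule's title, description and id, and a consumer can then validate and group on the id. The field names (`rule_title`, `rule_description`, `rule_id`), the placeholder rule id and the two sample events are assumptions constructed for this example.

```python
"""Added example (not part of Zircolite): carry a Sigma rule id into every
exported event record, then check and group on it the way downstream
automation would. Field names and sample data are assumptions."""
import json
import uuid

# Constructed sample: one Sigma rule trimmed to its metadata fields.
# The id is a placeholder UUID, not a real rule id.
SAMPLE_RULE = {
    "title": "Example detection",
    "id": "00000000-0000-4000-8000-000000000001",
    "description": "Constructed rule used only for this example.",
}

# Constructed sample: two flattened events the rule is assumed to have matched.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "host-a.example", "CommandLine": "whoami"},
    {"EventID": 4688, "Computer": "host-b.example", "CommandLine": "hostname"},
]


def export_for_splunk(rule, events):
    """Return one JSON line per matched event, enriched with the rule's
    title, description and id (assumed field names)."""
    lines = []
    for event in events:
        record = dict(event)  # copy so the caller's event is not mutated
        record["rule_title"] = rule["title"]
        record["rule_description"] = rule.get("description", "")
        record["rule_id"] = rule["id"]
        lines.append(json.dumps(record, sort_keys=True))
    return lines


def _valid_rule_id(value):
    """Sigma rule ids are UUIDs; accept only a string that parses as one."""
    if not isinstance(value, str):
        return False
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def missing_rule_ids(jsonl_lines):
    """Return indexes of records whose rule_id is absent or not a UUID.
    A consumer keying on the id should reject or quarantine these."""
    bad = []
    for i, line in enumerate(jsonl_lines):
        record = json.loads(line)
        if not _valid_rule_id(record.get("rule_id")):
            bad.append(i)
    return bad


def count_by_rule_id(jsonl_lines):
    """Group exported records by rule_id, e.g. to feed a per-rule metric."""
    counts = {}
    for line in jsonl_lines:
        rid = json.loads(line).get("rule_id")
        counts[rid] = counts.get(rid, 0) + 1
    return counts


if __name__ == "__main__":
    exported = export_for_splunk(SAMPLE_RULE, SAMPLE_EVENTS)
    for line in exported:
        print(line)
    print("records missing a rule id:", missing_rule_ids(exported))
    print("records per rule id:", count_by_rule_id(exported))
```

Validating the id before grouping is what makes the field useful for automation: a record exported by an older template without the id, or with a malformed one, is surfaced instead of silently landing in a `None` bucket.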

wagga40 commented 2 years ago

Hi, no problem. I've just tested it; I will update the template and add a field in the code.

teddy-ROxPin commented 2 years ago

Thank you!

wagga40 commented 2 years ago

Sorry for the delay, I was not at home. The last commit contains the change and I've added a new template here.