Closed joshnck closed 2 years ago
Hey @joshnck , thanks for raising this.
I will look at including a UUID of sorts.
Regarding the date format - if this is a huge problem I can of course change it, however, the current date field is compliant with the YAML standard as it follows ISO-8601. Ideally your parser would use standard YAML date/datetime parsers in order to obtain the correct date, rather than relying on a strict string-based format. Hope that makes sense
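As an added example (not joshnck's script and not HijackLibs' own code), the approach this comment suggests, in Python with PyYAML: let the YAML parser turn the ISO-8601 `date` into a date object, then emit the yyyy/mm/dd form a strict downstream converter expects. The sample rule, the `uuid5`-from-title stand-in id and its namespace are assumptions for illustration only.

```python
# Added example: normalise a Sigma rule's `date` via the YAML parser's own
# ISO-8601 handling, and supply a stand-in `id` when the feed has none.
import datetime as dt
import uuid
import yaml  # PyYAML

# Constructed sample rule mirroring the issue: no `id`, and an unquoted
# ISO-8601 date that yaml.safe_load turns into a datetime.date object.
SAMPLE_RULE = r"""
title: Suspicious DLL Load Path (constructed sample)
status: experimental
date: 2023-01-15
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '\example.dll'
  condition: selection
"""

# Assumed namespace for deterministic stand-in ids; not a HijackLibs convention.
ID_NAMESPACE = uuid.NAMESPACE_URL


def normalise_date(value) -> str:
    """Return the rule date as yyyy/mm/dd regardless of how YAML parsed it."""
    if isinstance(value, dt.datetime):   # datetime subclasses date: check it first
        value = value.date()
    elif isinstance(value, str):         # quoted or non-ISO dates arrive as strings
        for fmt in ("%Y-%m-%d", "%Y/%m/%d"):
            try:
                value = dt.datetime.strptime(value, fmt).date()
                break
            except ValueError:
                continue
        else:
            raise ValueError(f"unrecognised date format: {value!r}")
    elif not isinstance(value, dt.date):
        raise TypeError(f"unexpected date type: {type(value).__name__}")
    return value.strftime("%Y/%m/%d")


def prepare_rule(text: str) -> dict:
    """Parse a Sigma rule, rewrite its date, and add a stable id if missing."""
    rule = yaml.safe_load(text)
    rule["date"] = normalise_date(rule["date"])
    # Stand-in only: derive a repeatable UUID from the title when no id exists.
    rule.setdefault("id", str(uuid.uuid5(ID_NAMESPACE, rule["title"])))
    return rule
```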
I took a slightly different approach and just modified the date field as I parsed your feed - (https://github.com/joshnck/Sigma_Rules/blob/main/scripts/get-hijacklibs-sigma-rules.ps1) .
Thanks for the feedback though - I'll look into modifying the actual PySigma parser that we have implemented.
Great, let me know how you get on - 1b2eee243739d4e0718f499cf93545dba1e552b0 introduced ID fields for all Sigma entries on HijackLibs, so if you can make parsing the date field work, this issue can be closed.
Thanks for the update!
I'm working on parsing your Sigma feed into rules that we convert internally into Splunk queries and there are two primary formatting problems with the sigma rules here:
1. They do not include a UUID
2. The date format should be yyyy/mm/dd instead of yyyy-mm-dd