Log Entry to Sigma Rule Converter
It takes a log entry from a file and tries to create a Sigma rule. It is optimized for the XML format of Windows EVTX event logs but can be easily modified to support more log formats by adding a new regular expression for the respective log type.
The current state is "alpha". It's more like a public POC so that others can learn and extend.
usage: evt2sigma.py [-h] [-f file] [-o out-file] [-fc field-count] [--debug]
[--trace] [-a] [-r] [-l] [-t] [-d] [-p] [-s] [-c]
Event 2 Sigma Converter
optional arguments:
-h, --help show this help message and exit
-f file Read the log entry from a file
-o out-file Write rule to an output file
-fc field-count use the top X fields
--debug Debug output
--trace Trace output
Fields:
-a Author name
-r Reference
-l Level
-t Title
-d Description
-p Product (e.g. windows, linux)
-s Service (e.g. security, sysmon)
-c Category (e.g. proxy)
