evt2sigma

Log Entry to Sigma Rule Converter

What it does

It takes a log entry from a file and tries to create a Sigma rule. It is optimized for the XML format of Windows EVTX event logs but can be easily modified to support more log formats by adding a new regular expression for the respective log type.

Status

The current state is "alpha". It's more like a public POC so that others can learn and extend.

Usage

usage: evt2sigma.py [-h] [-f file] [-o out-file] [-fc field-count] [--debug]
                    [--trace] [-a] [-r] [-l] [-t] [-d] [-p] [-s] [-c]

Event 2 Sigma Converter

optional arguments:
  -h, --help       show this help message and exit
  -f file          Read the log entry from a file
  -o out-file      Write rule to an output file
  -fc field-count  use the top X fields
  --debug          Debug output
  --trace          Trace output

Fields:
  -a               Author name
  -r               Reference
  -l               Level
  -t               Title
  -d               Description
  -p               Product (e.g. windows, linux)
  -s               Service (e.g. security, sysmon)
  -c               Category (e.g. proxy)

Name	Latest commit message	Commit time
Failed to load latest commit information.
screenshots	First screenshot	May 26, 2018
tests	Initial release	May 26, 2018
.gitignore	Updated .gitignore	May 26, 2018
LICENSE	Initial commit	May 26, 2018
README.md	First README	May 26, 2018
evt2sigma.py
requirements.txt	Initial release	May 26, 2018

Neo23x0 / evt2sigma

README.md

evt2sigma

What it does

Status

Usage

Screenshot

Neo23x0 / evt2sigma

Join GitHub today

Clone with HTTPS

Downloading

Launching GitHub Desktop

Launching GitHub Desktop

Launching Xcode

Launching Visual Studio

README.md

evt2sigma

What it does

Status

Usage

Screenshot