Merge pull request #76 from wagga40/gui-bug
Correct a bug in MiniGUI
wagga40 committed Mar 29, 2024
2 parents 08892e6 + 86baa66 commit ebeca51
Showing 16 changed files with 2,114 additions and 1,830 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -32,7 +32,7 @@ Help is available with `zircolite.py -h`. If your EVTX files have the extension

```shell
# python3 zircolite.py --evtx <EVTX FOLDER or EVTX FILE> --ruleset <SIGMA RULESET> [--ruleset <OTHER RULESET>]
python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon.json
python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon_pysigma.json
```

The SYSMON ruleset employed is a default one, intended for analyzing logs from endpoints with SYSMON installed.
Expand All @@ -42,7 +42,7 @@ The SYSMON ruleset employed is a default one, intended for analyzing logs from e
```shell
python3 zircolite.py --events auditd.log --ruleset rules/rules_linux.json --auditd
python3 zircolite.py --events sysmon.log --ruleset rules/rules_linux.json --sysmon4linux
python3 zircolite.py --events <JSON_FOLDER or JSON_FILE> --ruleset rules/rules_windows_sysmon.json --jsononly
python3 zircolite.py --events <JSON_FOLDER or JSON_FILE> --ruleset rules/rules_windows_sysmon_pysigma.json --jsononly
```

:information_source: If you want to try the tool you can test with [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) (EVTX Files).
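Review bot: every example now points at `rules/rules_windows_sysmon_pysigma.json`, but none of the visible hunks adds that file under `rules/` or removes `rules/rules_windows_sysmon.json`; confirm the pysigma-converted ruleset ships in this commit and state in the README whether the old file is still provided, since users' scripts and the Docker examples reference the old name.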
28 changes: 14 additions & 14 deletions docs/Advanced.md
Expand Up @@ -27,7 +27,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
```shell
find <CASE_DIRECTORY> -maxdepth 1 -mindepth 1 -type d | \
parallel --bar python3 zircolite.py --evtx {} \
--ruleset rules/rules_windows_sysmon.json --outfile {/.}.json
--ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
```

One downside of this mode is that if you have less computer evidences than CPU Cores, they all will not be used.
Expand All @@ -39,7 +39,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
```shell
find <CASE_DIRECTORY> -type f -name "*.| \
parallel -j -1 --progress python3 zircolite.py --evtx {} \
--ruleset rules/rules_windows_sysmon.json --outfile {/.}.json
--ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
```

In this example the `-j -1` is for using all cores but one. You can adjust the number of used cores with this arguments.
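Review bot: the context line `find <CASE_DIRECTORY> -type f -name "*.| \` is truncated (the quoted pattern never closes and the `evtx` suffix is missing), so the example fails as written; since this block is being edited anyway, restore it to `find <CASE_DIRECTORY> -type f -name "*.evtx" | \`. Minor: "with this arguments" should read "with this argument".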
Expand Down Expand Up @@ -70,20 +70,20 @@ To speed up the detection process, you may want to use Zircolite on files matchi
- Only use EVTX files that contains "sysmon" in their names

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--select sysmon
```
- Exclude "Microsoft-Windows-SystemDataArchiver%4Diagnostic.evtx"

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--avoid systemdataarchiver
```

- Only use EVTX files with "operational" in their names but exclude "defender" related logs

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--select operational --avoid defender
```
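Review bot: the `--avoid systemdataarchiver` example is meant to exclude `Microsoft-Windows-SystemDataArchiver%4Diagnostic.evtx`, which only works if `--select` and `--avoid` match case-insensitively; say so explicitly next to these examples so readers do not assume an exact, case-sensitive substring match.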

Expand All @@ -92,7 +92,7 @@ For example, the **Sysmon** ruleset available in the `rules` directory only use
So if you use the sysmon ruleset with the following rules, it should speed up `Zircolite`execution :

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
--select sysmon --select security.evtx --select system.evtx \
--select application.evtx --select Windows-NTLM --select DNS \
--select powershell --select defender --select applocker \
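Review bot: the `--select` list in this block (sysmon, security.evtx, system.evtx, application.evtx, Windows-NTLM, DNS, powershell, defender, applocker, ...) was derived from the channels the previous Sysmon ruleset used, as the paragraph above explains; now that the example points at the pysigma-converted ruleset, re-check the list against the channels the new rules actually reference, otherwise these selectors silently drop events the new ruleset would have matched.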
Expand All @@ -113,14 +113,14 @@ Examples :
- Select all events between the 2021-06-02 22:40:00 and 2021-06-02 23:00:00 :

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
-A 2021-06-02T22:40:00 -B 2021-06-02T23:00:00
```

- Select all events after the 2021-06-01 12:00:00 :

```shell
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
-A 2021-06-01T12:00:00
```

Expand All @@ -132,7 +132,7 @@ The filter will apply on the rule title. To avoid unexpected side-effect **compa

```shell
python3 zircolite.py --evtx logs/ \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
-R MSHTA
```

Expand Down Expand Up @@ -160,7 +160,7 @@ If you forward your events to a central collector you can disable local logging
If you have multiple endpoints to scan, it is useful to send the detected events to a central collector. As of v1.2, Zircolite can forward detected events to an HTTP server :

```shell
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--remote "http://address:port/uri"
```
An **example** server called is available in the [tools](https://github.com/wagga40/Zircolite/tree/master/tools/zircolite_server/) directory.
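Review bot: the forwarding example uses a plain `http://address:port/uri` endpoint, which sends detections (including full process command lines) unencrypted across the network; document that a TLS endpoint is expected in production, or show `https://` in the example. Also, the sentence "An **example** server called is available" is missing the server's name.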
Expand All @@ -173,7 +173,7 @@ As of v1.3.5, Zircolite can forward detections to a Splunk instance with Splunk
2. Get your token and you are ready to go :

```shell
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
[--index myindex]
```
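Review bot: the Splunk example passes the HEC token as `--token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"` on the command line, where it ends up in shell history and is visible to other local users through the process list; note that in the docs, and if Zircolite can read the token from an environment variable or a file, show that form instead.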
Expand All @@ -187,7 +187,7 @@ Since Splunk HEC default to the first associated index, `--index` is optional bu
As of version 2.8.0, Zircolite can forward events to an ELK stack using the ES client.

```shell
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--remote "https://x.x.x.x:8088" --index "zircolite-whatever" \
--eslogin "yourlogin" --espass "yourpass"
```
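Review bot: the ELK example keeps `--remote "https://x.x.x.x:8088"`, copied from the Splunk example above; 8088 is Splunk HEC's default port, while Elasticsearch listens on 9200 by default, so the example should use a port that matches the ES client it says it uses. The command-line credential concern from the Splunk example applies equally to `--espass "yourpass"`.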
Expand All @@ -214,7 +214,7 @@ Zircolite provides a templating system based on Jinja 2. It allows you to change
- `--templateOutput <output_filename>`

```shell
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--template templates/exportForSplunk.tmpl --templateOutput exportForSplunk.json
```

Expand All @@ -237,7 +237,7 @@ You need to generate a `data.js` file with the `exportForZircoGui.tmpl` template

```shell
python3 zircolite.py --evtx sample.evtx
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--template templates/exportForZircoGui.tmpl --templateOutput data.js
7z x gui/zircogui.zip
mv data.js zircogui/
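Review bot: the first line of this block, `python3 zircolite.py --evtx sample.evtx`, has no trailing `\`, so the following `--ruleset ...` line runs as a separate, failing command; add the continuation backslash while the block is being touched.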
14 changes: 7 additions & 7 deletions docs/Usage.md
Expand Up @@ -86,10 +86,10 @@ Multiple rulesets can be specified, results can be per-ruleset or combined (with

```shell
# Example with a Zircolite ruleset and a Sigma rule. Results will be displayed per-ruleset
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--ruleset schtasks.yml
# Example with a Zircolite ruleset and a Sigma rule. Results will be displayed combined
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \
python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
--ruleset schtasks.yml --combine-rulesets
```

Expand All @@ -107,7 +107,7 @@ If your evtx files have the extension ".evtx" :
```shell
python3 zircolite.py --evtx <EVTX_FOLDER/EVTX_FILE> \
--ruleset <Converted Sigma ruleset (JSON)/Directory with Sigma rules (YAML)/>
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon_pysigma.json
```

### XML logs
Expand Down Expand Up @@ -140,7 +140,7 @@ And it produces something like this (1 event per line):
```shell
python3 zircolite.py --events <LOGS_FOLDER_OR_LOG_FILE> --ruleset <RULESET> --xml
python3 zircolite.py --events Microsoft-Windows-SysmonOperational.xml \
--ruleset rules/rules_windows_sysmon_full.json --xml
--ruleset rules/rules_windows_sysmon_pysigma.json --xml
```
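Review bot: this is the only example that referenced `rules/rules_windows_sysmon_full.json`, and it is replaced by the same `_pysigma` file that replaces `rules_windows_sysmon.json` everywhere else; if the "full" ruleset was a distinct, larger set, say whether it still exists in `rules/` and what supersedes it, otherwise users relying on that coverage lose it without noticing.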

### EVTXtract logs
Expand Down Expand Up @@ -552,7 +552,7 @@ docker build . -t <Image name>
docker container run --tty \
--volume <Logs folder>:/case
wagga40/zircolite:latest \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--events /case \
--outfile /case/detected_events.json
```
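Review bot: `--volume <Logs folder>:/case` has no trailing `\`, so `wagga40/zircolite:latest` and the arguments after it are not part of the `docker container run` command; add the continuation backslash. Consider also mounting the evidence read-only and writing results to a separate volume, as the next example does with `-v <EVTX folder>:/case/input:ro` and `-v <Results folder>:/case/output`, so the run cannot modify the input logs.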
Expand All @@ -575,7 +575,7 @@ docker run --rm --tty \
-v <EVTX folder>:/case/input:ro \
-v <Results folder>:/case/output \
wagga40/zircolite:latest \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--events /case/input \
-o /case/output/detected_events.json
```
Expand All @@ -587,6 +587,6 @@ You can use the Docker image available on [Docker Hub](https://hub.docker.com/r/
```shell
docker container run --tty \
--volume <EVTX folder>:/case docker.io/wagga40/zircolite:lastest \
--ruleset rules/rules_windows_sysmon.json \
--ruleset rules/rules_windows_sysmon_pysigma.json \
--evtx /case --outfile /case/detected_events.json
```
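Review bot: the image tag in `docker.io/wagga40/zircolite:lastest` is misspelled (`lastest`), so the pull fails; it should be `latest`, matching the other Docker examples. This example also mounts the evidence folder read-write and writes `detected_events.json` into it; the earlier example's `:ro` input mount with a separate output mount is the safer pattern for case data.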
Binary file modified docs/Zircolite_manual.pdf
Binary file not shown.
Binary file modified gui/zircogui.zip
Binary file not shown.
0 comments on commit ebeca51
