
Releases: SigmaHQ/sigma

sigmatools 0.19

28 Feb 20:44

Added

  • New parameters for Elastic backends
  • Various field mappings
  • FireEye Helix backend
  • Generic log source image_load
  • Kibana NDJSON backend
  • uberAgent ESA backend
  • SumoLogic CSE backend

Changed

  • Updated mdatp backend fields
  • QRadar query generation optimized
  • MDATP: case insensitive search

Fixed

  • QRadar implementation now creates valid AQL queries
  • Nested conditions
  • Various minor bug fixes

sigmatools 0.18.1

25 Aug 22:10

Note regarding version 0.18.1: release created for technical reasons (issues with extended README and PyPI), no real changes done to 0.18.0.

Added

  • C# backend
  • STIX backend
  • Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and others)
  • More generic log sources
  • Windows Defender log sources
  • Generic DNS query log source
  • AppLocker log source

Changed

  • Improved backend and configuration descriptions
  • Microsoft Defender ATP mapping updated
  • Improved handling of wildcards in Elastic backends

Fixed

  • PowerShell backend: key name was incorrectly added into regular expression
  • Grouping issue in Carbon Black backend
  • Handling of default field mapping when a field is referenced multiple times from a rule
  • Code cleanup and various fixes
  • Log source mappings in configurations
  • Handling of conditional field mappings by Elastic backends

sigmatools 0.17.0

12 Jun 23:28

Added

  • LOGIQ Backend (logiq)
  • CarbonBlack backend (carbonblack) and field mappings
  • Elasticsearch detection rule backend (es-rule)
  • ee-outliers backend
  • CrowdStrike backend (crowdstrike)
  • Humio backend (humio)
  • Aggregations in SQL backend
  • SQLite backend (sqlite)
  • AWS Cloudtrail ECS mappings
  • Overrides
  • Zeek configurations for various backends
  • Case-insensitive matching for Elasticsearch
  • ECS proxy mappings
  • RuleName field mapping for Winlogbeat
  • sigma2attack tool

Changed

  • Improved usage of keyword fields for Elasticsearch-based backends
  • Splunk XML backend rule titles from sigma rule instead of file name
  • Moved backend option list to --help-backend
  • Microsoft Defender ATP schema improvements

Fixed

  • Splunk XML rule name is now set to rule title
  • Backend list deduplicated
  • Wrong escaping of wildcard at end of value when startswith modifier is used
  • Direct execution of tools on Windows systems by addition of script entry points

sigmatools 0.16.0

25 Feb 21:30

Added

  • Proxy field names to ECS mapping (ecs-proxy) configuration
  • False positives metadata to LimaCharlie backend
  • Additional aggregation capabilities for es-dsl backend
  • Azure log analytics rule backend (ala-rule)
  • SQL backend
  • Splunk Zeek sourcetype mapping config
  • sigma2attack script
  • Carbon Black backend and configuration
  • ArcSight ESM backend
  • Elasticsearch detection rule backend

Changed

  • Kibana object ID is now the Sigma rule ID if available; otherwise the old naming scheme is used
  • sigma2misp: replacement of deprecated method usage
  • Various configuration updates
  • Extended ArcSight mapping

Fixed

  • Fixed aggregation queries for Elastalert backend
  • Fixed aggregation queries for es-dsl backend
  • Backend and configuration lists are sorted
  • Escaping in ala backend

Sigma tool release 0.15.0

06 Dec 22:56

Added

  • sigma-uuid tool for adding and checking Sigma rule identifiers
  • Default configurations
  • Restriction of compared rules in sigma-similarity
  • Regular expression support in es-dsl backend
  • LimaCharlie support for proxy rule category
  • Source distribution for PyPI

Changed

  • Type errors are now ignored with -I

Fixed

  • Removed wrong CommandLine field mapping in THOR config

Sigma Release 0.14

29 Nov 15:22

Added

  • sigma-similarity tool
  • LimaCharlie backend
  • Default configurations for some backends that are used if no configuration is passed
  • Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
  • Value modifiers:
    • startswith
    • endswith

Changed

  • Removal of line breaks in elastalert output
  • Searches not bound to fields are restricted to keyword fields in es-qs backend
  • Graylog backend now based on es-qs backend

Fixed

  • Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic process creation log source configuration

Sigma tool release 0.13

29 Nov 23:36

Added

  • Index mappings for Sumologic
  • Malicious cmdlets in wdatp
  • QRadar support for keyword searches
  • QRadar mapping improvements
  • QRadar field selection
  • QRadar type regex modifier support
  • Elasticsearch keyword field blacklisting with wildcards
  • dateField configuration parameter in xpack-watcher backend
  • Field mappings in configurations
  • Field name mapping for conditional fields
  • Value modifiers:
    • utf16
    • utf16le
    • wide
    • utf16be

Changed

  • Improved --backend-config help text

Fixed

  • Backend errors in ala
  • Slash escaping within es-dsl wildcard queries
  • QRadar backend config
  • QRadar field name and value escaping and handling
  • Elasticsearch wildcard detection pattern
  • Aggregation on keyword field in es-dsl backend

Sigma tool release 0.12.1

29 Nov 23:37

Fixed

  • Missing build dependency

Sigma tool release 0.12

29 Nov 23:41

Added

  • Usage of Channel field in ELK Windows configuration
  • Fields to mappings
  • xpack-watcher actions index and webhook
  • Config for Winlogbeat 7.x
  • Value modifiers:
    • contains
    • alt
    • base64
    • base64offset
    • re
  • Regular expression support with value modifier re
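The base64offset modifier listed here is usually chained with the wide (utf16le) modifier from 0.13 and contains, e.g. `CommandLine|wide|base64offset|contains`. The block below is an added example, not sigmatools' own code: it reimplements the three-alignment scheme those modifiers produce and runs the resulting fragments against a constructed encoded command line; the function names and sample script are mine.

```python
import base64

# Constructed reimplementation of the wide, base64offset and contains value
# modifiers for illustration; not the sigmatools implementation itself.

def base64offset(value: bytes) -> list:
    """Return the three Base64 fragments that match `value` at any alignment.

    A byte string lands on one of three Base64 alignments depending on how
    many bytes precede it. Encode it shifted by 0, 1 and 2 bytes and cut off
    the characters whose bits also depend on neighbouring bytes.
    """
    start = (0, 2, 3)        # leading chars polluted by the shift bytes
    end = (None, -3, -2)     # trailing chars polluted by padding bits
    fragments = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + value).decode("ascii")
        fragments.append(enc[start[shift]:end[(len(value) + shift) % 3]])
    return fragments

def wide(text: str) -> bytes:
    """The wide / utf16le modifier: UTF-16LE bytes without a BOM."""
    return text.encode("utf-16-le")

def contains_any(fragments, field_value: str) -> bool:
    """The contains step: true if any fragment occurs in the field value."""
    return any(f in field_value for f in fragments)

def encoded_command(script: str) -> str:
    """Constructed sample in the form of a PowerShell -EncodedCommand value."""
    return base64.b64encode(wide(script)).decode("ascii")

if __name__ == "__main__":
    # Equivalent of: CommandLine|wide|base64offset|contains: 'DownloadString'
    needles = base64offset(wide("DownloadString"))
    sample = encoded_command(
        "(New-Object Net.WebClient).DownloadString('http://example.invalid/')")
    print(needles, contains_any(needles, sample))
```

Plain-ASCII input gives the fragments documented for Sigma (e.g. "cmd" yields Y21k, NtZ and jbW); the wide variant is what matches inside an encoded PowerShell command line.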

Changed

  • Warning/error messages
  • Sumologic value cleaning
  • Explicit OR for Elasticsearch query strings
  • Listing of available configurations on missing configuration error

Fixed

  • Conditions in es-dsl backend
  • Sumologic handling of null values
  • Ignore timeframe detection keyword in all/any of conditions