├── .gitattributes ├── local ├── app.conf └── data │ └── ui │ └── nav │ └── default.xml ├── ss1.jpg ├── ss2.jpg ├── default ├── savedsearches.conf └── app.conf ├── README.md └── Update_SavedSearches_From_Sigma_YML.ps1 /.gitattributes: -------------------------------------------------------------------------------- 1 | *.txt text eol=crlf 2 | *.conf text eol=crlf 3 | 4 | -------------------------------------------------------------------------------- /local/app.conf: -------------------------------------------------------------------------------- 1 | 2 | [ui] 3 | 4 | [launcher] 5 | version = 1.0.0 6 | -------------------------------------------------------------------------------- /ss1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dstaulcu/TA-Sigma-Searches/HEAD/ss1.jpg -------------------------------------------------------------------------------- /ss2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dstaulcu/TA-Sigma-Searches/HEAD/ss2.jpg -------------------------------------------------------------------------------- /default/savedsearches.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dstaulcu/TA-Sigma-Searches/HEAD/default/savedsearches.conf -------------------------------------------------------------------------------- /local/data/ui/nav/default.xml: -------------------------------------------------------------------------------- 1 | 4 | -------------------------------------------------------------------------------- /default/app.conf: -------------------------------------------------------------------------------- 1 | # Splunk app configuration file 2 | 3 | [install] 4 | is_configured = 0 5 | 6 | [ui] 7 | is_visible = 1 8 | label = Sigma Searches 9 | 10 | [launcher] 11 | author = David Staulcup 12 | description = Splunk searches converted 
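from sigma rules. https://github.com/Neo23x0/sigma 13 | version = 1.0 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # TA-Sigma-Searches 2 | 3 | A splunk app containing reports derived from converted sigma rules [https://github.com/Neo23x0/sigma] 4 | 5 | ![alt tag](https://github.com/dstaulcu/TA-Sigma-Searches/blob/master/ss1.jpg) 6 | 7 | ![alt tag](https://github.com/dstaulcu/TA-Sigma-Searches/blob/master/ss2.jpg) 8 | 9 | Update_SavedSearches_From_Sigma_YML.ps1 - updates savedsearches.conf based from specified sigma rulesets 10 | -------------------------------------------------------------------------------- /Update_SavedSearches_From_Sigma_YML.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
    Regenerates default/savedsearches.conf from the Sigma rule set and commits the result.

.DESCRIPTION
    Downloads the Sigma repository archive, converts every .yml rule to Splunk SPL with
    sigmac, emits one saved-search stanza per rule plus one combined ("OR"-ed) stanza per
    severity level (critical/high/medium/low), writes the conf file once, then stages,
    commits and pushes it.

    Requirements (all must already be present): the powershell-yaml module, a Python
    interpreter, a local sigma checkout providing tools/sigmac.py, git on PATH, and the
    Shell.Application COM object (Windows).

    The rule archive is fetched from an unpinned branch, so two runs can produce different
    output; review the resulting diff before relying on the pushed commit.
#>
param(
    # Generated conf file; it is overwritten on every run.
    [string]$SavedSearchesPath = "C:\Development\TA-Sigma-Searches\default\savedsearches.conf",
    # Git working copy that receives the commit and push.
    [string]$RepoPath = "C:\Development\TA-Sigma-Searches",
    # Branch pushed at the end.
    [string]$Branch = "master",
    [string]$PythonPath = "C:\Python36-32\python.exe",
    # NOTE: this is a separate local sigma checkout, not the archive downloaded below;
    # keep the two in sync or point it at the tools\sigmac.py inside the extracted archive.
    [string]$SigmacPath = "C:\Development\sigma-master\tools\sigmac.py",
    # Archive of rules to convert (GitHub archives unpack into a "sigma-master" folder).
    [string]$SigmaArchiveUrl = "https://github.com/Neo23x0/sigma/archive/master.zip"
)

# WebClient on older .NET negotiates SSL3/TLS1.0 by default; GitHub requires TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-Web-Download($url, $DownloadFolder)
{
    # Downloads $url into $DownloadFolder (file name taken from the last URL segment),
    # replacing any earlier copy, and returns the local path.
    $download_filename = $url.Split("/")[-1]
    $download_path = "$DownloadFolder\$download_filename"

    # remove any previously downloaded files
    if (Test-Path $download_path) {
        Remove-Item -Path $download_path -Force
    }

    Write-Host "Downloading $url"
    $client = New-Object System.Net.WebClient
    try {
        $client.DownloadFile($url, $download_path)
    }
    finally {
        # WebClient is IDisposable; release the connection even if the download throws.
        $client.Dispose()
    }

    return $download_path
}

function Expand-ZIPFile($file, $destination)
{
    # Extracts every top-level item of the archive $file into the folder $destination
    # via the Shell.Application COM object (no dependency on Expand-Archive).
    # NOTE(review): CopyHere can show UI or return before copying finishes on large
    # archives; Expand-Archive (PowerShell 5+) is the more predictable replacement.
    $shell = New-Object -ComObject shell.application
    $zip = $shell.NameSpace($file)
    $target = $shell.NameSpace($destination)
    foreach ($item in $zip.Items())
    {
        $target.CopyHere($item)
    }
}

function New-SavedSearchStanza($Stanza, $Search, $Description)
{
    # Returns the text of one savedsearches.conf stanza. The leading blank line keeps
    # consecutive stanzas separated when they are written back to back.
    # Conf values must stay on one line (YAML descriptions may be multi-line), so
    # embedded line breaks are collapsed to single spaces.
    $Search = "$Search" -replace '\s*[\r\n]+\s*', ' '
    $Description = "$Description" -replace '\s*[\r\n]+\s*', ' '
    return @"

[$Stanza]
search = $Search
dispatch.earliest_time = -24h@h
description = $Description
"@
}

# Fail early: without these tools every per-rule conversion below yields nothing and the
# script would go on to commit a conf file containing only empty combined searches.
foreach ($tool in @($PythonPath, $SigmacPath)) {
    if (-not (Test-Path $tool)) { throw "Required tool not found: $tool" }
}

$extractPath = "$env:temp\sigma-master"

# Start from a clean extraction folder (Get-Web-Download replaces the archive itself).
if (Test-Path $extractPath) { Remove-Item $extractPath -Force -Recurse }
New-Item -ItemType Directory -Path $extractPath | Out-Null
$archivePath = Get-Web-Download -url $SigmaArchiveUrl -DownloadFolder $env:temp
Expand-ZIPFile -file $archivePath -destination $extractPath

Import-Module powershell-yaml
# https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
# install-package powershell-yaml
# https://github.com/cloudbase/powershell-yaml

# The archive unpacks into a single "<repo>-<branch>" folder beneath $extractPath.
# Passing the directory (not a "*.yml" wildcard path) plus -Filter/-Recurse is the
# unambiguous way to enumerate rules in every sub-folder.
$RulePath = "$extractPath\sigma-master\rules"
$RuleSet = Get-ChildItem -Path $RulePath -Filter "*.yml" -Recurse

$env:PATHEXT += ";.py"

# Sigma logsource "product:service" -> Splunk sourcetype that scopes the generated search.
# Anything not listed falls back to "*". Hashtable keys are matched case-insensitively,
# matching the case-insensitive switch this replaces.
$SourceTypeMap = @{
    "windows:sysmon"        = "*WinEventLog:Microsoft-Windows-Sysmon/Operational"
    "windows:security"      = "*WinEventLog:Security"
    "windows:powershell"    = "*Microsoft-Windows-PowerShell/Operational"
    "windows:system"        = "*WinEventLog:System"
    "windows:application"   = "*WinEventLog:Application"
    "windows:taskscheduler" = "*WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
}

# Severity levels that get a combined "OR" stanza, in output order, with their stanza titles.
$CombinedStanzas = @(
    @{ Level = "critical"; Title = "All Critical Severity Signatures" },
    @{ Level = "high";     Title = "All High Severity Signatures" },
    @{ Level = "medium";   Title = "All Medium Severity Signatures" },
    @{ Level = "low";      Title = "All Low Severity Signatures" }
)
$Levels = @($CombinedStanzas | ForEach-Object { $_.Level })
$Combined = @{}

$stanzas = New-Object System.Collections.Generic.List[string]
foreach ($Rule in $RuleSet)
{
    # sigmac writes the SPL to stdout; no output (unsupported rule, conversion error) => skip.
    $SPL = & $PythonPath $SigmacPath -t splunk $Rule.FullName
    if (-not $SPL)
    {
        Write-Host "Skipping $($Rule.FullName): sigmac produced no output"
        continue
    }

    $obj = ConvertFrom-Yaml (Get-Content $Rule.FullName -Raw)

    $product = $obj.logsource.product
    $service = $obj.logsource.service
    if (-not $product) { $product = "unknown" }
    if (-not $service) { $service = "unknown" }
    $prefix = "${product}:${service}"

    $level = $obj.level
    if (-not $level) { $level = "unknown" }

    $SourceType = $SourceTypeMap[$prefix]
    if (-not $SourceType) { $SourceType = "*" }

    # sigmac may emit several lines (an array); flatten it the way string interpolation
    # would (space-joined). Splunk's Windows TA names the field EventCode, not EventID.
    $SPL = ($SPL -join " ").Replace("EventID", "EventCode")
    $SPL = "sourcetype=`"$SourceType`" $SPL"

    # Accumulate this rule into the per-level combined search.
    if ($Levels -contains $level)
    {
        if (-not $Combined[$level]) { $Combined[$level] = "($SPL)" }
        else { $Combined[$level] = "$($Combined[$level]) OR ($SPL)" }
    }

    $description = "$($obj.description). Author: $($obj.author) Status: $($obj.status) Level: $($obj.level) FalsePositives: $($obj.falsepositives)"

    $section = New-SavedSearchStanza -Stanza "${level}:${prefix} - $($obj.title)" -Search $SPL -Description $description
    Write-Host $section
    $stanzas.Add($section)
}

# Refuse to replace a working conf file with one that holds no rule searches at all.
if ($stanzas.Count -eq 0) {
    throw "No rules were converted; leaving $SavedSearchesPath untouched"
}

foreach ($entry in $CombinedStanzas)
{
    $section = New-SavedSearchStanza -Stanza $entry.Title -Search $Combined[$entry.Level] -Description "combined search of $($entry.Level) severity signatures"
    Write-Host $section
    $stanzas.Add($section)
}

# One write instead of many appends. Out-File's default encoding on Windows PowerShell is
# UTF-16; Splunk expects .conf files to be UTF-8.
$stanzas | Out-File -FilePath $SavedSearchesPath -Encoding UTF8 -Force

Set-Location $RepoPath
& git add -- $SavedSearchesPath
# 24-hour clock (HH) so the version label is unambiguous within a day.
$shortdate = (Get-Date).ToString("yyyy.MM.dd.HH.mm.ss")
$comment = "update v$shortdate"
& git commit -m $comment
if ($LASTEXITCODE -ne 0) {
    # Typically "nothing to commit"; there is nothing new to push in that case.
    Write-Host "git commit exited with $LASTEXITCODE; skipping push"
}
else {
    & git push origin $Branch
}
--------------------------------------------------------------------------------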