Multiple Updates - Migration to v2 Specification - First Batch #14

Merged
merged 17 commits into from
Aug 10, 2024
80 changes: 40 additions & 40 deletions README.md
Expand Up @@ -3,52 +3,52 @@
![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/frack113/b27ee1cbe964fb1a299cc20c3403f8c8/raw/pySigma-validators-sigmaHQ.json)
![Status](https://img.shields.io/badge/Status-pre--release-orange)

# Purpose
# 🌟 Purpose

Create all validators specific to the requirements of the SigmaHQ rules repository

# Validators

| Name | Description|
| --- | ---|
| sigmahq_categorie_eventid | Checks if rule use Eventid with a windows category that |
| sigmahq_date_existence | Checks if rule has a data. |
| sigmahq_description_existence | Checks if rule has a description. |
| sigmahq_description_length | Checks if rule has a description. |
| sigmahq_falsepositives_banned_word | Checks if rule falsepositive start with a banned word. |
| sigmahq_falsepositives_capital | Checks if rule falsepositive start with a capital. |
| sigmahq_falsepositives_typo_word | Checks if rule falsepositive start with a common typo error. |
| sigmahq_field_duplicate_value | Check uniques value in field list. |
| sigmahq_field_user | Check a User field use a localized name. |
| sigmahq_field_with_space | Check field do not have a space. |
| sigmahq_fieldname_cast | Check field name have a cast error. |
| sigmahq_filename | Check rule filename match SigmaHQ standard. |
| sigmahq_filename_prefix | Check rule filename match SigmaHQ prefix standard. |
| sigmahq_invalid_all_modifier | Check All modifier used with a single value. |
| sigmahq_invalid_field_source | Check field Source use with Eventlog. |
| sigmahq_invalid_fieldname | Check field name do not exist in the logsource. |
| sigmahq_level_existence | Checks if rule has a level. |
| sigmahq_link_description | Checks if rule description use a link instead of references. |
| sigmahq_logsource_known | Checks if rule has known logsource. |
| sigmahq_noasterixofselection_condition | Check use '1/all of ' without asterix |
| sigmahq_ofselection_condition | Check use 'All/X of ' with only one selection |
| sigmahq_ofthem_condition | Check use ' of them' with only one selection |
| sigmahq_sigmac | Checks if rule use a selection name that break sigmac. |
| sigmahq_space_fieldname | Check field name have a space. |
| sigmahq_status_deprecated | Checks if rule has a status DEPRECATED. |
| sigmahq_status_existence | Checks if rule has a status. |
| sigmahq_status_unsupported | Checks if rule has a status UNSUPPORTED. |
| sigmahq_title_case | Checks if rule title use capitalization. |
| sigmahq_title_end | Checks if rule title end with a dot(.). |
| sigmahq_title_length | Checks if rule has a title too long. |
| sigmahq_title_start | Checks if rule title start with Detects. |


# Data
# 🏗️ Validators

| Name | Description| severity |
| --- | --- | --- |
| sigmahq_categori_providername | Checks if a rule uses a Provider_Name field with a windows | medium |
| sigmahq_categorie_eventid | Checks if a rule uses an EventID field with a windows | medium |
| sigmahq_date_existence | Checks if rule has a data field. | medium |
| sigmahq_description_existence | Checks if rule has a description field. | medium |
| sigmahq_description_length | Checks if a rule has a has an overly brief description. | medium |
| sigmahq_falsepositives_banned_word | Checks if rule falsepositive start with a banned word. | medium |
| sigmahq_falsepositives_capital | Checks if rule falsepositive start with a capital. | medium |
| sigmahq_falsepositives_typo_word | Checks if rule falsepositive start with a common typo error. | medium |
| sigmahq_field_duplicate_value | Check uniques value in field list. | high |
| sigmahq_field_user | Check a User field use a localized name. | high |
| sigmahq_field_with_space | Check field do not have a space. | high |
| sigmahq_fieldname_cast | Check field name have a cast error. | high |
| sigmahq_filename | Check rule filename match SigmaHQ standard. | medium |
| sigmahq_filename_prefix | Check rule filename match SigmaHQ prefix standard. | medium |
| sigmahq_invalid_all_modifier | Check All modifier used with a single value. | high |
| sigmahq_invalid_field_source | Check field Source use with Eventlog. | high |
| sigmahq_invalid_fieldname | Check field name do not exist in the logsource. | high |
| sigmahq_level_existence | Checks if rule has a level field. | medium |
| sigmahq_link_description | Checks if rule description use a link instead of references. | medium |
| sigmahq_logsource_unknown | Checks if a rule uses an unknown logsource. | high |
| sigmahq_noasterixofselection_condition | Check use '1/all of ' without asterix | medium |
| sigmahq_ofselection_condition | Check use 'All/X of ' with only one selection | low |
| sigmahq_ofthem_condition | Check use ' of them' with only one selection | low |
| sigmahq_space_fieldname | Check field name have a space. | high |
| sigmahq_status | Checks if rule has a status field with the value Deprecated or Unsupported. | medium |
| sigmahq_status_existence | Checks if a rule is missing the status field. | high |
| sigmahq_sysmon_missing_eventid | Checks if rule uses windows sysmon service without EventID. | high |
| sigmahq_title_case | Checks if a rule has a title with invalid casing. | medium |
| sigmahq_title_end | Checks if a rule has title that ends with a dot(.). | medium |
| sigmahq_title_length | Checks if a rule has an excessively long title. | medium |
| sigmahq_title_start | Checks if a rule title starts with the word 'Detect' or 'Detects'. | medium |
| sigmahq_unknown_field | Checks if a rule uses an unknown field. | medium |

# 🧬 Data

All the data value are in the config.py

# Maintainer
# 📜 Maintainer

This pipelines is currently maintained by:
* [François Hubaut](https://github.com/frack113)
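Review bot: the two category rows in the new table are cut off mid-sentence, and a couple of neighbouring rows carry typos, so the table would go out with incomplete text. "Checks if a rule uses a Provider_Name field with a windows" and "Checks if a rule uses an EventID field with a windows" both stop before saying what the check compares the Windows category against; please finish those sentences (for example "... with a windows category that does not match" or whatever the validator actually enforces). In the same block, "Checks if rule has a data field." should read "date field", since the validator is sigmahq_date_existence, and "Checks if a rule has a has an overly brief description." has a duplicated "has a". The new name sigmahq_categori_providername also looks inconsistent with its sibling sigmahq_categorie_eventid; if the class in the code is really spelled "categori", fine, otherwise align the two. Finally, the old "# Validators" heading was renamed to "# 🌟 Purpose" while "# Data" became "# 🏗️ Validators", which reads oddly in the diff but is harmless in the rendered result; worth a quick look that the final heading order is Purpose, Validators, Data, Maintainer as intended.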