This repository has been archived by the owner on Aug 3, 2024. It is now read-only.

Releases: SigmaHQ/legacy-sigmatools

Sigmatools 0.21

03 Apr 07:32

Note
Original Release Date: Apr 9, 2022
Original Release Author: @thomaspatzke

Added

  • Azure Sentinel backend
  • OpenSearch Monitor backend
  • Hawk backend
  • Datadog backend
  • FortiSIEM backend
  • Lacework agent data support
  • Athena SQL backend
  • Regex support in SQLite backend
  • Additional field mappings

Changed

  • Log source refactoring

Fixed

  • Mapping fixes
  • Various bugfixes
  • Disabled problematic optimization

sigmatools 0.20

03 Apr 07:35

Note
Original Release Date: Aug 14, 2021
Original Release Author: @thomaspatzke

Added

  • Devo backend
  • Fields selection added to SQL backend
  • Linux/MacOS support for MDATP backend
  • Output results as generic YAML/JSON
  • Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
  • ALA AWS Cloudtrail and Azure mappings
  • LogRhythm backend
  • Splunk Data Models backend
  • Further log sources used in open source Sigma ruleset
  • CarbonBlack EDR backend
  • Elastic EQL backend
  • Additional conversion selection filters
  • Filter negation
  • Specify table in SQL backend
  • Generic registry event log source
  • Chronicle backend

Changed

  • Elastic Watcher backend populates name attribute instead of title.
  • One item list optimization.
  • Updated Winlogbeat mapping
  • Generic mapping for Powershell backend

Fixed

  • Elastalert multi output file
  • Fixed duplicate output in ElastAlert backend
  • Escaping in Graylog backend
  • es-rule ndjson output
  • Various fixes of known bugs

sigmatools 0.19.1

03 Apr 07:21

Note
Original Release Date: Feb 28, 2021
Original Release Author: @thomaspatzke

Changed

  • Added LGPL license to distribution

sigmatools 0.19

03 Apr 07:20

Note
Original Release Date: Feb 28, 2021
Original Release Author: @thomaspatzke

Added

  • New parameters for Elastic backends
  • Various field mappings
  • FireEye Helix backend
  • Generic log source image_load
  • Kibana NDJSON backend
  • uberAgent ESA backend
  • SumoLogic CSE backend

Changed

  • Updated mdatp backend fields
  • QRadar query generation optimized
  • MDATP: case insensitive search

Fixed

  • Fixed QRadar implementation so that it creates valid AQL queries
  • Nested conditions
  • Various minor bug fixes

sigmatools 0.18.1

03 Apr 07:18

Note
Original Release Date: Aug 26, 2020
Original Release Author: @thomaspatzke

Warning
Version 0.18.0 that is referenced below could not be retrieved any more at the time of the migration. The specific commit hash of version 0.18.0 is therefore lost.

Note regarding version 0.18.1: release created for technical reasons (issues with extended README and PyPI), no real changes done to 0.18.0.

Added

  • C# backend
  • STIX backend
  • Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and other)
  • More generic log sources
  • Windows Defender log sources
  • Generic DNS query log source
  • AppLocker log source

Changed

  • Improved backend and configuration descriptions
  • Microsoft Defender ATP mapping updated
  • Improved handling of wildcards in Elastic backends

Fixed

  • Powershell backend: key name was incorrectly added into regular expression
  • Grouping issue in Carbon Black backend
  • Handling of default field mapping in case a field is referenced multiple times from a rule
  • Code cleanup and various fixes
  • Log source mappings in configurations
  • Handling of conditional field mappings by Elastic backends

sigmatools 0.17.0

03 Apr 07:16

Note
Original Release Date: Jun 13, 2020
Original Release Author: @thomaspatzke

Added

  • LOGIQ Backend (logiq)
  • CarbonBlack backend (carbonblack) and field mappings
  • Elasticsearch detection rule backend (es-rule)
  • ee-outliers backend
  • CrowdStrike backend (crowdstrike)
  • Humio backend (humio)
  • Aggregations in SQL backend
  • SQLite backend (sqlite)
  • AWS Cloudtrail ECS mappings
  • Overrides
  • Zeek configurations for various backends
  • Case-insensitive matching for Elasticsearch
  • ECS proxy mappings
  • RuleName field mapping for Winlogbeat
  • sigma2attack tool

Changed

  • Improved usage of keyword fields for Elasticsearch-based backends
  • Splunk XML backend rule titles from sigma rule instead of file name
  • Moved backend option list to --help-backend
  • Microsoft Defender ATP schema improvements

Fixed

  • Splunk XML rule name is now set to rule title
  • Backend list deduplicated
  • Wrong escaping of wildcard at end of value when startswith modifier is used.
  • Direct execution of tools on Windows systems by addition of script entry points

sigmatools 0.16.0

03 Apr 07:15

Note
Original Release Date: Feb 25, 2020
Original Release Author: @thomaspatzke

Added

  • Proxy field names to ECS mapping (ecs-proxy) configuration
  • False positives metadata to LimaCharlie backend
  • Additional aggregation capabilities for es-dsl backend
  • Azure log analytics rule backend (ala-rule)
  • SQL backend
  • Splunk Zeek sourcetype mapping config
  • sigma2attack script
  • Carbon Black backend and configuration
  • ArcSight ESM backend
  • Elasticsearch detection rule backend

Changed

  • Kibana object id is now the Sigma rule id if available; otherwise the old naming scheme is used.
  • sigma2misp: replacement of deprecated method usage.
  • Various configuration updates
  • Extended ArcSight mapping

Fixed

  • Fixed aggregation queries for Elastalert backend
  • Fixed aggregation queries for es-dsl backend
  • Backend and configuration lists are sorted.
  • Escaping in ala backend

Sigma tool release 0.15.0

03 Apr 07:14

Note
Original Release Date: Dec 6, 2019
Original Release Author: @thomaspatzke

Added

  • sigma-uuid tool for addition and check of Sigma rule identifiers
  • Default configurations
  • Restriction of compared rules in sigma-similarity
  • Regular expression support in es-dsl backend
  • LimaCharlie support for proxy rule category
  • Source distribution for PyPI

Changed

  • Type errors are now ignored with -I

Fixed

  • Removed wrong mapping of CommandLine field mapping in THOR config

Sigma Release 0.14

03 Apr 07:13

Note
Original Release Date: Nov 29, 2019
Original Release Author: @Neo23x0

Added

  • sigma-similarity tool
  • LimaCharlie backend
  • Default configurations for some backends that are used if no configuration is passed
  • Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
  • Value modifiers:
    • startswith
    • endswith

Changed

  • Removal of line breaks in elastalert output
  • Searches not bound to fields are restricted to keyword fields in es-qs backend
  • Graylog backend now based on es-qs backend

Fixed

  • Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic
    process creation log source configuration

Sigma tool release 0.13

03 Apr 07:12

Note
Original Release Date: Nov 30, 2019
Original Release Author: @thomaspatzke

Added

  • Index mappings for Sumologic
  • Malicious cmdlets in wdatp
  • QRadar support for keyword searches
  • QRadar mapping improvements
  • QRadar field selection
  • QRadar type regex modifier support
  • Elasticsearch keyword field blacklisting with wildcards
  • Added dateField configuration parameter in xpack-watcher backend
  • Field mappings in configurations
  • Field name mapping for conditional fields
  • Value modifiers:
    • utf16
    • utf16le
    • wide
    • utf16be

Changed

  • Improved --backend-config help text

Fixed

  • Backend errors in ala
  • Slash escaping within es-dsl wildcard queries
  • QRadar backend config
  • QRadar field name and value escaping and handling
  • Elasticsearch wildcard detection pattern
  • Aggregation on keyword field in es-dsl backend