Added basic sigma test with arbitrary rules based on Shuffle File namespaces and sigmac

Author: frikky

analyze.py

@@ -21,7 +21,7 @@
         try:
             with open(filepath, "r") as tmp:
                 try:
-                    ret = yaml.load(tmp.read())
+                    ret = yaml.full_load(tmp.read())
                 except yaml.scanner.ScannerError as e:
                     print(f"Bad yaml in {filepath} (2): {e}")
                     continue
@@ -51,7 +51,7 @@
         try:
             with open(apifile, "r") as tmp:
                 try:
-                    apidata = yaml.load(tmp.read())
+                    apidata = yaml.full_load(tmp.read())
                 except yaml.scanner.ScannerError as e:
                     print(f"Bad yaml in {apifile} (2): {e}")
                     continue

unsupported/sigma/1.0.0/Dockerfile sigma/1.0.0/Dockerfileunsupported/sigma/1.0.0/Dockerfile renamed to sigma/1.0.0/Dockerfile

@@ -18,6 +18,9 @@ FROM base
 COPY --from=builder /install /usr/local
 COPY src /app
 
+# Fix python3.3 > issues 
+RUN sed -i 's/from collections import Iterable/from collections.abc import Iterable/g' /usr/local/lib/python3.10/site-packages/sigma/config/collection.py
+
 # Install any binary dependencies needed in our final image
 # RUN apk --no-cache add --update my_binary_dependency
 

unsupported/sigma/1.0.0/api.yaml sigma/1.0.0/api.yamlunsupported/sigma/1.0.0/api.yaml renamed to sigma/1.0.0/api.yaml

@@ -10,27 +10,69 @@ tags:
 categories:
   - Testing 
 actions:
-  - name: run_python_script
+  - name: get_searches 
     description: Runs a python script defined by YOU 
     parameters:
-      - name: json_data
-        description: The JSON to handle 
+      - name: engine 
+        description: The engine to translate to
         required: true
-        multiline: true
-        example: '{"data": "testing"}'
+        options:
+          - uberagent
+          - sumologic-cse
+          - netwitness-epl
+          - netwitness
+          - stix
+          - es-rule
+          - graylog
+          - sqlite
+          - sysmon
+          - csharp
+          - logpoint
+          - mdatp
+          - ala-rule
+          - humio
+          - crowdstrike
+          - sumologic-cse-rule
+          - elastalert
+          - limacharlie
+          - carbonblack
+          - ala
+          - arcsight
+          - sql
+          - logiq
+          - grep
+          - fireeye-helix
+          - fieldlist
+          - xpack-watcher
+          - splunkxml
+          - kibana
+          - powershell
+          - arcsight-esm
+          - kibana-ndjson
+          - qradar
+          - qualys
+          - es-qs
+          - elastalert-dsl
+          - splunk
+          - sumologic
+          - es-dsl
+          - ee-outliers
+        example: 'kibana'
         schema:
           type: string
-      - name: function_to_execute 
-        description: The selected python function to run
+      - name: backend
+        description: The backend to use. If blank, space or list, this will return a list of options
         required: true
-        multiline: true
-        example: '1'
-        options: 
-          - function_1 
-          - function_2 
+        multiline: false 
+        schema:
+          type: string
+      - name: shuffle_namespace
+        description: The Shuffle
+        required: true
+        multiline: false 
         schema:
           type: string
     returns:
       schema:
         type: string
-large_image: data:image/jpg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/4gKgSUNDX1BST0ZJTEUAAQEAAAKQbGNtcwQwAABtbnRyUkdCIFhZWiAH5AAFAAUADgA6ADFhY3NwQVBQTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9tYAAQAAAADTLWxjbXMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtkZXNjAAABCAAAADhjcHJ0AAABQAAAAE53dHB0AAABkAAAABRjaGFkAAABpAAAACxyWFlaAAAB0AAAABRiWFlaAAAB5AAAABRnWFlaAAAB+AAAABRyVFJDAAACDAAAACBnVFJDAAACLAAAACBiVFJDAAACTAAAACBjaHJtAAACbAAAACRtbHVjAAAAAAAAAAEAAAAMZW5VUwAAABwAAAAcAHMAUgBHAEIAIABiAHUAaQBsAHQALQBpAG4AAG1sdWMAAAAAAAAAAQAAAAxlblVTAAAAMgAAABwATgBvACAAYwBvAHAAeQByAGkAZwBoAHQALAAgAHUAcwBlACAAZgByAGUAZQBsAHkAAAAAWFlaIAAAAAAAAPbWAAEAAAAA0y1zZjMyAAAAAAABDEoAAAXj///zKgAAB5sAAP2H///7ov///aMAAAPYAADAlFhZWiAAAAAAAABvlAAAOO4AAAOQWFlaIAAAAAAAACSdAAAPgwAAtr5YWVogAAAAAAAAYqUAALeQAAAY3nBhcmEAAAAAAAMAAAACZmYAAPKnAAANWQAAE9AAAApbcGFyYQAAAAAAAwAAAAJmZgAA8qcAAA1ZAAAT0AAACltwYXJhAAAAAAADAAAAAmZmAADypwAADVkAABPQAAAKW2Nocm0AAAAAAAMAAAAAo9cAAFR7AABMzQAAmZoAACZmAAAPXP/bAEMABQMEBAQDBQQEBAUFBQYHDAgHBwcHDwsLCQwRDxISEQ8RERMWHBcTFBoVEREYIRgaHR0fHx8TFyIkIh4kHB4fHv/bAEMBBQUFBwYHDggIDh4UERQeHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHv/AABEIAK4ArgMBIgACEQEDEQH/xAAcAAEAAQUBAQAAAAAAAAAAAAAABwEEBQYIAgP/xABDEAABAwMBBAUHCQcDBQAAAAABAAIDBAURBgcSITFBUWFxgRMiMpGhsdEUFyNCUlNikpQVJDNDVHLBFpPCJXOCovD/xAAcAQEAAgMBAQEAAAAAAAAAAAAABQYCBAcDAQj/xAA4EQABAwMABwYEBQMFAAAAAAABAAIDBAURBhIhMUFRoSJhcZHB4ROBsdEVFjJCUhQjMyRjovDx/9oADAMBAAIRAxEAPwDstERERERERERERERERERERERERERERERERERERERERERERERERERERERERFQuwtU1Rr2w2MuhdMaurbzgp8OIP4nch7+xekUL5nasYyVr1NXBSs+JM4NHetr3gm8MZUH3rafqCsJZQtgt8XRuN33/AJjw9i1SvvV3rzmsulZP2Pmdj1clNQ6PzvGXkDqqjVacUcZxC0v6D79F0tJV0sZw+oiaepzwFWOpp5P4c8b/AO14K5ZPHnx71VpLSC0lpHUcLZ/Ln+5091H/AJ+Of8H/AC9l1TvBMhc0W/UF8t7gaO7VsWPqiUlvqOQtusm1O80zmsulNDXx9L2jycns4H1Bak1gqGbWEO6KTpNN6GU4laWdR029FNSLXdL6wsd/aI6Op3KjHGnm82TwHT4LYd5Q0kb43arxgq2wVEVQwSRODgeIVURFgvZERERERERERERERERFbXOupbbRS1lbOyGCJu897jwH/wB1KtwrKegpJauqlbFDEwve93IAKAde6sq9TXAnLoqCJ30EH/J34vcpC3299Y/A2NG8qCvt8itUOTtedw9T3LK642h194fJSWt0lFQHgSDiWUdp+qOweK0VEV3p6aOmZqRjC49XXCor5TLO7J6DwCIiL3WkiIiIiIiIqtc5jg9ji1zTkEHBB6wVJGhNpM9K9lDqF7p4CcNq+b2f3faHbz71GyLWqqOKqZqyD7hSFuulTbpfiQOxzHA+K6lgqI54mSwvZJG8Ate05DgekFfZQTs01pJYKptBXyF1rld08fIOP1h+HrHipzikEjGvY4Oa4ZBHIjrVHrqJ9JJqu3cCux2W8w3SD4jNjhvHL25L2iItJTCIiIiIiIiKjuSqsJrm8Cxaaq7iCPKtbuQjrkdwb8fBZxsdI4MbvK8p5mQROlecADJ+SjPbHqd1dcDYaSX92pnZqCD6cn2e5vv7lHa9SPfI90kji57iXOceZJ5lI2PkkbGxrnPccNa0ZJPUAuhUlMylhDG8Fwm5V8txqnTP3ncOQ4BeU6cdakTSmzCvrmsqb3K6hhPEQswZSO3ob7SpKsWlrFZgPkFthbIB/FeN+Q/+R4+pR9VfIIThnaPdu81OW7Q+tqwHydhvfv8AL74UDW/Td/uADqOz1srTyd5Itb6zgLMQbOdWyc7fFF/3Khg9xKn7A6kwOpRD9IagnstAVoh0Fomj+49xPyHooI+bLVf3FH+pHwT5stV/cUf6kfBTuiw/H6ru8l7/AJItvN3n7KCPmy1X9xR/qR8E+bLVf3FH+pHwU7on4/Vd3kn5ItvN3n7KCPmy1X9xR/qR8E+bLVf9PR/qR8FO6s7tVNorZV1jjhsEL5DnsaSvov1WTgAeSxdoXbGNLiXYHf7LmSphfTVUtPIWl8Tyx26cjIODgqVti2p3TMOna2XL4ml1I49LBzZ4cx2Z6lEz3ukcZHnLnHed3nivvbKye3XCnr6V27PBIJGHtHR48lZa2kFVBqO38PFc9tFzdbawTM/TuI5hdRhFZWSvhulrpbhTnMVRGJG9mRy8OSvVz8gtOCu5Me17Q5u4oiIviyREREVHDIUS7eLkTPb7Qx3BrXVEg7T5rf8AkpbPJc/7WKk1WvK8ZJEW5C0dzQfeSpexxCSqBPAZ9PVVTTKpMNtLR+8gevotct1HU3CtioqOF008rt1jG9J+Hapy0Homj07AypnDai5ub58xGRH+FnV38yvhsu0k2yWsV1XH/wBSqWguz/KYeIYO3pPq6Fu7eS9rtdDO4xRns/X2Wroxo2ylYKmoGZDuH8ff6I0cFVUJA5laRr3XtJp97qGjYyruGOLM+ZF/cev8PuUPDBJO8MjGSrVW10FFEZZ3YaFvGQvhLV0kTt2SphY7qdIB/lc6XnVN/u7yay6VBYT/AAo3eTYPAf5WGd5xy7ie3ip+PR15Hbfg9w/8VKn09iDsQwkjvOOgBXUsNVTTOLYaiGQgZIa8HHqX2XMWn7rU2O7QXKjO6+J2XN6Ht6WnsIXS1BUR1dHDVQnMc0bZGHsIyFG3G3OonDbkFT9gv7Lux3Z1XN4Zzs58F9yQBkkAK1/aNB/W03+634q4eM8MKI9r2jaakiN/tlOyJm8BVxNbgAk8HgdHHgfArXo4GTyiN7sZ3Leu1ZNRU5niZr43jONnPcVKn7RoP62m/wB1vxWq7VbtSxaJrmQVUL5J92EBkgJw5wzy7MqB91v2W+pA1o5ADwVjh0fbHI15fnBzu91QqvTd9RA+IRY1gRnPP5KqIisKoimfYZcjU6fqLc92XUc2Wf2P4+8OUiKFNhdUYtU1NNnzZ6Unxa4Ee8qa1RLxF8Ordjjt8/ddp0VqTUWyMne3I8t3TCIiKMViREREVHeiVEen7EL1tYvFXUR79LQVbpHA8nPz5g9mfBS44ZGFjLHaY7bLcJWkGStq31DyO3AA8AFt01SYGv1d5GFFXG3itkh1v0sdrH5A46rJtGOaqio44C1FKrVdpepf9O2MugINdUEx04PHdOOL/Ae3CgGWR8sjpZXue95LnOcckk8yVtu1u6OuWsqiIOJhowIGDqI4uPrPsWoK8WejbBThx/U7afQLjOlN0dW1zmA9hmwep+Z6YRERSyrSBdFbOHuk0TaHP5/JWj1cFzqTgE9QXS2kKb5Jpi2UxGDHSRg9+6Mqu6REfCYO9XzQNp/qZXcMD6+yyqs7zRx3C2VNDMMxzxOjOe0YV4vLlVASDkLpr2h7S124rliWN0Ur4n+kxxae8HBXlXd5LXXitcz0TUyEfnKtF0thLmglfnqZobI5o4FERFkvNbfsecW68pcdMMo/9VPYUFbFoTJrdjxyippXHxwP8qdQMKmX8/6r5Bdb0JBFtOf5H0VURFCK4IiIiIiIiIvEzgxjnk4AGSe5e1Z3jP7LqyOfkH4/KV9AycLCR2q0lczV9Q6rrqiqecumlfIT3klfFUb6De4Kq6Y0AAAL88vcXOLjxRERfVir2w0Trle6KgYMmedjD3E8fZldORtDQGtAAAwO5Q1sPsrqq9zXiVn0NI0sjJ6ZHDo7m+9TOBhU6/1AknEY/b6/9C6voRRGGjdM7956DZ9cosdqWvbbLFXV7jgQQOeO/HD24WQJwo325XgQWins0Tx5Sqf5SUA8o28vW7HqKi6OAzztjHE9FY7tWCio5JjwGzxOwdVDpJJJcck8Se1ERdFXBScoiIiKUtgdCTUXO5OHANZA09vpH/CllaxsztDrNpKkgkbuzzAzyjqc7jjwGAtnXP7lOJ6l7xu+2xdysFGaO3xxu34yfE7UREWiplERERERERF4laHtc13EEYI7F7TCIRlcyaitk1nvdXbpmkGGUhp+03m0+Iwseugtc6NoNTRNke801bGMRztGeH2XDpHuUaVWy/U8UpbCKKoZ0PbNu58CFdaK8QSRgSOw4c1x+7aLVtPO4wML2Hdjb8iFpCvLLbKy8XKG30MXlJ5TgdTR0uPUAt0tWyq+TyD5fVUlHH07rjI7wAwPapO0ppm16cpvI0MWZH/xZ38Xyd56B2Dgsay9wxMxEdZ3RZ2nRGrqZAaluozjnefAfdXGlbNTWGzU9tpuIjGXvxxe8+k495WVQADkFRypz3ue4ucckrrMUTIWCNgwBsC+NbUQ0tPJUVEjY4Y2F73O5ADmVzlq+8yX/UFTcngtY87sLT9WMeiO/p7ytx2t6wbXPdYbbLvU8bv3qVp4SOH1B2A8+3uUbq22OgMTfjP3nd4Ll2mF7bVSCkhOWt3nmfb6oiIp9UlFtOzLTzr9qOMyx5oqUiWcnkcei3xPsBWv2qgqrncIaCiiMs8zt1rR7z1AdJXQ2jNP02nLNFQQ4fJ6c8uOMjzzPd0DsUPeK8U0Wo09p3Qc1adFrK6vqRK8f22bT3ngPv7rNNGF6RFSV2JEREREREREREREREREREREWHuGp9P0O8Kq80Mbm8C3yoJHgOK1K+7VLPTtcy1081fL0OcPJx+s8T6lsxUc8xwxhKjqq70VICZpQPnk+Q2qQKmaKCB800jI42DLnvdgNHWSok2g7RDVsktdgkc2F3my1Y4F46QzqHb6lp+ptU3nUMn7/U4gBy2ni82MeHSe05WEVkoLG2Ih8+08uHuue3zTB9U0w0mWt4nifDl9fBEReo2PkkEcbHPe44DWjJPcArCSAqQAScBeVeWe2V13r2UVvp3TzP6ByA6yegdq23S2zW83QsnuINtpTx88ZlcOxvR4+pS3p2wWyw0fya20wiB9N54veetx6VC116igBbF2ndFbbNolU1jhJUDUZ1PgOHiVi9A6QpNNUe87E1fKPpp8cB+FvU33ra0RU+WV8zy95ySuq0tLFSRCGEYaEREXmthERERERERERERERERERERYa8aYsV3ya+100rz/ADA3df8AmGCtUr9k9kmJNJW1tL2FwkHtGfapERbMNZPD+h5Cjqq0UNUczRAnnjb5jaonm2QSZ+hvrSPx03wcvUGyA/z77+Sm+LlKyLa/GKz+fQfZR35UtOc/C6n7qP7fspsEDg6qnrawjmHSBjT4NGfatstFhtNoZu223U1N1uYzzj3u5rKItSarnm/yPJUlS2qipDmGIA88bfPeqNGBhVRFrqQRERERERERER
+large_image: data:image/jpg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/4gKgSUNDX1BST0ZJTEUAAQEAAAKQbGNtcwQwAABtbnRyUkdCIFhZWiAH5AAFAAUADgA6ADFhY3NwQVBQTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9tYAAQAAAADTLWxjbXMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtkZXNjAAABCAAAADhjcHJ0AAABQAAAAE53dHB0AAABkAAAABRjaGFkAAABpAAAACxyWFlaAAAB0AAAABRiWFlaAAAB5AAAABRnWFlaAAAB+AAAABRyVFJDAAACDAAAACBnVFJDAAACLAAAACBiVFJDAAACTAAAACBjaHJtAAACbAAAACRtbHVjAAAAAAAAAAEAAAAMZW5VUwAAABwAAAAcAHMAUgBHAEIAIABiAHUAaQBsAHQALQBpAG4AAG1sdWMAAAAAAAAAAQAAAAxlblVTAAAAMgAAABwATgBvACAAYwBvAHAAeQByAGkAZwBoAHQALAAgAHUAcwBlACAAZgByAGUAZQBsAHkAAAAAWFlaIAAAAAAAAPbWAAEAAAAA0y1zZjMyAAAAAAABDEoAAAXj///zKgAAB5sAAP2H///7ov///aMAAAPYAADAlFhZWiAAAAAAAABvlAAAOO4AAAOQWFlaIAAAAAAAACSdAAAPgwAAtr5YWVogAAAAAAAAYqUAALeQAAAY3nBhcmEAAAAAAAMAAAACZmYAAPKnAAANWQAAE9AAAApbcGFyYQAAAAAAAwAAAAJmZgAA8qcAAA1ZAAAT0AAACltwYXJhAAAAAAADAAAAAmZmAADypwAADVkAABPQAAAKW2Nocm0AAAAAAAMAAAAAo9cAAFR7AABMzQAAmZoAACZmAAAPXP/bAEMABQMEBAQDBQQEBAUFBQYHDAgHBwcHDwsLCQwRDxISEQ8RERMWHBcTFBoVEREYIRgaHR0fHx8TFyIkIh4kHB4fHv/bAEMBBQUFBwYHDggIDh4UERQeHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHv/AABEIAK4ArgMBIgACEQEDEQH/xAAcAAEAAQUBAQAAAAAAAAAAAAAABwEEBQYIAgP/xABDEAABAwMBBAUHCQcDBQAAAAABAAIDBAURBgcSITFBUWFxgRMiMpGhsdEUFyNCUlNikpQVJDNDVHLBFpPCJXOCovD/xAAcAQEAAgMBAQEAAAAAAAAAAAAABQYCBAcDAQj/xAA4EQABAwMABwYEBQMFAAAAAAABAAIDBAURBhIhMUFRoSJhcZHB4ROBsdEVFjJCUhQjMyRjovDx/9oADAMBAAIRAxEAPwDstERERERERERERERERERERERERERERERERERERERERERERERERERERERERFQuwtU1Rr2w2MuhdMaurbzgp8OIP4nch7+xekUL5nasYyVr1NXBSs+JM4NHetr3gm8MZUH3rafqCsJZQtgt8XRuN33/AJjw9i1SvvV3rzmsulZP2Pmdj1clNQ6PzvGXkDqqjVacUcZxC0v6D79F0tJV0sZw+oiaepzwFWOpp5P4c8b/AO14K5ZPHnx71VpLSC0lpHUcLZ/Ln+5091H/AJ+Of8H/AC9l1TvBMhc0W/UF8t7gaO7VsWPqiUlvqOQtusm1O80zmsulNDXx9L2jycns4H1Bak1gqGbWEO6KTpNN6GU4laWdR029FNSLXdL6wsd/aI6Op3KjHGnm82TwHT4LYd5Q0kb43arxgq2wVEVQwSRODgeIVURFgvZERERERERERERERERFbXOupbbRS1lbOyGCJu897jwH/wB1KtwrKegpJauqlbFDEwve93IAKAde6sq9TXAnLoqCJ30EH/J34vcpC3299Y/A2NG8qCvt8itUOTtedw9T3LK642h194fJSWt0lFQHgSDiWUdp+qOweK0VEV3p6aOmZqRjC49XXCor5TLO7J6DwCIiL3WkiIiIiIiIqtc5jg9ji1zTkEHBB6wVJGhNpM9K9lDqF7p4CcNq+b2f3faHbz71GyLWqqOKqZqyD7hSFuulTbpfiQOxzHA+K6lgqI54mSwvZJG8Ate05DgekFfZQTs01pJYKptBXyF1rld08fIOP1h+HrHipzikEjGvY4Oa4ZBHIjrVHrqJ9JJqu3cCux2W8w3SD4jNjhvHL25L2iItJTCIiIiIiIiKjuSqsJrm8Cxaaq7iCPKtbuQjrkdwb8fBZxsdI4MbvK8p5mQROlecADJ+SjPbHqd1dcDYaSX92pnZqCD6cn2e5vv7lHa9SPfI90kji57iXOceZJ5lI2PkkbGxrnPccNa0ZJPUAuhUlMylhDG8Fwm5V8txqnTP3ncOQ4BeU6cdakTSmzCvrmsqb3K6hhPEQswZSO3ob7SpKsWlrFZgPkFthbIB/FeN+Q/+R4+pR9VfIIThnaPdu81OW7Q+tqwHydhvfv8AL74UDW/Td/uADqOz1srTyd5Itb6zgLMQbOdWyc7fFF/3Khg9xKn7A6kwOpRD9IagnstAVoh0Fomj+49xPyHooI+bLVf3FH+pHwT5stV/cUf6kfBTuiw/H6ru8l7/AJItvN3n7KCPmy1X9xR/qR8E+bLVf3FH+pHwU7on4/Vd3kn5ItvN3n7KCPmy1X9xR/qR8E+bLVf9PR/qR8FO6s7tVNorZV1jjhsEL5DnsaSvov1WTgAeSxdoXbGNLiXYHf7LmSphfTVUtPIWl8Tyx26cjIODgqVti2p3TMOna2XL4ml1I49LBzZ4cx2Z6lEz3ukcZHnLnHed3nivvbKye3XCnr6V27PBIJGHtHR48lZa2kFVBqO38PFc9tFzdbawTM/TuI5hdRhFZWSvhulrpbhTnMVRGJG9mRy8OSvVz8gtOCu5Me17Q5u4oiIviyREREVHDIUS7eLkTPb7Qx3BrXVEg7T5rf8AkpbPJc/7WKk1WvK8ZJEW5C0dzQfeSpexxCSqBPAZ9PVVTTKpMNtLR+8gevotct1HU3CtioqOF008rt1jG9J+Hapy0Homj07AypnDai5ub58xGRH+FnV38yvhsu0k2yWsV1XH/wBSqWguz/KYeIYO3pPq6Fu7eS9rtdDO4xRns/X2Wroxo2ylYKmoGZDuH8ff6I0cFVUJA5laRr3XtJp97qGjYyruGOLM+ZF/cev8PuUPDBJO8MjGSrVW10FFEZZ3YaFvGQvhLV0kTt2SphY7qdIB/lc6XnVN/u7yay6VBYT/AAo3eTYPAf5WGd5xy7ie3ip+PR15Hbfg9w/8VKn09iDsQwkjvOOgBXUsNVTTOLYaiGQgZIa8HHqX2XMWn7rU2O7QXKjO6+J2XN6Ht6WnsIXS1BUR1dHDVQnMc0bZGHsIyFG3G3OonDbkFT9gv7Lux3Z1XN4Zzs58F9yQBkkAK1/aNB/W03+634q4eM8MKI9r2jaakiN/tlOyJm8BVxNbgAk8HgdHHgfArXo4GTyiN7sZ3Leu1ZNRU5niZr43jONnPcVKn7RoP62m/wB1vxWq7VbtSxaJrmQVUL5J92EBkgJw5wzy7MqB91v2W+pA1o5ADwVjh0fbHI15fnBzu91QqvTd9RA+IRY1gRnPP5KqIisKoimfYZcjU6fqLc92XUc2Wf2P4+8OUiKFNhdUYtU1NNnzZ6Unxa4Ee8qa1RLxF8Ordjjt8/ddp0VqTUWyMne3I8t3TCIiKMViREREVHeiVEen7EL1tYvFXUR79LQVbpHA8nPz5g9mfBS44ZGFjLHaY7bLcJWkGStq31DyO3AA8AFt01SYGv1d5GFFXG3itkh1v0sdrH5A46rJtGOaqio44C1FKrVdpepf9O2MugINdUEx04PHdOOL/Ae3CgGWR8sjpZXue95LnOcckk8yVtu1u6OuWsqiIOJhowIGDqI4uPrPsWoK8WejbBThx/U7afQLjOlN0dW1zmA9hmwep+Z6YRERSyrSBdFbOHuk0TaHP5/JWj1cFzqTgE9QXS2kKb5Jpi2UxGDHSRg9+6Mqu6REfCYO9XzQNp/qZXcMD6+yyqs7zRx3C2VNDMMxzxOjOe0YV4vLlVASDkLpr2h7S124rliWN0Ur4n+kxxae8HBXlXd5LXXitcz0TUyEfnKtF0thLmglfnqZobI5o4FERFkvNbfsecW68pcdMMo/9VPYUFbFoTJrdjxyippXHxwP8qdQMKmX8/6r5Bdb0JBFtOf5H0VURFCK4IiIiIiIiIvEzgxjnk4AGSe5e1Z3jP7LqyOfkH4/KV9AycLCR2q0lczV9Q6rrqiqecumlfIT3klfFUb6De4Kq6Y0AAAL88vcXOLjxRERfVir2w0Trle6KgYMmedjD3E8fZldORtDQGtAAAwO5Q1sPsrqq9zXiVn0NI0sjJ6ZHDo7m+9TOBhU6/1AknEY/b6/9C6voRRGGjdM7956DZ9cosdqWvbbLFXV7jgQQOeO/HD24WQJwo325XgQWins0Tx5Sqf5SUA8o28vW7HqKi6OAzztjHE9FY7tWCio5JjwGzxOwdVDpJJJcck8Se1ERdFXBScoiIiKUtgdCTUXO5OHANZA09vpH/CllaxsztDrNpKkgkbuzzAzyjqc7jjwGAtnXP7lOJ6l7xu+2xdysFGaO3xxu34yfE7UREWiplERERERERF4laHtc13EEYI7F7TCIRlcyaitk1nvdXbpmkGGUhp+03m0+Iwseugtc6NoNTRNke801bGMRztGeH2XDpHuUaVWy/U8UpbCKKoZ0PbNu58CFdaK8QSRgSOw4c1x+7aLVtPO4wML2Hdjb8iFpCvLLbKy8XKG30MXlJ5TgdTR0uPUAt0tWyq+TyD5fVUlHH07rjI7wAwPapO0ppm16cpvI0MWZH/xZ38Xyd56B2Dgsay9wxMxEdZ3RZ2nRGrqZAaluozjnefAfdXGlbNTWGzU9tpuIjGXvxxe8+k495WVQADkFRypz3ue4ucckrrMUTIWCNgwBsC+NbUQ0tPJUVEjY4Y2F73O5ADmVzlq+8yX/UFTcngtY87sLT9WMeiO/p7ytx2t6wbXPdYbbLvU8bv3qVp4SOH1B2A8+3uUbq22OgMTfjP3nd4Ll2mF7bVSCkhOWt3nmfb6oiIp9UlFtOzLTzr9qOMyx5oqUiWcnkcei3xPsBWv2qgqrncIaCiiMs8zt1rR7z1AdJXQ2jNP02nLNFQQ4fJ6c8uOMjzzPd0DsUPeK8U0Wo09p3Qc1adFrK6vqRK8f22bT3ngPv7rNNGF6RFSV2JEREREREREREREREREREREWHuGp9P0O8Kq80Mbm8C3yoJHgOK1K+7VLPTtcy1081fL0OcPJx+s8T6lsxUc8xwxhKjqq70VICZpQPnk+Q2qQKmaKCB800jI42DLnvdgNHWSok2g7RDVsktdgkc2F3my1Y4F46QzqHb6lp+ptU3nUMn7/U4gBy2ni82MeHSe05WEVkoLG2Ih8+08uHuue3zTB9U0w0mWt4nifDl9fBEReo2PkkEcbHPe44DWjJPcArCSAqQAScBeVeWe2V13r2UVvp3TzP6ByA6yegdq23S2zW83QsnuINtpTx88ZlcOxvR4+pS3p2wWyw0fya20wiB9N54veetx6VC116igBbF2ndFbbNolU1jhJUDUZ1PgOHiVi9A6QpNNUe87E1fKPpp8cB+FvU33ra0RU+WV8zy95ySuq0tLFSRCGEYaEREXmthERERERERERERERERERERYa8aYsV3ya+100rz/ADA3df8AmGCtUr9k9kmJNJW1tL2FwkHtGfapERbMNZPD+h5Cjqq0UNUczRAnnjb5jaonm2QSZ+hvrSPx03wcvUGyA/z77+Sm+LlKyLa/GKz+fQfZR35UtOc/C6n7qP7fspsEDg6qnrawjmHSBjT4NGfatstFhtNoZu223U1N1uYzzj3u5rKItSarnm/yPJUlS2qipDmGIA88bfPeqNGBhVRFrqQREREREREREREREREREREREREREREREREREREREREREREREREREREREREX/9k=

sigma/1.0.0/requirements.txt

@@ -0,0 +1,2 @@
+requests==2.25.1
+sigmatools==0.20

sigma/1.0.0/src/app.py

@@ -0,0 +1,96 @@
+import os
+import socket
+import asyncio
+import time
+import random
+import json
+import subprocess
+
+from walkoff_app_sdk.app_base import AppBase
+
+# Make file sample with namespace yara:
+## curl http://localhost:5001/api/v1/files/create -H "Authorization: Bearer 09627dcb-7e2a-4843-819b-417d268ff840" -d '{"filename": "HelloWorld.yml", "org_id": "11f67b76-6051-4425-b0d6-be23daac6d12", "workflow_id": "global", "namespace": "sigma"}'
+
+# 1. Generate the api.yaml based on downloaded files
+# 2. Add a way to choose the rule and the target platform for it
+# 3. Add the possibility of translating rules back and forth
+
+# 4. Make it so you can start with Mitre Att&ck techniques 
+# and automatically get the right rules set up with your tools :O
+class Sigma(AppBase):
+    __version__ = "1.0.0"
+    app_name = "sigma"  # this needs to match "name" in api.yaml
+
+    def __init__(self, redis, logger, console_logger=None):
+        """
+        Each app should have this __init__ to set up Redis and logging.
+        :param redis:
+        :param logger:
+        :param console_logger:
+        """
+        super().__init__(redis, logger, console_logger)
+
+    def get_searches(self, engine, backend, shuffle_namespace):
+        files = self.get_file_namespace(shuffle_namespace)
+        self.logger.info(f"Files: {files}")
+
+        # This part should be in the SDK
+        basedir = "rules"
+        os.mkdir(basedir)
+        for member in files.namelist():
+            filename = os.path.basename(member)
+            if not filename:
+                continue
+
+            self.logger.info("File: %s" % member)
+            source = files.open(member)
+            with open("%s/%s" % (basedir, source.name), "wb+") as tmp:
+                filedata = source.read()
+                self.logger.info("Filedata (%s): %s" % (source.name, filedata))
+                tmp.write(filedata)
+
+        self.logger.info(f"Dir: {os.listdir(basedir)}")
+
+        rule = shuffle_namespace
+        #filename = "file.yaml" 
+        #with open(filename, "w+") as tmp:
+        #    tmp.write(rule)
+    
+        code = "sigmac --target=%s" % engine
+        #if len(backend) > 0:
+        if backend:
+            if "list" in backend:
+                code += "--list"
+            else:
+                code += " -c %s" % backend
+    
+        code += " rules/*" 
+        self.logger.info("Code: ", code)
+        print(code)
+        print()
+        process = subprocess.Popen(
+            code,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            text=True,
+            shell=True,  # nosec
+        )
+        stdout = process.communicate()
+        item = ""
+        if len(stdout[0]) > 0:
+            print("Succesfully ran bash!")
+            item = stdout[0]
+        else:
+            print("FAILED to run bash: ", stdout[1])
+            item = stdout[1]
+    
+        try:
+            ret = item.decode("utf-8")
+            return ret
+        except Exception:
+            return item
+    
+        return item
+
+if __name__ == "__main__":
+    asyncio.run(Sigma.run(), debug=True)

sigma/1.0.0/src/file.yaml

@@ -0,0 +1,23 @@
+title: Google Cloud Storage Buckets Enumeration
+id: e2feb918-4e77-4608-9697-990a1aaf74c3
+description: Detects when storage bucket is enumerated in Google Cloud.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/08/14
+references:
+    - https://cloud.google.com/storage/docs/json_api/v1/buckets
+logsource:
+  product: gcp
+  service: gcp.audit
+detection:
+    selection:
+        gcp.audit.method_name: 
+            - storage.buckets.list
+            - storage.buckets.listChannels
+    condition: selection
+level: low
+tags:
+    - attack.discovery
+falsepositives:
+ - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.