@@ -21,32 +21,32 @@ test-sigmac:
2121 ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvd -t es-qs rules/ > /dev/null
2222 ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
2323 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
24- coverage run -a --include=$(COVSCOPE ) tools/sigmac -O rulecomment -rvdI -c tools/config/elk- winlogbeat.yml -t es-qs rules/ > /dev/null
25- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t kibana -c tools/config/elk- winlogbeat.yml rules/ > /dev/null
24+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -O rulecomment -rvdI -c tools/config/winlogbeat.yml -t es-qs rules/ > /dev/null
25+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t kibana -c tools/config/winlogbeat.yml rules/ > /dev/null
2626 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t graylog rules/ > /dev/null
27- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t xpack-watcher -O email,index,webhook -c tools/config/elk- winlogbeat.yml rules/ > /dev/null
28- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t elastalert -c tools/config/elk- winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
29- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/elk- winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
27+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t xpack-watcher -O email,index,webhook -c tools/config/winlogbeat.yml rules/ > /dev/null
28+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
29+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
3030 ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk rules/ > /dev/null
31- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all- index.yml rules/ > /dev/null
32- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows-all-index .yml rules/ > /dev/null
33- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows-all .yml rules/ > /dev/null
31+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
32+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
33+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
3434 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
3535 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t ala rules/ > /dev/null
3636 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
37- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t es-dsl -c tools/config/elk- winlogbeat.yml rules/ > /dev/null
38- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all .yml -Ocsv rules/ > /dev/null
37+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
38+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
3939 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
4040 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
4141 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
4242 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
4343 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
44- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all- index.yml -f ' level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' > /dev/null
45- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all- index.yml -f ' level>=high,level<=critical,status=xstable,logsource=windows' > /dev/null
46- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all- index.yml -f ' level>=high,level<=xcritical,status=stable,logsource=windows' > /dev/null
47- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all- index.yml -f ' level=critical' > /dev/null
48- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all- index.yml -f ' level=xcritical' > /dev/null
49- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all- index.yml -f ' foo=bar' > /dev/null
44+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f ' level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' > /dev/null
45+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f ' level>=high,level<=critical,status=xstable,logsource=windows' > /dev/null
46+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f ' level>=high,level<=xcritical,status=stable,logsource=windows' > /dev/null
47+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f ' level=critical' > /dev/null
48+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f ' level=xcritical' > /dev/null
49+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f ' foo=bar' > /dev/null
5050 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
5151 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c sysmon -c elk-windows -t es-qs rules/ > /dev/null
5252 ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c sysmon -c elk-windows -t splunk rules/ > /dev/null
@@ -58,29 +58,29 @@ test-sigmac:
5858 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
5959 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
6060 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
61- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/elk -defaultindex.yml -t xpack-watcher rules/ > /dev/null
62- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml - t splunk rules/ > /dev/null
63- coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all .yml -t splunk rules/ > /dev/null
61+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/filebeat -defaultindex.yml -t xpack-watcher rules/ > /dev/null
62+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/splunk-windows-t splunk rules/ > /dev/null
63+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
6464 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t grep rules/ > /dev/null
6565 coverage run -a --include=$(COVSCOPE ) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
66- coverage run -a --include=$(COVSCOPE ) tools/sigmac -t xpack-watcher -c tools/config/elk- winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
66+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
6767 coverage run -a --include=$(COVSCOPE ) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
68- coverage run -a --include=$(COVSCOPE ) tools/sigmac -t xpack-watcher -c tools/config/elk- winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
69- coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml -o $(TMPOUT ) - < tests/collection_repeat.yml > /dev/null
70- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t xpack-watcher -c tools/config/elk- winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
71- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml tests/not_existing.yml > /dev/null
72- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml tests/invalid_yaml.yml > /dev/null
73- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
74- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
75- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
76- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
77- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
78- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
79- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/elk- winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
68+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
69+ coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT ) - < tests/collection_repeat.yml > /dev/null
70+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
71+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
72+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
73+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
74+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
75+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
76+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
77+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
78+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
79+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
8080 ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
8181 ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
8282 ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
83- ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rv -c tools/config/elk -defaultindex.yml -t kibana rules/ > /dev/null
83+ ! coverage run -a --include=$(COVSCOPE ) tools/sigmac -rv -c tools/config/filebeat -defaultindex.yml -t kibana rules/ > /dev/null
8484
8585test-merge :
8686 tests/test-merge.sh
0 commit comments