#192 for confluence

This commit is contained in:
sn0w0tter 2020-05-27 23:39:03 +02:00
parent 71551b9de0
commit 9e89eea0b0


@ -227,10 +227,30 @@ class DetectionRule:
det_queries = {} det_queries = {}
for output in queries: for output in queries:
cmd = ATCconfig.get('sigmac_path') + \ if output == "powershell":
' --shoot-yourself-in-the-foot -t "' + \ cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
output + '" --ignore-backend-errors "' + self.yaml_file + \ " --config " + ATCconfig.get('powershell_sigma_config') + \
'" 2> /dev/null' " --ignore-backend-errors " + self.yaml_file
elif output == "es-qs":
cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
" --config " + ATCconfig.get('es-qs_sigma_config') + \
" --ignore-backend-errors " + self.yaml_file
elif output == "xpack-watcher":
cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
" --config " + ATCconfig.get('xpack-watcher_sigma_config') + \
" --ignore-backend-errors " + self.yaml_file
elif output == "splunk":
cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
" --config " + ATCconfig.get('splunk_sigma_config') + \
" --ignore-backend-errors " + self.yaml_file
elif output == "logpoint":
cmd = ATCconfig.get('sigmac_path') + " -t " + output + \
" --config " + ATCconfig.get('logpoint_sigma_config') + \
" --ignore-backend-errors " + self.yaml_file
else:
cmd = ATCconfig.get('sigmac_path') + ' --shoot-yourself-in-the-foot -t "' + \
output + '" --ignore-backend-errors "' + self.yaml_file + '"'
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
(query, err) = p.communicate() (query, err) = p.communicate()
# Wait for date to terminate. Get return returncode ## # Wait for date to terminate. Get return returncode ##