Replies: 2 comments 1 reply
-
Even though there's only one way the repo itself can be organized, I think it's good to have flexibility when there is no cost to it. If you can create a PR with the script we can review it. It probably makes sense to create a "misc" or "tools" folder for that purpose. (Tools should not contain tooling around Sigma, but in this case it is very specific to the rules repo.) Even though I personally wouldn't make use of it because I am used to the structure of the repo, I can imagine it being helpful to others.
-
This discussion led to the creation of #4625 - Closing this as complete and finishing the review over there.
-
Hi there!
Now the Generic Detection Rules are organized by so-called macro categories, and then all the sub-categories... I think it could be useful to have the rules organized also by tactics and techniques according to the MITRE ATT&CK framework.
I think it is useful for both SIEM development and Incident Response activities... I mean, for example, Chainsaw, which gives the possibility to use this Sigma repo to detect anomalies.
I wrote a simple Python script that organises the rules into folders by tactics and techniques.
So for example we will have a tree like this: the MITRE folder, then tactics and techniques subfolders.
What do you think?
If it is of interest, we can integrate the script into the repo and users will be able to organise the rules by the MITRE framework.
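A sketch of such a script, added here as an illustration; it is not the poster's script and not code from the Sigma repo. It reads each rule's `tags:` list, maps `attack.<tactic>` and `attack.t<id>[.<sub>]` tags to a `MITRE/<tactic>/<technique>/` tree (a rule tagged with two tactics is copied under both) and copies the rule there. The sample rules and the `unmapped-*` folder names are constructed for the example; the tag parser is line-based so the block runs without PyYAML (with it, `yaml.safe_load(text).get("tags", [])` gives the same list).

```python
import re, shutil, tempfile
from pathlib import Path

# Sigma tags: "attack.defense-evasion" = tactic, "attack.t1055[.001]" = (sub-)technique.
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4})(?:\.(\d{3}))?$", re.IGNORECASE)
TACTIC_RE = re.compile(r"^attack\.([a-z]+(?:-[a-z]+)*)$")
SAMPLE_RULES = {  # constructed sample rules, not repo rules; only the tags matter
    "proc_inject.yml": "title: Demo Injection\ntags:\n    - attack.defense-evasion\n"
                       "    - attack.privilege-escalation\n    - attack.t1055.001\nlevel: high\n",
    "no_attack_tags.yml": "title: Demo Untagged\ntags:\n    - cve.2024-0000\nlevel: low\n",
}

def extract_tags(rule_text: str) -> list[str]:
    """Return the items of a rule's top-level `tags:` list (line-based, no PyYAML needed)."""
    tags, in_tags = [], False
    for line in rule_text.splitlines():
        if line.rstrip() == "tags:":
            in_tags = True
        elif in_tags and re.match(r"^\s+-\s*\S", line):
            tags.append(line.split("-", 1)[1].strip())
        elif in_tags and line.strip() and not line[0].isspace():
            break  # the next top-level key ends the list
    return tags

def attack_paths(tags: list[str]) -> list[Path]:
    """Map a rule's tags to every MITRE/<tactic>/<technique> folder it belongs in."""
    tactics = [m.group(1) for m in map(TACTIC_RE.match, tags) if m] or ["unmapped-tactic"]
    techniques = []
    for m in filter(None, map(TECHNIQUE_RE.match, tags)):
        tech, sub = m.group(1).lower(), m.group(2)
        techniques.append(Path(tech, f"{tech}.{sub}") if sub else Path(tech))
    techniques = techniques or [Path("unmapped-technique")]
    return [Path("MITRE", tac, tech) for tac in tactics for tech in techniques]

def organize(rules_dir: Path, out_dir: Path) -> list[str]:
    """Copy each .yml rule into its ATT&CK folders; return the relative paths written."""
    written = []
    for rule in sorted(rules_dir.rglob("*.yml")):
        for rel in attack_paths(extract_tags(rule.read_text(encoding="utf-8"))):
            (out_dir / rel).mkdir(parents=True, exist_ok=True)
            shutil.copy2(rule, out_dir / rel / rule.name)
            written.append((rel / rule.name).as_posix())
    return written

def demo() -> list[str]:  # write the constructed rules to a temp dir and organize them
    work = Path(tempfile.mkdtemp())
    (work / "rules").mkdir()
    for name, text in SAMPLE_RULES.items():
        (work / "rules" / name).write_text(text, encoding="utf-8")
    return organize(work / "rules", work / "by_attack")
```

Run `demo()` to see the resulting tree; for the real repo, point `organize()` at its `rules/` directory and an empty output directory.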