feat: Sigma detection processing via Zircolite#544
kevoreilly merged 2 commits into CAPESandbox:master
Add sigma processing module that scans EVTX and Sysmon logs against Sigma rulesets using Zircolite. Includes JSON-based filter system for suppressing sandbox false positives, per-package rule suppression, configurable rulesets, and security hardening (zip slip protection, zip bomb limits, symlink rejection, output caps).

New files:
- modules/processing/sigma.py - main processing module
- modules/signatures/all/sigma_events.py - behavioral signature
- data/sigma/filters.json - default sandbox FP filters
- systemd/cape-sigma-update.service/.timer - daily rule updates
- docs/sigma-integration.md - install and configuration guide
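The zip slip protection, zip bomb limits and symlink rejection listed in the description, as an added example in Python. This is not the PR's sigma.py; the byte caps, the compression-ratio limit, the function names and the four constructed archives are all assumptions made for the demo.

```python
"""Hardened extraction of an EVTX zip: zip-slip, symlink and zip-bomb checks.

Added example, not CAPE's own sigma.py. Limits and names are assumptions.
"""
import io
import os
import stat
import tempfile
import zipfile

# Assumed limits; the PR's actual caps are not shown on the page.
MAX_MEMBER_BYTES = 256 * 1024 * 1024
MAX_TOTAL_BYTES = 1024 * 1024 * 1024
MAX_RATIO = 100  # uncompressed / compressed


class UnsafeArchive(Exception):
    """Raised when a member would escape dest, is a symlink, or is too large."""


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract every regular file of the archive under dest_dir, or raise."""
    dest = os.path.realpath(dest_dir)
    os.makedirs(dest, exist_ok=True)
    extracted, total = [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Symlink rejection: the unix mode lives in the high 16 bits of external_attr.
            if stat.S_ISLNK((info.external_attr >> 16) & 0xFFFF):
                raise UnsafeArchive(f"symlink: {info.filename}")
            # Zip slip: resolve the joined path and insist it stays under dest.
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise UnsafeArchive(f"path escapes dest: {info.filename}")
            # Zip bomb: declared member size, compression ratio, running total.
            if info.file_size > MAX_MEMBER_BYTES:
                raise UnsafeArchive(f"member too large: {info.filename}")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise UnsafeArchive(f"compression ratio too high: {info.filename}")
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise UnsafeArchive("archive total exceeds cap")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            written = 0
            with zf.open(info) as src, open(target, "wb") as dst:
                while True:
                    chunk = src.read(1 << 20)
                    if not chunk:
                        break
                    written += len(chunk)
                    # zipfile already stops at the declared size; this keeps the
                    # cap enforced even if the decoder is swapped out later.
                    if written > MAX_MEMBER_BYTES:
                        raise UnsafeArchive("member grew past cap while extracting")
                    dst.write(chunk)
            extracted.append(os.path.relpath(target, dest))
    return extracted


def build_sample_archives() -> dict:
    """Constructed archives: one clean, one traversal, one symlink, one bomb."""
    def make(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data, is_link in members:
                zi = zipfile.ZipInfo(name)
                zi.compress_type = zipfile.ZIP_DEFLATED
                if is_link:
                    zi.external_attr = (stat.S_IFLNK | 0o777) << 16
                zf.writestr(zi, data)
        return buf.getvalue()

    return {
        "clean": make([("logs/Security.evtx", b"ElfFile\x00" + bytes(range(256)), False)]),
        "slip": make([("../../outside.evtx", b"x", False)]),
        "symlink": make([("Security.evtx", b"/etc/shadow", True)]),
        "bomb": make([("big.evtx", b"\x00" * 1_000_000, False)]),
    }


def run_demo() -> dict:
    """Extract each sample into a fresh temp dir; map name -> files or rejection reason."""
    results = {}
    for name, data in build_sample_archives().items():
        with tempfile.TemporaryDirectory() as tmp:
            try:
                results[name] = safe_extract(data, tmp)
            except UnsafeArchive as exc:
                results[name] = "rejected: " + str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:8} {outcome}")
```

The ratio check is what stops the classic "1 MB of zeros declared, 1 GB inflated" member before any bytes are written; the per-member and total caps bound the worst case when the ratio is honest but the archive is simply huge.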
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly expands CAPEv2's detection capabilities by integrating Sigma rules via Zircolite. It introduces new modules for processing and managing Sigma detections, along with a flexible filter system to reduce false positives. The inclusion of automatic rule updates and detailed documentation ensures ease of use and maintainability.
Enhanced evtx.py auxiliary module:
- Collect 20+ additional Windows event log channels (PowerShell, Defender, BITS, Firewall, NTLM, AppLocker, WMI, Task Scheduler, etc.)
- Enable command line logging (ProcessCreationIncludeCmdLine_Enabled)
- Configure log sizes (100MB per channel)
- Use audit policy GUIDs instead of English names (non-English support)
- Quote channel names in wevtutil calls

New event logs web UI:
- Three-tab layout: Sigma Detections, Sysmon Events, EVTX Events
- Sigma tab shows rule title, severity, ID, description, matched events
- Sigma query shown on expand (not cluttering collapsed view)
- Severity badge coloring (critical/high/medium/low/informational)
- MITRE ATT&CK technique display per detection

Systemd units for daily Sigma rule updates via Zircolite.

Companion to CAPESandbox/community#544 which adds the sigma processing module and behavioral signature.
Code Review
This pull request introduces a comprehensive Sigma detection processing capability via Zircolite, enhancing CAPEv2's ability to analyze EVTX and Sysmon logs for threats. The implementation includes robust features such as configurable rulesets, per-package rule suppression, and an advanced JSON-based filter system with regex matching and boolean logic. Security hardening measures like zip slip protection and zip bomb limits are commendable additions. The documentation is clear and thorough, guiding users through installation, configuration, and troubleshooting. Overall, this is a well-designed and significant feature addition.
systemd/cape-sigma-update.service (outdated)
| Group=cape | ||
| WorkingDirectory=/opt/zircolite | ||
| ExecStart=/etc/poetry/bin/poetry --directory /opt/CAPEv2/ run python zircolite.py --update-rules | ||
| ExecStartPost=/bin/bash -c 'for f in /opt/zircolite/rules/*.json; do dest="/opt/CAPEv2/data/sigma/$(basename "$f")"; [ -f "$dest" ] && cp "$f" "$dest"; done' |
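Review bot: the ExecStartPost line can mark the unit failed even though every copy succeeded. `bash -c` returns the exit status of the last command in the loop, so when the last `*.json` in /opt/zircolite/rules has no counterpart in /opt/CAPEv2/data/sigma, `[ -f "$dest" ]` evaluates false, the loop body returns 1 and systemd records a failed start; the same happens when the glob matches nothing, because `$f` then stays the literal pattern. Putting the guard in an `if` gives a clean status when the condition is false while still surfacing a real copy error: `for f in /opt/zircolite/rules/*.json; do dest="/opt/CAPEv2/data/sigma/$(basename "$f")"; if [ -f "$dest" ]; then cp "$f" "$dest" || exit 1; fi; done`, and `shopt -s nullglob` before the loop handles the empty-directory case.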
The ExecStartPost command for copying Sigma rules only copies a file if the destination file already exists ([ -f "$dest" ]). This logic might prevent newly added Sigma rule JSON files (that didn't exist in data/sigma previously) from being copied from the Zircolite rules directory to the CAPEv2 data directory. It's generally safer to copy all updated rules, regardless of whether a corresponding file already exists at the destination, to ensure all new rules are deployed.
ExecStartPost=/bin/bash -c 'for f in /opt/zircolite/rules/*.json; do dest="/opt/CAPEv2/data/sigma/$(basename "$f")"; cp "$f" "$dest"; done'
Fixed in eec91df — removed the [ -f "$dest" ] guard so newly generated rulesets are also copied to data/sigma/.
Remove the [ -f "$dest" ] guard so newly generated rulesets from Zircolite are also deployed to data/sigma/.
Summary
- modules/processing/sigma.py - processing module that scans EVTX and Sysmon logs against Sigma rulesets using Zircolite
- modules/signatures/all/sigma_events.py - behavioral signature that promotes sigma detections into the signatures view with MITRE ATT&CK TTP mapping
- data/sigma/filters.json - JSON-based filter system for suppressing sandbox-caused false positives (per-package, per-event/detection scope, regex field matching with boolean logic)
- systemd/cape-sigma-update.service and .timer - daily automatic Sigma rule updates via Zircolite
- docs/sigma-integration.md - installation, configuration, and troubleshooting guide

Features
- processing.conf [sigma_suppress_rules] config section
- match_logic expressions, event vs detection scope, suppress and set_score actions

Requirements
/opt/zircolite/)
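The filter system described in the PR body and in the Summary above (per-package suppression from a `[sigma_suppress_rules]` section, event versus detection scope, regex field conditions combined by `match_logic`, and `suppress` / `set_score` actions), as an added example in Python. It is not CAPE's sigma.py or its shipped data/sigma/filters.json: the filter schema, the Zircolite-style detection shape (title, id, rule_level, tags, matches) and every sample record below are assumptions constructed for the demo.

```python
"""Evaluate sandbox false-positive filters over Zircolite-style detections.

Added example, not CAPE's sigma.py or filters.json. The filter schema, the
detection shape and all sample data are assumptions made for this demo.
"""
import json
import re

# Constructed filters in an assumed schema. scope "event" drops individual
# matched events; scope "detection" acts on the whole detection once any
# event matches. match_logic combines the per-field regex conditions.
FILTERS_JSON = r'''
{
  "filters": [
    {
      "name": "cape-agent-python",
      "rule_ids": ["aaaa-1111"],
      "scope": "event",
      "match_logic": "all",
      "conditions": [
        {"field": "Image", "regex": "\\\\python\\.exe$"},
        {"field": "CommandLine", "regex": "agent\\.py"}
      ],
      "action": "suppress"
    },
    {
      "name": "whoami-from-harness",
      "title_regex": "^Whoami",
      "packages": ["exe", "dll"],
      "scope": "detection",
      "match_logic": "any",
      "conditions": [{"field": "ParentImage", "regex": "\\\\python\\.exe$"}],
      "action": "set_score",
      "score": "low"
    }
  ]
}
'''
FILTERS = json.loads(FILTERS_JSON)["filters"]

# Constructed detections in an assumed Zircolite-like shape.
SAMPLE_DETECTIONS = [
    {"title": "Process Execution From Temp Directory", "id": "aaaa-1111", "rule_level": "medium",
     "tags": ["attack.execution", "attack.t1059"],
     "matches": [
         {"Image": r"C:\Python311\python.exe",
          "CommandLine": r"C:\Python311\python.exe C:\Users\user\AppData\Local\Temp\agent.py"},
         {"Image": r"C:\Users\user\AppData\Local\Temp\payload.exe",
          "CommandLine": r"C:\Users\user\AppData\Local\Temp\payload.exe"},
     ]},
    {"title": "Whoami Execution", "id": "bbbb-2222", "rule_level": "high",
     "tags": ["attack.discovery", "attack.t1033"],
     "matches": [{"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Python311\python.exe"}]},
    {"title": "Sysmon Configuration Change", "id": "cccc-3333", "rule_level": "high", "tags": [],
     "matches": [{"Image": r"C:\Windows\Sysmon64.exe", "CommandLine": "Sysmon64.exe -c config.xml"}]},
    {"title": "Office Application Spawning Shell", "id": "dddd-4444", "rule_level": "high", "tags": [],
     "matches": [{"Image": r"C:\Windows\System32\cmd.exe",
                  "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"}]},
]

# Constructed stand-in for a processing.conf [sigma_suppress_rules] section:
# package name -> rule ids, with "*" applying to every package.
SUPPRESS_RULES = {"*": ["cccc-3333"], "doc": ["dddd-4444"]}


def _event_matches(flt: dict, event: dict) -> bool:
    """Apply each regex condition to its field and combine per match_logic."""
    hits = [re.search(c["regex"], str(event.get(c["field"], ""))) is not None
            for c in flt["conditions"]]
    logic = flt.get("match_logic", "all")
    if logic == "all":
        return all(hits)
    if logic == "any":
        return any(hits)
    if logic == "none":
        return not any(hits)
    raise ValueError(f"unknown match_logic {logic!r}")


def _rule_selected(flt: dict, det: dict) -> bool:
    """A filter targets rules by id list and/or by a regex over the title."""
    if "rule_ids" in flt and det["id"] not in flt["rule_ids"]:
        return False
    if "title_regex" in flt and not re.search(flt["title_regex"], det["title"]):
        return False
    return True


def apply_filters(detections: list, filters: list, package: str, suppress_rules: dict) -> list:
    """Return the detections that survive per-package suppression and the filters."""
    suppressed_ids = set(suppress_rules.get("*", [])) | set(suppress_rules.get(package, []))
    kept = []
    for det in detections:
        if det["id"] in suppressed_ids:
            continue
        matches, level, drop = list(det["matches"]), det["rule_level"], False
        for flt in filters:
            if flt.get("packages") and package not in flt["packages"]:
                continue
            if not _rule_selected(flt, det):
                continue
            if flt["scope"] == "event":
                # Event scope: remove only the sandbox-caused events, keep the rest.
                matches = [m for m in matches if not _event_matches(flt, m)]
            elif any(_event_matches(flt, m) for m in matches):
                # Detection scope: suppress the whole hit or rewrite its severity.
                if flt["action"] == "suppress":
                    drop = True
                    break
                level = flt["score"]
        if drop or not matches:
            continue
        kept.append({**det, "matches": matches, "rule_level": level})
    return kept


if __name__ == "__main__":
    for pkg in ("exe", "doc"):
        for d in apply_filters(SAMPLE_DETECTIONS, FILTERS, pkg, SUPPRESS_RULES):
            print(pkg, d["id"], d["rule_level"], len(d["matches"]))
```

Running it with package `exe` keeps three detections: the temp-directory rule loses its agent.py event but survives on the payload event, the whoami rule is downgraded to low because its parent is the harness interpreter, and the Sysmon rule is gone for every package. With package `doc` the Office rule is additionally suppressed and the whoami filter no longer applies, so that detection keeps its original severity.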