add sorting by rulename

Author: Infinit3i

data/sysmon_events.py

@@ -1,25 +1,25 @@
 SYS_MON_EVENTS: dict[int, str] = {
     1: "Process Create",
-    2: "File Creation Time Changed",
-    3: "Network Connection",
-    4: "Sysmon Service State Changed",
-    5: "Process Terminated",
-    6: "Driver Loaded",
-    7: "Image Loaded",
+    2: "File Create Time",
+    3: "Network Connect",
+    4: "Sysmon State Change",
+    5: "Process Terminate",
+    6: "Driver Load",
+    7: "Image Load",
     8: "CreateRemoteThread",
     9: "RawAccessRead",
     10: "Process Access",
     11: "File Create",
-    12: "Registry Object Added or Deleted",
-    13: "Registry Value Set",
-    14: "Registry Key or Value Renamed",
+    12: "Registry Event",
+    13: "Registry Event",
+    14: "Registry Event",
     15: "File Create Stream Hash",
     16: "Sysmon Config State Changed",
-    17: "Pipe Created",
-    18: "Pipe Connected",
-    19: "WMI Event Filter",
-    20: "WMI Event Consumer",
-    21: "WMI Event Consumer To Filter",
+    17: "Pipe Event",
+    18: "Pipe Event",
+    19: "Wmi Event",
+    20: "Wmi Event",
+    21: "Wmi Event",
     22: "DNS Query",
     23: "File Delete",
     24: "Clipboard Change",
@@ -31,17 +31,20 @@
     30: "File Blocked",
 }
 
+def _normalize(tag: str) -> str:
+    return tag.replace(" ", "").lower()
+
 
 def get_event_xml_tag(event_id: int) -> str:
     name = SYS_MON_EVENTS.get(event_id, f"Event{event_id}")
     return name.replace(" ", "")
 
 
 def get_event_id_from_xml_tag(xml_tag: str) -> int | None:
-    normalized = xml_tag.replace(" ", "").lower()
+    normalized = _normalize(xml_tag)
 
     for event_id in SYS_MON_EVENTS:
-        if get_event_xml_tag(event_id).lower() == normalized:
+        if _normalize(get_event_xml_tag(event_id)) == normalized:
             return event_id
 
-    return None
+    return None

exporters/xml_exporter.py

@@ -46,15 +46,46 @@ def export_config(config: SysmonConfig, output_path: str) -> None:
                 attrib={"onmatch": rule_type},
             )
 
+            emitted_groups: set[str] = set()
+            grouped_rule_members: dict[str, list] = {}
+
+            for rule in rules:
+                if rule.group_id:
+                    grouped_rule_members.setdefault(rule.group_id, []).append(rule)
+
             for rule in rules:
-                field_element = ET.SubElement(
-                    event_element,
-                    rule.field_name,
-                    attrib={"condition": rule.condition},
-                )
-                field_element.text = rule.value
+                if not rule.group_id:
+                    field_element = ET.SubElement(
+                        event_element,
+                        rule.field_name,
+                        attrib={"condition": rule.condition},
+                    )
+                    field_element.text = rule.value
+                    continue
+
+                if rule.group_id in emitted_groups:
+                    continue
+
+                group_rules = grouped_rule_members.get(rule.group_id, [rule])
+                group_attrs: dict[str, str] = {}
+                if rule.group_name:
+                    group_attrs["name"] = rule.group_name
+                if rule.group_relation:
+                    group_attrs["groupRelation"] = rule.group_relation
+
+                rule_group_element = ET.SubElement(event_element, "Rule", attrib=group_attrs)
+
+                for grouped_rule in group_rules:
+                    field_element = ET.SubElement(
+                        rule_group_element,
+                        grouped_rule.field_name,
+                        attrib={"condition": grouped_rule.condition},
+                    )
+                    field_element.text = grouped_rule.value
+
+                emitted_groups.add(rule.group_id)
 
     xml_output: str = prettify_xml(root)
 
     output_file = Path(output_path)
-    output_file.write_text(xml_output, encoding="utf-8")
+    output_file.write_text(xml_output, encoding="utf-8")

gui/rule_editor.py

@@ -6,11 +6,12 @@
     QComboBox,
     QLineEdit,
     QPushButton,
-    QListWidget,
-    QListWidgetItem,
+    QTreeWidget,
+    QTreeWidgetItem,
 )
 from models.sysmon_config import RuleFilter, SysmonConfig
 from PySide6.QtGui import QColor
+from PySide6.QtCore import Qt
 
 
 class RuleEditor(QWidget):
@@ -20,7 +21,6 @@ def __init__(self, config: SysmonConfig) -> None:
         self.config = config
         self.current_event_id: int | None = None
         self.current_event_name: str = ""
-        self.displayed_rules: list[tuple[int, int]] = []
 
         self.layout = QVBoxLayout()
         self.setLayout(self.layout)
@@ -44,7 +44,8 @@ def __init__(self, config: SysmonConfig) -> None:
         self.add_button = QPushButton("Add Rule")
         self.remove_button = QPushButton("Remove Selected Rule")
 
-        self.rule_list = QListWidget()
+        self.rule_tree = QTreeWidget()
+        self.rule_tree.setHeaderHidden(True)
 
         self.rule_row_1 = QHBoxLayout()
         self.rule_row_1.addWidget(self.rule_type)
@@ -60,7 +61,7 @@ def __init__(self, config: SysmonConfig) -> None:
         self.layout.addLayout(self.rule_row_2)
         self.layout.addWidget(self.add_button)
         self.layout.addWidget(self.remove_button)
-        self.layout.addWidget(self.rule_list)
+        self.layout.addWidget(self.rule_tree)
 
         self.add_button.clicked.connect(self.add_rule)
         self.remove_button.clicked.connect(self.remove_selected_rule)
@@ -103,25 +104,54 @@ def load_value_presets_for_field(self, field_name: str) -> None:
             self.value_preset_box.addItems(presets)
 
     def refresh_rules(self) -> None:
-        self.rule_list.clear()
-        self.displayed_rules.clear()
+        self.rule_tree.clear()
 
         for event_id, event_config in sorted(self.config.events.items()):
+            if not event_config.rules:
+                continue
+
+            event_item = QTreeWidgetItem(
+                [f"{event_id} - {event_config.event_name}"]
+            )
+            self.rule_tree.addTopLevelItem(event_item)
+
+            grouped_parents: dict[str, QTreeWidgetItem] = {}
+            ungrouped_parent: QTreeWidgetItem | None = None
+
             for rule_index, rule in enumerate(event_config.rules):
+                if rule.group_id:
+                    if rule.group_id not in grouped_parents:
+                        group_name = rule.group_name or "Imported Rule"
+                        group_relation = rule.group_relation or "or"
+                        grouped_parents[rule.group_id] = QTreeWidgetItem(
+                            [f"Rule: {group_name} ({group_relation})"]
+                        )
+                        event_item.addChild(grouped_parents[rule.group_id])
+                    parent_item = grouped_parents[rule.group_id]
+                else:
+                    if ungrouped_parent is None:
+                        ungrouped_parent = QTreeWidgetItem(["Ungrouped Rules"])
+                        event_item.addChild(ungrouped_parent)
+                    parent_item = ungrouped_parent
+
                 rule_text = (
                     f"{event_id} | "
                     f"{rule.rule_type} | "
                     f"{rule.field_name} | "
                     f"{rule.condition} | "
                     f"{rule.value}"
                 )
-                item = QListWidgetItem(rule_text)
+                item = QTreeWidgetItem([rule_text])
+                item.setData(0, Qt.ItemDataRole.UserRole, (event_id, rule_index))
 
                 if not rule.imported:
-                    item.setBackground(QColor("#ffe6cc"))  # light orange
+                    item.setBackground(0, QColor("#ffe6cc"))  # light orange
+
+                parent_item.addChild(item)
 
-                self.rule_list.addItem(item)
-                self.displayed_rules.append((event_id, rule_index))
+            event_item.setExpanded(True)
+
+        self.rule_tree.expandAll()
 
     def add_rule(self) -> None:
         if self.current_event_id is None:
@@ -156,14 +186,15 @@ def remove_selected_rule(self) -> None:
         if self.current_event_id is None:
             return
 
-        selected_row = self.rule_list.currentRow()
-        if selected_row < 0:
+        selected_item = self.rule_tree.currentItem()
+        if selected_item is None:
             return
 
-        if selected_row >= len(self.displayed_rules):
+        rule_key = selected_item.data(0, Qt.ItemDataRole.UserRole)
+        if not isinstance(rule_key, tuple) or len(rule_key) != 2:
             return
 
-        event_id, rule_index = self.displayed_rules[selected_row]
+        event_id, rule_index = rule_key
         event_config = self.config.events.get(event_id)
 
         if event_config is None:
@@ -172,4 +203,4 @@ def remove_selected_rule(self) -> None:
         if 0 <= rule_index < len(event_config.rules):
             del event_config.rules[rule_index]
 
-        self.refresh_rules()
+        self.refresh_rules()

importers/xml_importer.py

@@ -4,21 +4,57 @@
 from models.sysmon_config import RuleFilter, SysmonConfig
 
 
+def strip_namespace(tag: str) -> str:
+    if "}" in tag:
+        return tag.split("}", 1)[1]
+    return tag
+
+
 def extract_rules_from_node(
     node: ET.Element,
     event_config,
     rule_type: str,
+    group_id: str | None = None,
+    group_relation: str | None = None,
+    group_name: str | None = None,
+    group_counter: list[int] | None = None,
 ) -> None:
     for child in node:
-        if child.tag == "Rule":
-            extract_rules_from_node(child, event_config, rule_type)
+        child_tag = strip_namespace(child.tag)
+
+        if child_tag == "Rule":
+            next_group_id = group_id
+            if next_group_id is None and group_counter is not None:
+                next_group_id = f"imported-group-{group_counter[0]}"
+                group_counter[0] += 1
+
+            next_group_relation = child.attrib.get("groupRelation", group_relation)
+            next_group_name = child.attrib.get("name", group_name)
+
+            extract_rules_from_node(
+                child,
+                event_config,
+                rule_type,
+                next_group_id,
+                next_group_relation,
+                next_group_name,
+                group_counter,
+            )
             continue
 
         if len(child) > 0:
-            extract_rules_from_node(child, event_config, rule_type)
+            extract_rules_from_node(
+                child,
+                event_config,
+                rule_type,
+                group_id,
+                group_relation,
+                group_name,
+                group_counter,
+            )
             continue
 
-        field_name = child.tag
+        field_name = child_tag
         condition = child.attrib.get("condition", "is")
         value = (child.text or "").strip()
 
@@ -32,6 +68,9 @@ def extract_rules_from_node(
                 condition=condition,
                 value=value,
                 imported=True,
+                group_id=group_id,
+                group_relation=group_relation,
+                group_name=group_name,
             )
         )
 
@@ -43,15 +82,23 @@ def import_config(input_path: str) -> SysmonConfig:
     config = SysmonConfig()
 
     event_filtering = root.find("EventFiltering")
+    if event_filtering is None:
+        for child in root:
+            if strip_namespace(child.tag) == "EventFiltering":
+                event_filtering = child
+                break
+
     if event_filtering is None:
         return config
 
-    for rule_group in event_filtering:
-        if rule_group.tag != "RuleGroup":
-            continue
+    group_counter = [1]
 
-        for event_element in rule_group:
-            event_tag = event_element.tag
+    for child in event_filtering:
+        child_tag = strip_namespace(child.tag)
+        event_elements = child if child_tag == "RuleGroup" else [child]
+
+        for event_element in event_elements:
+            event_tag = strip_namespace(event_element.tag)
             event_id = get_event_id_from_xml_tag(event_tag)
 
             if event_id is None:
@@ -61,6 +108,11 @@ def import_config(input_path: str) -> SysmonConfig:
             rule_type = event_element.attrib.get("onmatch", "include")
 
             event_config = config.get_or_create_event(event_id, event_name)
-            extract_rules_from_node(event_element, event_config, rule_type)
+            extract_rules_from_node(
+                event_element,
+                event_config,
+                rule_type,
+                group_counter=group_counter,
+            )
 
-    return config
+    return config

models/sysmon_config.py

@@ -9,6 +9,9 @@ class RuleFilter:
     condition: str
     value: str
     imported: bool = False
+    group_id: str | None = None
+    group_relation: str | None = None
+    group_name: str | None = None
 
 
 @dataclass
@@ -28,4 +31,4 @@ def get_or_create_event(self, event_id: int, event_name: str) -> EventConfig:
                 event_id=event_id,
                 event_name=event_name,
             )
-        return self.events[event_id]
+        return self.events[event_id]