Git Product home page Git Product logo

sigma-esf's Introduction

sigma-esf

Run Sigma detection rules on logs from the new MacOS Endpoint Security Framework.

This is a super simple CLI that ties together:

  • ProcessMonitor and FileMonitor from Patrick Wardle to do the Endpoint Security Framework subscribing
  • sigma-go to take the stream of Endpoint Security events and match them against Sigma rules.

Installation

  1. Install ProcessMonitor and FileMonitor from https://objective-see.com/products/utilities.html
  2. ⚠️ Make sure you follow the (Process|File)Monitor prerequisites so that Endpoint Security Framework works properly:
    • The terminal app you're using to run sigma-esf needs to have "Full Disk Access" granted.
    • You need to be running sigma-esf as root.
  3. Install sigma-esf using either:
    • go install github.com/bradleyjkemp/sigma-esf
    • brew install bradleyjkemp/formulae/sigma-esf

Usage

The most basic usage of sigma-esf is to simply run sudo sigma-esf within your Sigma rules folder.

There's not much configuration available yet other than:

  • Disabling either file or process events (collecting all events can be quite CPU intensive so disable ones you don't need)
  • Pointing to a directory of Sigma rules rather than using the current directory
Usage of sigma-esf:
  -monitor_files
    	Whether to monitor file events (default true)
  -monitor_processes
    	Whether to monitor process creation events (default true)
  -sigma_rules string
    	Path to a directory containing the Sigma rules to run (default ".")

sigma-esf's People

Contributors

bradleyjkemp avatar

Stargazers

avatar Denise Nepraunig avatar XCyberWar avatar Thomas Strömberg avatar Luke Hamburg avatar 南知 avatar Dmitry Shvedov avatar Avinash_thumma avatar Angelo T. Aschert avatar J avatar Matthew Conway avatar DanDye avatar Ferdous Saljooki avatar Robert avatar avatar alpha1 avatar yk avatar muuk avatar Jeff McJunkin avatar

Watchers

Matthew Conway avatar James Cloos avatar Luke Hamburg avatar avatar avatar avatar

Forkers

blank-man ctfbuster webvul icipher18

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.