sigma

This extension will enhance your VSCode for the Sigma signature format

Installation
Features
Requirements
Extension Settings
Known Issues
Changelog

Checkout Ideas.md for planned features!

Installation

Simply grab it in the VSCode marketplace.
Install it from VSCode in the Extension Tab (Ctrl + Shift + X) and search for Sigma.

Setup your Author name in the extensions config section. sigma.author

Setup your sigmac compile configs in sigma.compileConfig

For example:

[
 {
    "tag": "OptionalTag",
    "target": "kibana",
    "config":["~/sigma/tools/config/winlogbeat.yml"],
    "additionalArgs": ""
  },
  {
    "target": "splunk",
    "config":["~/sigma/tools/config/generic/windows-audit.yml","~/sigma/tools/config/splunk-windows.yml"]
  }
]

Features

Snippets

Various Snippets:

new Rule Snippet
auto uuid
automatic Author
Date/modifiedDate
logsource
- category
- product

falsepositives
status
level
title
reference (links will be auto-pasted)

Diagnostics

Title too Long
Description too Short
'contains' at wrong position in modifiers
Whitespace at end of Line
Single Item with All modifier
YAML not parsing
Various Tests from the official sigma repo

Quickfixes for some of the Diagnostics

Automatic continuation of lists

Lists will be automatically continued by pressing the enter key.
Use the CTRL (Command on Mac) modifier to create a new line regardless of the curent position of the cursor. Use the Shift modifier to ignore this feature.
When there is an empty string, it gets deleted.

Sigmac compile

After defining your sigmac configs, click on the codelens in the first line. The compile sigma rule will be in your clipboard.

Webextension Support (Quite untested)

The extension can be used in github vscode mode and on vscode.dev. However these are not really tested, so in case you find bugs with it, feel free to open an issue.

Sigma Search Engine Integration

Integration of https://sigmasearchengine.com/.

Look Up Related --> Look up related Sigma rules (see codelense above related)
Look Up --> Look for similar rules with multiline selection (see codelense above detection)
Hovering over detection-strings --> Look for similar rules

Requirements

For sigmac compilation: sigmatools

pip install sigmatools

Extension Settings

sigma.author: Set this for the newRule and author snippet
sigma.debug: If true, debug messages will be printed in console

Known Issues

Only Files that are opened and begin with title: are set as sigma

Changelog

Check out CHANGELOG for more information.

Name		Name	Last commit message	Last commit date
Latest commit History 67 Commits
.vscode		.vscode
images		images
snippets		snippets
src		src
syntaxes/external		syntaxes/external
.eslintrc.json		.eslintrc.json
.gitignore		.gitignore
.prettierrc.yaml		.prettierrc.yaml
.vscodeignore		.vscodeignore
CHANGELOG.md		CHANGELOG.md
Ideas.md		Ideas.md
LICENSE		LICENSE
README.md		README.md
buildattck.py		buildattck.py
enterprise-attack.json		enterprise-attack.json
language-configuration.json		language-configuration.json
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json
vsc-extension-quickstart.md		vsc-extension-quickstart.md
webpack.config.js		webpack.config.js

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

sigma

Installation