- id: unique ID
- modified: automatic date
- date: automatic date
- references: list
- author: name from config
- logsource: product (windows/linux/webserver/proxy/EDR, Amazon, ...), category, service
- ex. snippet lssysmon -> logsource with product: windows and service: sysmon
- level: critical/high/medium/low
- status: experimental, test, stable, deprecated, unsupported
- relation: (LowPrio)
- "|" after a field name opens the modifier list
- New file generation -- that's the hard part. Templates for every kind of rule? Sort rules by logsource? Get the current combination of logsources? (LowPrio)
- get author: set author in config
- Automatic UUID
- Set logsource? From the file directory?
- status: experimental
- date
- FalsePositives
- tags: Own module
- Load Tags with a search?
- Mouse Over a Tag -> Description...
- Escaping: "" '' and \ don't need escaping in values. Check the exceptions
- Warn on backslash sequences (\ followed by another \): check the char after each \ (see "Rule Creation Guide", section Backslashes)
- autocompletion
- 1 of [identifiers from the detection section] in the condition
- after and/or: [1 of | identifier]
- Check sigma test script for further tests to do on the fly
- mark: 1/one of them
- 1/one of selection* is ok
- Description Length
- Title Length
- Date Format
- Reference
- unique ID (LowPrio)
- unique ID Checker
- check if ID is used somewhere else
- Check if all modifiers are valid
- Check if all identifiers are used
- contains should be the last modifier (exception: contains|all)
- Mark yellow: contains|base64 as most likely unwanted
- mark blue: String with *abc* instead of contains #MARKDOWN ESCAPES
- Check for arrays with one entry in detection
- Warn when an experimental rule is older than 1 year?
- https://github.com/SigmaHQ/sigma/wiki/Specification#rx-yaml
- make these checks live (run while editing)
- Sort keys
- 3 spaces as indentation for sigma files
- In the condition, offer field names as completion
- Update to today's date (modified)
- Fix highlighting:
- panda syntax
- CodeLens for regenerating the id
- CodeLens for resetting the modified date
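Added example, not code from the extension or from SigmaHQ: a Python sketch of the new-file generation (automatic UUID, date, author from config, status experimental) and of the on-the-fly checks listed above: id format and uniqueness, date format, title length, experimental rules older than a year, modifier validity and order, contains|base64, values wrapped in wildcards, backslash hints, single-entry arrays, unused or undefined identifiers, and `1 of them` versus `1 of selection*`. Assumptions: the VALID_MODIFIERS subset, the 256-character title limit, and the constructed SAMPLE_RULE; rules are handled as the dict a YAML loader returns, so no PyYAML is needed and the pipe/aggregation part of a condition is not parsed.

```python
"""Added example, not the extension's own code: rule skeleton generator plus linter over YAML-loader dicts."""
import fnmatch
import re
import uuid
from datetime import date, timedelta

# Value modifiers from the Sigma specification (assumption: a subset; extend as needed).
VALID_MODIFIERS = {"contains", "all", "startswith", "endswith", "base64", "base64offset",
                   "utf16le", "utf16be", "wide", "utf16", "re", "cidr", "windash",
                   "lt", "lte", "gt", "gte"}
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")   # Sigma dates are yyyy/mm/dd
MAX_TITLE = 256                                 # assumed limit; make it configurable

def new_rule(title, logsource, author="Name from Config", today=None):
    """Skeleton for a new rule file: fresh UUID, today's date, status experimental."""
    return {"title": title, "id": str(uuid.uuid4()), "status": "experimental",
            "description": "", "references": [], "author": author,
            "date": (today or date.today()).strftime("%Y/%m/%d"), "logsource": logsource,
            "detection": {"selection": {}, "condition": "selection"},
            "falsepositives": ["Unknown"], "level": "medium"}

def check_field(ident, field, value, warn, err):
    # Per-field checks: modifier validity and order, single-entry lists, wildcard/backslash hints.
    mods = field.split("|")[1:]
    for m in mods:
        if m not in VALID_MODIFIERS:
            err(f"{ident}.{field}: unknown modifier '{m}'")
    if "contains" in mods and mods[-1] != "contains" and mods[-2:] != ["contains", "all"]:
        warn(f"{ident}.{field}: 'contains' should be the last modifier (except contains|all)")
    if "contains" in mods and "base64" in mods:
        warn(f"{ident}.{field}: contains|base64 is most likely unwanted")
    if isinstance(value, list) and len(value) == 1:
        warn(f"{ident}.{field}: list with a single entry, use a scalar")
    for v in (value if isinstance(value, list) else [value]):
        if not isinstance(v, str):
            continue
        if len(v) > 2 and v.startswith("*") and v.endswith("*") and "contains" not in mods:
            warn(f"{ident}.{field}: '{v}' wraps the value in wildcards; use |contains")
        if re.search(r"\\\\[\\*?]", v):   # '\\' followed by '\', '*' or '?': escaping rules apply
            warn(f"{ident}.{field}: check backslash escaping in '{v}'")

def lint_rule(rule, known_ids=frozenset(), today=None):
    """Return [(severity, message)] for one parsed rule; known_ids holds the ids of all other rules."""
    today = today or date.today()
    findings = []
    warn = lambda msg: findings.append(("warning", msg))
    err = lambda msg: findings.append(("error", msg))
    rid = str(rule.get("id", ""))
    try:
        uuid.UUID(rid)
    except ValueError:
        err(f"id '{rid}' is not a UUID")
    if rid in known_ids:
        err(f"id '{rid}' is already used by another rule")
    if len(rule.get("title", "")) > MAX_TITLE:
        warn(f"title longer than {MAX_TITLE} characters")
    for key in ("date", "modified"):
        if key in rule and not DATE_RE.match(str(rule[key])):
            err(f"{key} must be yyyy/mm/dd")
    if rule.get("status") == "experimental" and DATE_RE.match(str(rule.get("date", ""))):
        try:
            if date(*map(int, rule["date"].split("/"))) < today - timedelta(days=365):
                warn("experimental rule is older than one year; revisit its status")
        except ValueError:
            err("date is not a valid calendar date")
    if not rule.get("references"):
        warn("no references")
    det = rule.get("detection", {})
    defined = {k for k in det if k != "condition"}
    for ident in defined:                      # a detection block is a map or a list of maps
        for item in (det[ident] if isinstance(det[ident], list) else [det[ident]]):
            for field, value in (item.items() if isinstance(item, dict) else []):
                check_field(ident, field, value, warn, err)
    cond = str(det.get("condition", ""))
    if re.search(r"\b(1|one) of them\b", cond):
        warn("'1 of them' matches every identifier; prefer a pattern like '1 of selection*'")
    used, tokens = set(), re.findall(r"[\w*]+", cond)
    for i, tok in enumerate(tokens):           # aggregation (pipe) syntax is not parsed here
        if tok == "them":
            used |= defined
        elif tok.lower() in {"and", "or", "not", "of", "all"} or tok.isdigit():
            continue
        elif i and tokens[i - 1] == "of":      # quantifier with a wildcard pattern
            used.update(fnmatch.filter(defined, tok))
        else:
            used.add(tok)
    for tok in sorted(used - defined):
        err(f"condition references undefined identifier '{tok}'")
    for ident in sorted(defined - used):
        warn(f"identifier '{ident}' is defined but never used in the condition")
    return findings

# Constructed sample with deliberate issues, so the linter has something to flag.
SAMPLE_RULE = {
    "title": "Encoded PowerShell Command Line", "id": "not-a-uuid",
    "status": "experimental", "date": "2019/01/01", "author": "Name from Config",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": ["\\powershell.exe"], "CommandLine|contains|base64": " -enc "},
        "selection_unused": {"CommandLine": "*-EncodedCommand*"},
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter"},
    "falsepositives": ["Unknown"], "level": "high"}
```

Calling `lint_rule(SAMPLE_RULE)` yields the id, age, single-entry, modifier-order, contains|base64, wildcard and unused-identifier findings in one pass; `new_rule(...)` lints clean apart from the empty references list, and passing the ids of the other rules in the repository as `known_ids` gives the duplicate-id check. In the editor each finding would map to a diagnostic at the offending key rather than a plain message.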