- Updated the Hayabusa `count` rules to correlation rules. (@yamatosecurity)
- Bug fix: Two rules were causing errors because we deleted `rules/config/regex/LOLBAS_paths.txt`. The rules now do not reference any external file. (#730) (@yamatosecurity)
- Deprecate the use of regular expression wordlists (`regexes` and `allowlist` fields) inside rules. Instead, the regular expressions will be in normal lists inside the rule. (#725) (@yamatosecurity)
- The windash modifier (ex: `|windash|contains`) is now left as is and we do not convert these to more compatible rules now that Hayabusa supports windash natively as of version 2.15.0. (#646) (@fukusuket)
- Updated the `proven_rules.txt` file. (@YamatoSecurity)
- Newly created rules are assigned with new UUIDv4 IDs. (#629) (@fukusuket)
- Fixed a bug where `logsource_mapping.py` was creating rules with `near` conditions. (#632) (@fukusuket)
- Refactored `logsource_mapping.py` and added unit tests. (#627) (@fukusuket)
- Updated `exclude_rules.txt`. (@fukusuket)
- Bug fix: the `null` keyword was converted to an empty string. This may have been a regression when comments were left as is. Now `null` keywords are being converted correctly. (#620) (@fukusuket)
- The `|contains|windash` modifier is now being converted to a usable form. (#622) (@fukusuket)
- Comments in Sigma rules are left as is. Before, they would be stripped after conversion. (#568) (@fukusuket)
- Package management for the sigma conversion backend is now handled by Poetry and static code analysis is performed by Ruff. (#567) (@fukusuket)
- Added field mapping support for registry rules (`service: registry_add`, `registry_set`, `registry_event`) to detect built-in Windows event logs (Security EID `4657`). Before, only Sysmon (EID `12`, `13`, `14`) logs would be able to be detected. (#476) (@fukusuket)
- Added checks for ignoring rules that use field modifiers that Hayabusa does not yet support. (Ex: `|expand`) (#553, #554) (@fukusuket)
- Added support for `category: antivirus`. (#456) (@fukusuket)
- There is now a field mapping check for `process_creation` rules. There were about 60 `process_creation` rules that were being generated for Security `4688` events; however, they were looking for fields that only exist in Sysmon `1`, so there was no need for them. These incompatible Security `4688` rules are no longer being created, which will speed up processing time. Also, `IntegrityLevel`, `User` and other fields are now being mapped to the correct field name and data type, providing more accurate results. This was all done thanks to Fukusuke Takahashi. Details: #445
- Rule converter was completely rewritten to only convert the `logsource` to `Channel` and `EventID` and leave everything else as the original Sigma rule. This makes reading the converted rules much easier as well as improves speed. (#396) (@fukusuket)
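The two entries above (the `process_creation` field-mapping check and the converter that only rewrites `logsource` into `Channel`/`EventID`) describe the same idea from two sides: a Sigma rule is only worth emitting for a given Windows event if every field it references actually exists in that event, and the rest of the rule should be passed through unchanged. The following Python is an added example written for this page, not the hayabusa-rules converter or its mapping files. The channel/EventID table, the Security 4688 field names, the mandatory-label SID values and the `selection_channel` naming are assumptions made for the illustration, and the sample rules are constructed.

```python
from copy import deepcopy

# Added example, not the hayabusa-rules converter. The channel table, field maps
# and SID values below are assumptions made for this illustration.
LOGSOURCE_TARGETS = {
    ("windows", "process_creation"): [
        {
            "Channel": "Microsoft-Windows-Sysmon/Operational",
            "EventID": 1,
            # Sysmon EID 1 carries the Sigma field names unchanged.
            "fields": {f: f for f in ("Image", "CommandLine", "ParentImage", "User",
                                      "IntegrityLevel", "Hashes", "OriginalFileName")},
        },
        {
            "Channel": "Security",
            "EventID": 4688,
            # Security EID 4688 names the same data differently and has no
            # Hashes or OriginalFileName field at all.
            "fields": {"Image": "NewProcessName", "CommandLine": "CommandLine",
                       "ParentImage": "ParentProcessName", "User": "SubjectUserName",
                       "IntegrityLevel": "MandatoryLabel"},
        },
    ],
}

# 4688 stores the integrity level as a mandatory-label SID rather than a word,
# so the value's data type has to change along with the field name.
INTEGRITY_SIDS = {"Low": "S-1-16-4096", "Medium": "S-1-16-8192",
                  "High": "S-1-16-12288", "System": "S-1-16-16384"}

# Modifiers the rule engine is assumed not to support; such rules are skipped.
UNSUPPORTED_MODIFIERS = {"expand"}


def split_key(key):
    """'Image|endswith' -> ('Image', ['endswith'])."""
    name, *mods = key.split("|")
    return name, mods


def selection_keys(detection):
    """Yield every 'Field|mod...' key used in the detection block."""
    for name, block in detection.items():
        if name == "condition":
            continue
        for item in (block if isinstance(block, list) else [block]):
            if isinstance(item, dict):
                yield from item


def convert(rule):
    """Return one converted rule per compatible channel, or [] if the rule is skipped."""
    detection = rule["detection"]
    if any(set(split_key(k)[1]) & UNSUPPORTED_MODIFIERS for k in selection_keys(detection)):
        return []
    needed = {split_key(k)[0] for k in selection_keys(detection)}
    ls = rule["logsource"]
    converted = []
    for target in LOGSOURCE_TARGETS.get((ls.get("product"), ls.get("category")), []):
        fmap = target["fields"]
        if needed - set(fmap):
            continue  # this event lacks a referenced field: no variant for this channel
        new = deepcopy(rule)
        for name, block in new["detection"].items():
            if name == "condition":
                continue
            for item in (block if isinstance(block, list) else [block]):
                if not isinstance(item, dict):
                    continue
                for key in list(item):
                    field, mods = split_key(key)
                    value = item.pop(key)
                    if fmap[field] == "MandatoryLabel":
                        value = ([INTEGRITY_SIDS.get(v, v) for v in value]
                                 if isinstance(value, list) else INTEGRITY_SIDS.get(value, value))
                    item["|".join([fmap[field], *mods])] = value
        # The original detection is left untouched apart from field renames; only a
        # Channel/EventID selection is added and AND-ed into the condition.
        new["detection"]["selection_channel"] = {"Channel": target["Channel"],
                                                 "EventID": target["EventID"]}
        new["detection"]["condition"] = f"selection_channel and ({detection['condition']})"
        converted.append(new)
    return converted


# Constructed sample rules (not real hayabusa-rules content).
SAMPLE_RULE = {
    "title": "Constructed sample: high-integrity cmd.exe not started from explorer",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\cmd.exe", "IntegrityLevel": "High"},
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}
SYSMON_ONLY_RULE = deepcopy(SAMPLE_RULE)
SYSMON_ONLY_RULE["detection"]["selection"]["Hashes|contains"] = "IMPHASH="
EXPAND_RULE = deepcopy(SAMPLE_RULE)
EXPAND_RULE["detection"]["selection"]["User|expand"] = "%constructed_placeholder%"

if __name__ == "__main__":
    for rule in (SAMPLE_RULE, SYSMON_ONLY_RULE, EXPAND_RULE):
        ids = [r["detection"]["selection_channel"]["EventID"] for r in convert(rule)]
        print(f"{rule['title']!r}: variants for EventID {ids}")
```

Running it shows the three outcomes the changelog entries describe: the first sample yields both a Sysmon 1 and a Security 4688 variant (with `Image` renamed to `NewProcessName` and `IntegrityLevel: High` turned into `MandatoryLabel: S-1-16-12288`), the `Hashes` sample yields only the Sysmon variant because 4688 has no such field, and the `|expand` sample is skipped entirely.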
- Started to self-host config files when converting rules from Sigma, as the sigmac tool is deprecated and not updated anymore.
- `deprecated` and `unsupported` Sigma rules are now also being added to the hayabusa-rules repository.
- Hayabusa now supports rules that use `base64offset|contains`.
- Fixed a bug where rules with fields with `null` values would not be converted properly.
- Stopped fixing regular expressions in `|re` fields during Sigma rule conversion to work with the regex crate, as we fixed the regular expressions upstream.
- Automatically update Sigma rules daily.
- Include Channel in rule filename.
- Deprecated Japanese localization support: `title_jp`, `details_jp`, `description_jp`