Cannot Generate Splunk Queries
Closed this issue · 3 comments
Describe the bug
When I attempt to Generate Queries I get the following in the SigmaLog:
```text
Processing Admin User Remote Logon
python.exe : The backend you want to use usually requires a configuration to generate valid results. Please provide
one with --config/-c.
At line:1304 char:31
+ ... igmaquery = python.exe $sigmaLocation -t $target ($yamlPath + $filena ...
+                                                       ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The backend you...th --config/-c.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
```
The EventsList-Queries produces the following:
```text
Available choices for this backend (get complete list with --lists/-l):
splunk-windows-index : Splunk Windows index and EventID field mapping
splunk-windows : Splunk Windows log source conditions
sysmon : Conversion of generic rules into Sysmon
windows-audit : Conversion of generic process_creation rules into Security/4688
```
To Reproduce
Steps to reproduce the behavior:
Attempt to generate Splunk Queries.
Expected behavior
I was expecting Queries to be generated for Splunk.
Desktop:
- OS: Windows 10 1903
Same here. I made a manual test with -l "my-in-sigma-configured-indexes" and then it worked out fine... I have had no time to look into the PS calls so far...
teletobsi,
I was able to manually get it to work with ./sigmac -c config/splunk-windows.yml --target splunk
I was not able to get it to work with -l. I am not really familiar with using sigmac so I could be doing something wrong with it.
I fixed it in EventList release 1.1.0 - now it is possible to use Sigma without having configured it beforehand.
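The working invocation from this thread (sigmac with `-c config/splunk-windows.yml --target splunk`), wrapped so that a missing backend configuration fails with a readable message rather than the NativeCommandError shown in the report. This is an added example, not EventList's own code; `$SigmacPath`, the rule path and the `Convert-SigmaRule` name are assumptions, and it relies only on sigmac's `-t` and `-c` options that appear on this page.

```powershell
# Added example (not EventList's code): run sigmac from PowerShell with an explicit
# backend configuration and surface its stderr cleanly.
# Assumed: $SigmacPath points at the sigmac script from the Sigma repository and
# $Config exists (config/splunk-windows.yml is the one that worked in this thread).
function Convert-SigmaRule {
    param(
        [Parameter(Mandatory)] [string] $RulePath,
        [Parameter(Mandatory)] [string] $SigmacPath,
        [string] $Target = 'splunk',
        [string] $Config = 'config/splunk-windows.yml'
    )

    # Native stderr lines must not be promoted to terminating errors inside this scope.
    $ErrorActionPreference = 'Continue'

    $sigmacArgs = @($SigmacPath, '-t', $Target)
    if ($Config) {
        if (-not (Test-Path -LiteralPath $Config)) {
            throw "Backend config '$Config' not found; the '$Target' backend needs one (-c)."
        }
        $sigmacArgs += @('-c', $Config)
    }
    $sigmacArgs += $RulePath

    # Merge stderr into the pipeline so python's message is captured here instead of
    # being re-thrown by PowerShell as a NativeCommandError at the call site.
    $output = & python.exe @sigmacArgs 2>&1
    $stdout = @($output | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] })
    $stderr = @($output | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] })

    if ($LASTEXITCODE -ne 0 -or (($stderr -join "`n") -match 'requires a configuration')) {
        throw "sigmac failed for '$RulePath' (exit $LASTEXITCODE): $($stderr -join ' ')"
    }
    return ($stdout -join "`n")
}

# Usage (placeholder paths): the returned string is the Splunk query for the rule.
# Convert-SigmaRule -RulePath .\rules\<rule>.yml -SigmacPath .\sigma\tools\sigmac
```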