Merge pull request #2939 from wmetcalf/feat/sigma-evtx-web

feat: enhanced EVTX collection and event logs web UI with Sigma support

Author: kevoreilly

analyzer/windows/modules/auxiliary/evtx.py

@@ -68,8 +68,15 @@ def get_package(self):
                 raise CuckooProcessingError(f"Error opening {self.log_path}: {e}") from e
             else:
                 with suppress(Exception):
-                    idx = analysis_log.index('INFO: Automatically selected analysis package "')
-                    package = analysis_log[idx + 47 :].split('"', 1)[0]
+                    # Try both Windows and Linux analyzer log formats
+                    for marker in (
+                        'INFO: analysis package selected: "',
+                        'INFO: Automatically selected analysis package "',
+                    ):
+                        idx = analysis_log.find(marker)
+                        if idx != -1:
+                            package = analysis_log[idx + len(marker) :].split('"', 1)[0]
+                            break
         return package
 
     def run(self):

modules/processing/analysisinfo.py

@@ -0,0 +1,14 @@
+[Unit]
+Description=Update CAPE Sigma rules via Zircolite
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=cape
+Group=cape
+WorkingDirectory=/opt/zircolite
+ExecStart=/etc/poetry/bin/poetry --directory /opt/CAPEv2/ run python zircolite.py --update-rules
+ExecStartPost=/bin/bash -c 'for f in /opt/zircolite/rules/*.json; do cp "$f" "/opt/CAPEv2/data/sigma/$(basename "$f")"; done'
+ExecStartPost=+/bin/systemctl restart cape-processor.service
+TimeoutStartSec=300

systemd/cape-sigma-update.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Daily CAPE Sigma rules update
+
+[Timer]
+OnCalendar=*-*-* 03:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target

systemd/cape-sigma-update.timer

@@ -11,6 +11,8 @@
     re_path(r"^page/(?P<page>\d+)/$", views.index, name="index"),
     re_path(r"^(?P<task_id>\d+)/$", views.report, name="report"),
     re_path(r"^load_files/(?P<task_id>\d+)/(?P<category>\w+)/$", views.load_files, name="load_files"),
+    re_path(r"^load_evtx_channel/(?P<task_id>\d+)/$", views.load_evtx_channel, name="load_evtx_channel"),
+    re_path(r"^load_evtx_channel_count/(?P<task_id>\d+)/$", views.load_evtx_channel_count, name="load_evtx_channel_count"),
     re_path(r"^surialert/(?P<task_id>\d+)/$", views.surialert, name="surialert"),
     re_path(r"^surihttp/(?P<task_id>\d+)/$", views.surihttp, name="surihttp"),
     re_path(r"^suritls/(?P<task_id>\d+)/$", views.suritls, name="suritls"),