Home
Souji edited this page Dec 25, 2023 · 24 revisions
Omega rules are a SIEM detection format for JavaScript objects. They try to follow the Sigma rule specification relatively closely but extend it with some useful modifiers to deal with dates and snowflakes. It is worthwhile to read through https://sigmahq.io/docs/basics/rules.html to understand the basic concepts of the format!
```js
import { createRuleCache, loadRulesInto, loadRuleRepositoryInto, getRuleCache, evaluateOmega } from "omega-rules";

const ruleCache = createRuleCache(); // initialize the rule cache
await loadRulesInto("../rules", ruleCache); // fill it with local rules...
await loadRuleRepositoryInto("ownername", "repositoryname", "path/to/rulesfolder", ruleCache); // or load rules from a GitHub rules repository

someEmitter.on("someEvent", (data) => {
  for (const rule of getRuleCache().values()) { // iterate the rule cache or get specific rules based on execution context
    const result = evaluateOmega(data, rule); // evaluate data against a rule
    if (result.matches) {
      // ... the result holds an object variant of the supplied YAML file so you can easily retrieve informational fields
      // and notify relevant parties
    }
  }
});
```
- Omega does not compile queries for use in other systems; it offers a homebrew evaluation engine instead
- Omega rules do not require a `logsource`
- Omega allows using some powerful custom value modifiers for dates and snowflakes
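To illustrate what such a homebrew evaluation engine has to do when matching a Sigma-style rule against a plain JavaScript object, here is an added, self-contained example. It is not omega-rules' own code, the rule and event objects are constructed for illustration, and it supports only the `contains`/`startswith`/`endswith` modifiers, list values as OR, and conditions of the form `a`, `a and b`, `a and not b`.

```javascript
// Added example, not omega-rules' own code: a minimal Sigma-style matcher for plain
// JavaScript objects (string comparison is case-insensitive, as in Sigma).
// Read a dotted field path such as "author.bot" from a nested object.
function getField(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Compare one event value against one rule value under an optional modifier.
function valueMatches(actual, expected, modifier) {
  if (actual === undefined || actual === null) return false;
  const a = String(actual).toLowerCase(), e = String(expected).toLowerCase();
  switch (modifier) {
    case undefined: return a === e;
    case "contains": return a.includes(e);
    case "startswith": return a.startsWith(e);
    case "endswith": return a.endsWith(e);
    default: throw new Error(`unknown modifier: ${modifier}`);
  }
}

// A selection matches when every "field|modifier" key matches; a list is an OR.
function selectionMatches(event, selection) {
  return Object.entries(selection).every(([key, expected]) => {
    const [field, modifier] = key.split("|");
    const values = Array.isArray(expected) ? expected : [expected];
    return values.some((v) => valueMatches(getField(event, field), v, modifier));
  });
}

// Evaluate rule.detection; condition tokens are selection names, "and" and "not".
function evaluate(event, rule) {
  const { condition, ...selections } = rule.detection;
  let matches = true, negate = false;
  for (const tok of condition.split(/\s+/)) {
    if (tok === "and") continue;
    if (tok === "not") { negate = true; continue; }
    if (!(tok in selections)) throw new Error(`unknown selection: ${tok}`);
    const m = selectionMatches(event, selections[tok]);
    matches = matches && (negate ? !m : m);
    negate = false;
  }
  return { matches, title: rule.title };
}

// Constructed rule and events, for illustration only.
const linkRule = {
  title: "Link posted by a non-bot account",
  detection: {
    selection: { "content|contains": ["http://", "https://"] },
    filter: { "author.bot": true },
    condition: "selection and not filter",
  },
};
const hit = evaluate({ content: "see https://example.test", author: { bot: false } }, linkRule);
const miss = evaluate({ content: "see https://example.test", author: { bot: true } }, linkRule);
```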