Sigma rules not working

[feayeas]

Hi together,

unfortunately I am not able to use the complete repository of SigmaHQ-rules. For example, every time I want to use the "Powershell" folder from the Windows rules, I get the following error in Timesketch after running Sigma Analyzer:

Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/analyzers/interface.py", line 995, in run_wrapper result = self.run() File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/analyzers/sigma_tagger.py", line 69, in run sigma_rules = ts_sigma_lib.get_all_sigma_rules() File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/sigma_util.py", line 156, in get_all_sigma_rules sigma_rules.extend(get_sigma_rules(folder)) File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/sigma_util.py", line 135, in get_sigma_rules parsed_rule = get_sigma_rule(rule_file_path, sigma_config) File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/sigma_util.py", line 210, in get_sigma_rule parsed_sigma_rules = parser.generate(sigma_backend) File "/usr/local/lib/python3.8/dist-packages/sigma/parser/collection.py", line 70, in generate [ backend.generate(parser) for parser in self.parsers ] File "/usr/local/lib/python3.8/dist-packages/sigma/parser/collection.py", line 70, in <listcomp> [ backend.generate(parser) for parser in self.parsers ] File "/usr/local/lib/python3.8/dist-packages/sigma/backends/elasticsearch.py", line 53, in generate return super().generate(sigmaparser) File "/usr/local/lib/python3.8/dist-packages/sigma/backends/base.py", line 118, in generate query = self.generateQuery(parsed) File "/usr/local/lib/python3.8/dist-packages/sigma/backends/base.py", line 135, in generateQuery result += self.generateAggregation(parsed.parsedAgg) File "/usr/local/lib/python3.8/dist-packages/sigma/backends/base.py", line 212, in generateAggregation raise NotImplementedError("Aggregations not implemented for this backend") NotImplementedError: Aggregations not implemented for this backend

anyone had this error already and could fix it?

[jaegeral]

Hey @feayeas as the error message expresses, the method used in a rule is not implemented in Timesketch (or more precise in Elastic).

Besides, it is not recommended (and not supported) to just copy the whole Sigma project into your rule folder. It will break things and some rules will create false results.
(e.g. #1532)