Hi Timo,
You might find that a lot of the Sigma rules are already present as vendor alerts in LogPoint - I know they were often not easy to find, but hopefully with the changes in 6.12 you can more easily spot the rules that are already there. The LogPoint queries generated by the Sigma encoder are often “suboptimal”, i.e. full text searches, not using lists etc.
PAK files are generated programmatically and signed, so unfortunately it’s not possible to create them yourself. However, one thing that might work is using the XML produced by LogPoint “Sync” - I have used it myself in limited forms to ingest configuration data into LogPoint. You can check the XML file it produces by exporting from your LogPoint, and you can then cut it down to just the section that you need and import it with any changes. I have only tried it with some user accounts, but there is no reason it couldn’t work for alerts provided the XML is valid. Perhaps worth trying out on a test VM first.
Other than that, there is a feature request for programmatic creation of alert rules; it just unfortunately hasn’t made it into the product yet :(
Nils.
Hi Nils,
Thanks, the “Sync” approach is working fine, as it looks.
Best Regards