⚠️ Make sure you follow the (Process|File)Monitor prerequisites so that the Endpoint Security Framework works properly:

- The terminal app you're using to run sigma-esf needs to have "Full Disk Access" granted.
- You need to be running sigma-esf as root.
Install sigma-esf using either:

```shell
go install github.com/bradleyjkemp/sigma-esf@latest
```

or

```shell
brew install bradleyjkemp/formulae/sigma-esf
```
## Usage
The most basic usage of sigma-esf is to simply run `sudo sigma-esf` from within your Sigma rules folder.

There's not much configuration available yet other than:

- Disabling either file or process events with `-monitor_files=false` or `-monitor_processes=false` (collecting all events can be quite CPU intensive, so disable the ones you don't need; note that Go boolean flags must use the `-flag=false` form, since `-monitor_files false` leaves the flag at its default of true)
- Pointing to a directory of Sigma rules with `-sigma_rules` rather than using the current directory
```
Usage of sigma-esf:
  -monitor_files
        Whether to monitor file events (default true)
  -monitor_processes
        Whether to monitor process creation events (default true)
  -sigma_rules string
        Path to a directory containing the Sigma rules to run (default ".")
```
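The flags above are easy to get subtly wrong (a boolean Go flag passed as `-monitor_files false` is silently ignored, and running without root or without any rule files gives you an empty run). The following wrapper script is an added example, not part of the sigma-esf project: it checks the two prerequisites it can check from a shell (root, and that the rules directory actually contains `.yml`/`.yaml` files), then builds the command line in the `-flag=value` form the Go flag package expects. It assumes the binary is on `PATH` as `sigma-esf` and that the rules directory defaults to `./rules`; the environment variable `SIGMA_ESF_RUN` is a hypothetical guard so the functions can be sourced without launching anything.

```shell
#!/bin/sh
# Added example wrapper for sigma-esf (not the project's own code).
# Assumptions: "sigma-esf" is on PATH; rules live in ./rules unless given.

# build_sigma_esf_cmd RULES_DIR MONITOR_FILES MONITOR_PROCESSES
# Prints the command line. Go's flag package only accepts booleans as
# -flag=false; "-monitor_files false" would be read as the flag set to true
# followed by a stray positional argument, so always emit the = form.
build_sigma_esf_cmd() {
    rules_dir=$1
    monitor_files=${2:-true}
    monitor_processes=${3:-true}
    printf 'sigma-esf -sigma_rules=%s -monitor_files=%s -monitor_processes=%s' \
        "$rules_dir" "$monitor_files" "$monitor_processes"
}

# check_rules_dir DIR: succeeds only if DIR exists and holds at least one
# Sigma rule file (*.yml or *.yaml), searched recursively.
check_rules_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    first=$(find "$dir" \( -name '*.yml' -o -name '*.yaml' \) -type f -print | head -n 1)
    [ -n "$first" ]
}

# check_root: an Endpoint Security client can only be created by root,
# so refuse to continue under an unprivileged user.
check_root() {
    [ "$(id -u)" -eq 0 ]
}

main() {
    rules_dir=${1:-./rules}
    check_root || { echo "sigma-esf must run as root (use sudo)" >&2; return 1; }
    check_rules_dir "$rules_dir" || { echo "no Sigma rules (*.yml/*.yaml) found in $rules_dir" >&2; return 1; }
    # File events are the expensive half of the feed; this run keeps only
    # process creation events, which is usually what Sigma rules target.
    cmd=$(build_sigma_esf_cmd "$rules_dir" false true)
    echo "+ $cmd"
    exec $cmd
}

# Hypothetical guard: only launch when SIGMA_ESF_RUN=1, so the functions
# above can be sourced and reused without starting the monitor.
if [ "${SIGMA_ESF_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `sudo SIGMA_ESF_RUN=1 sh sigma-esf-run.sh /path/to/rules`; the terminal hosting that shell still needs Full Disk Access, which no script can verify for you.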