Closed
Labels: enhancement (New feature or request)
Description
When a single .yml file contains multiple Sigma rules separated by ---, only the first rule is loaded. The remaining ones are ignored. Is it possible to add support for this multi-document format?
```yaml
title: MyApp Registry Key Created
id: 10000000-0000-0000-0000-000000000001
status: test
description: Detects creation of MyApp registry key
logsource:
  product: windows
  category: registry_add
detection:
  selection:
    TargetObject|contains: '\Software\MyApp'
  condition: selection
level: low
---
title: MyApp Registry Value Modified
id: 10000000-0000-0000-0000-000000000002
status: test
description: Detects modification of values in MyApp registry key
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    TargetObject|contains: '\Software\MyApp'
  condition: selection
level: medium
---
title: MyApp Registry Key Deleted
id: 10000000-0000-0000-0000-000000000003
status: test
description: Detects deletion of MyApp registry key
logsource:
  product: windows
  category: registry_delete
detection:
  selection:
    TargetObject|contains: '\Software\MyApp'
  condition: selection
level: high
```

```
PS C:\Users\agemes\Downloads> chainsaw.exe hunt C:\Users\agemes\Downloads\sysmon.evtx -s myapp_rules.yml --mapping C:\Users\agemes\git-repos\chainsaw\mappings\sigma-event-logs-all.yml
[CHAINSAW banner]
By WithSecure Countercept (@FranticTyping, @AlexKornitzer)
[+] Loading detection rules from: myapp_rules.yml
[+] Loaded 1 detection rules
[+] Loading forensic artefacts from: C:\Users\agemes\Downloads\sysmon.evtx (extensions: .evt, .evtx)
[+] Loaded 1 forensic artefacts (62.1 MiB)
[+] Current Artifact: C:\Users\agemes\Downloads\sysmon.evtx
[+] Hunting [========================================] 1/1 - [00:00:01]
[+] Group: Sigma
┌─────────────────────┬──────────────────────────────┬───────┬──────────────────────────┬──────────┬───────────┬───────────────────────┬────────────────────────────────┐
│ timestamp │ detections │ count │ Event.System.Provider │ Event ID │ Record ID │ Computer │ Event Data │
├─────────────────────┼──────────────────────────────┼───────┼──────────────────────────┼──────────┼───────────┼───────────────────────┼────────────────────────────────┤
│ 2026-02-09 14:41:42 │ + MyApp Registry Key Created │ 1 │ Microsoft-Windows-Sysmon │ 12 │ 35295 │ HTNB-3006.hightec.htc │ TargetObject: HKU\S-1-5-21-218 │
│ │ │ │ │ │ │ │ 5766489-2577382833-530242202-2 │
│ │ │ │ │ │ │ │ 112\Software\MyApp │
│ │ │ │ │ │ │ │ RuleName: '-' │
│ │ │ │ │ │ │ │ EventType: CreateKey │
│ │ │ │ │ │ │ │ ProcessId: 39920 │
│ │ │ │ │ │ │ │ ProcessGuid: D2B54B40-F225-698 │
│ │ │ │ │ │ │ │ 9-870C-0C0000003800 │
│ │ │ │ │ │ │ │ User: HIGHTEC\agemes │
│ │ │ │ │ │ │ │ UtcTime: 2026-02-09 14:41:42.0 │
│ │ │ │ │ │ │ │ 14 │
│ │ │ │ │ │ │ │ Image: C:\WINDOWS\system32\reg │
│ │ │ │ │ │ │ │ .exe │
└─────────────────────┴──────────────────────────────┴───────┴──────────────────────────┴──────────┴───────────┴───────────────────────┴────────────────────────────────┘
[+] 1 Detections found on 1 documents
```
When I split them into separate files, it works properly:
```
PS C:\Users\agemes\Downloads> chainsaw.exe hunt C:\Users\agemes\Downloads\sysmon.evtx -s myapp_rules\ --mapping C:\Users\agemes\git-repos\chainsaw\mappings\sigma-event-logs-all.yml
[CHAINSAW banner]
By WithSecure Countercept (@FranticTyping, @AlexKornitzer)
[+] Loading detection rules from: myapp_rules\
[+] Loaded 3 detection rules
[+] Loading forensic artefacts from: C:\Users\agemes\Downloads\sysmon.evtx (extensions: .evtx, .evt)
[+] Loaded 1 forensic artefacts (62.1 MiB)
[+] Current Artifact: C:\Users\agemes\Downloads\sysmon.evtx
[+] Hunting [========================================] 1/1 - [00:00:01]
[+] Group: Sigma
┌─────────────────────┬──────────────────────────────┬───────┬──────────────────────────┬──────────┬───────────┬───────────────────────┬────────────────────────────────┐
│ timestamp │ detections │ count │ Event.System.Provider │ Event ID │ Record ID │ Computer │ Event Data │
├─────────────────────┼──────────────────────────────┼───────┼──────────────────────────┼──────────┼───────────┼───────────────────────┼────────────────────────────────┤
│ 2026-02-09 14:41:42 │ + MyApp Registry Key Created │ 1 │ Microsoft-Windows-Sysmon │ 12 │ 35295 │ HTNB-3006.hightec.htc │ TargetObject: HKU\S-1-5-21-218 │
│ │ + MyApp Registry Key Deleted │ │ │ │ │ │ 5766489-2577382833-530242202-2 │
│ │ │ │ │ │ │ │ 112\Software\MyApp │
│ │ │ │ │ │ │ │ RuleName: '-' │
│ │ │ │ │ │ │ │ EventType: CreateKey │
│ │ │ │ │ │ │ │ ProcessId: 39920 │
│ │ │ │ │ │ │ │ ProcessGuid: D2B54B40-F225-698 │
│ │ │ │ │ │ │ │ 9-870C-0C0000003800 │
│ │ │ │ │ │ │ │ User: HIGHTEC\agemes │
│ │ │ │ │ │ │ │ UtcTime: 2026-02-09 14:41:42.0 │
│ │ │ │ │ │ │ │ 14 │
│ │ │ │ │ │ │ │ Image: C:\WINDOWS\system32\reg │
│ │ │ │ │ │ │ │ .exe │
├─────────────────────┼──────────────────────────────┼───────┼──────────────────────────┼──────────┼───────────┼───────────────────────┼────────────────────────────────┤
│ 2026-02-09 14:41:42 │ + MyApp Registry Value │ 1 │ Microsoft-Windows-Sysmon │ 13 │ 35296 │ HTNB-3006.hightec.htc │ Image: C:\WINDOWS\system32\reg │
│ │ Modified │ │ │ │ │ │ .exe │
│ │ │ │ │ │ │ │ TargetObject: HKU\S-1-5-21-218 │
│ │ │ │ │ │ │ │ 5766489-2577382833-530242202-2 │
│ │ │ │ │ │ │ │ 112\Software\MyApp\Test │
│ │ │ │ │ │ │ │ RuleName: '-' │
│ │ │ │ │ │ │ │ EventType: SetValue │
│ │ │ │ │ │ │ │ ProcessId: 39920 │
│ │ │ │ │ │ │ │ ProcessGuid: D2B54B40-F225-698 │
│ │ │ │ │ │ │ │ 9-870C-0C0000003800 │
│ │ │ │ │ │ │ │ User: HIGHTEC\agemes │
│ │ │ │ │ │ │ │ UtcTime: 2026-02-09 14:41:42.0 │
│ │ │ │ │ │ │ │ 14 │
│ │ │ │ │ │ │ │ Details: changed │
└─────────────────────┴──────────────────────────────┴───────┴──────────────────────────┴──────────┴───────────┴───────────────────────┴────────────────────────────────┘
[+] 3 Detections found on 2 documents
```
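Until the loader reads every YAML document in a file, the workaround shown in the report (one rule per file) can be automated. The script below is an added example written for this page, not code from the issue or from Chainsaw: a dependency-free Python tool that splits a multi-document Sigma file on YAML document marker lines, names each output file after the rule's `id`, and refuses Sigma v1 rule collections (`action: global`, `repeat`, `reset`) whose documents are not standalone and would otherwise silently become incomplete rules. `MULTI_DOC` is a sample constructed from the three rules in the report, and the function names and the marker-line splitting are this example's own choices; when PyYAML is available, `yaml.safe_load_all()` is the more robust way to split, since a bare `---` inside a block scalar would fool the line-based approach.

```python
# Added example (not Chainsaw code): split a multi-document Sigma file into
# one file per rule so a loader that reads only the first document sees all of them.
import re
import tempfile
from pathlib import Path

DOC_MARKER = re.compile(r"^(---|\.\.\.)\s*$")                     # YAML document start / end lines
ID_LINE = re.compile(r"^id:\s*['\"]?([0-9a-fA-F-]{36})['\"]?\s*$", re.M)
ACTION_LINE = re.compile(r"^action:\s*(global|repeat|reset)\s*$", re.M)  # Sigma v1 rule collections
REQUIRED_KEYS = ("title:", "logsource:", "detection:")

# Constructed sample: the three rules from the report, logsource/detection in YAML flow style.
MULTI_DOC = r"""title: MyApp Registry Key Created
id: 10000000-0000-0000-0000-000000000001
logsource: {product: windows, category: registry_add}
detection: {selection: {TargetObject|contains: '\Software\MyApp'}, condition: selection}
level: low
---
title: MyApp Registry Value Modified
id: 10000000-0000-0000-0000-000000000002
logsource: {product: windows, category: registry_set}
detection: {selection: {TargetObject|contains: '\Software\MyApp'}, condition: selection}
level: medium
---
title: MyApp Registry Key Deleted
id: 10000000-0000-0000-0000-000000000003
logsource: {product: windows, category: registry_delete}
detection: {selection: {TargetObject|contains: '\Software\MyApp'}, condition: selection}
level: high
"""


def split_documents(text: str) -> list[str]:
    """Return the non-empty YAML documents in `text`, marker lines removed."""
    docs: list[str] = []
    current: list[str] = []

    def flush() -> None:
        if any(line.strip() for line in current):          # drop empty docs (e.g. a leading ---)
            docs.append("\n".join(current).rstrip() + "\n")

    for line in text.splitlines():
        if DOC_MARKER.match(line):
            flush()
            current.clear()
        else:
            current.append(line)
    flush()
    return docs


def rule_id(doc: str) -> str:
    """Top-level Sigma `id` (UUID), used as the output file name."""
    m = ID_LINE.search(doc)
    if not m:
        raise ValueError("document has no top-level 36-character Sigma id")
    return m.group(1).lower()


def check_standalone(doc: str) -> None:
    """Reject documents that only make sense together with siblings in the same file:
    Sigma v1 `action:` collections share keys across documents, so a naive split
    would emit rules with missing logsource/detection. Refuse instead of guessing."""
    if ACTION_LINE.search(doc):
        raise ValueError("document uses 'action:'; merge the collection before splitting")
    for key in REQUIRED_KEYS:
        if not re.search("^" + re.escape(key), doc, re.M):
            raise ValueError(f"document lacks required top-level key {key!r}")


def plan_split(text: str) -> dict[str, str]:
    """Map output file name (<id>.yml) -> document body, in file order; duplicate ids are an error."""
    plan: dict[str, str] = {}
    for doc in split_documents(text):
        check_standalone(doc)
        name = rule_id(doc) + ".yml"
        if name in plan:
            raise ValueError(f"duplicate rule id in {name}")
        plan[name] = doc
    return plan


def split_rule_file(src: Path, outdir: Path) -> list[Path]:
    """Write one .yml per rule under `outdir`; returns the written paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for name, body in plan_split(src.read_text(encoding="utf-8")).items():
        path = outdir / name
        path.write_text(body, encoding="utf-8")
        written.append(path)
    return written


if __name__ == "__main__":
    # Demo on the constructed sample; point split_rule_file at a real file and output directory to use it.
    tmp = Path(tempfile.mkdtemp())
    (tmp / "myapp_rules.yml").write_text(MULTI_DOC, encoding="utf-8")
    for p in split_rule_file(tmp / "myapp_rules.yml", tmp / "myapp_rules"):
        print(p)
```

The output directory is then passed to Chainsaw exactly as in the second run of the report (`-s myapp_rules\`), which loads all three rules.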