{"id":20340584,"url":"https://github.com/0xrawsec/gene","last_synced_at":"2025-09-25T21:22:33.255Z","repository":{"id":41142926,"uuid":"97874394","full_name":"0xrawsec/gene","owner":"0xrawsec","description":"Signature engine for all your logs","archived":false,"fork":false,"pushed_at":"2023-11-13T10:00:41.000Z","size":5919,"stargazers_count":170,"open_issues_count":1,"forks_count":19,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-06-17T03:05:38.342Z","etag":null,"topics":["detection-engineering","dfir","threat-hunting"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xrawsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["0xrawsec"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2017-07-20T20:11:21.000Z","updated_at":"2025-05-12T14:47:53.000Z","dependencies_parsed_at":"2023-10-16T04:49:59.295Z","dependency_job_id":"88d28c3f-d891-46e0-a8f8-ff6100367ff0","html_url":"https://github.com/0xrawsec/gene","commit_stats":null,"previous_names":[],"tags_count":41,"template":false,"template_full_name":null,"purl":"pkg:github/0xrawsec/gene","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xrawsec%2Fgene","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xrawsec%2Fgene/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/0xrawsec%2Fgene/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xrawsec%2Fgene/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xrawsec","download_url":"https://codeload.github.com/0xrawsec/gene/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xrawsec%2Fgene/sbom","scorecard":{"id":811,"data":{"date":"2025-08-11","repo":{"name":"github.com/0xrawsec/gene","commit":"cfc3ab3e9b45c8e1217a940817511a40e28a3630"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/go.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the 
repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/0xrawsec/gene/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:20: 
update your workflow using https://app.stepsecurity.io/secureworkflow/0xrawsec/gene/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/0xrawsec/gene/go.yml/master?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches 
are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.6.4 not signed: https://api.github.com/repos/0xrawsec/gene/releases/33543442","Warn: release artifact v1.6.3 not signed: https://api.github.com/repos/0xrawsec/gene/releases/28431346","Warn: release artifact v1.6.1 not signed: https://api.github.com/repos/0xrawsec/gene/releases/19265929","Warn: release artifact v1.6.0 not signed: https://api.github.com/repos/0xrawsec/gene/releases/19025541","Warn: release artifact v1.5.0 not signed: https://api.github.com/repos/0xrawsec/gene/releases/17781157","Warn: release artifact v1.6.4 does not have provenance: https://api.github.com/repos/0xrawsec/gene/releases/33543442","Warn: release artifact v1.6.3 does not have provenance: https://api.github.com/repos/0xrawsec/gene/releases/28431346","Warn: release artifact v1.6.1 does not have provenance: https://api.github.com/repos/0xrawsec/gene/releases/19265929","Warn: release artifact v1.6.0 does not have provenance: https://api.github.com/repos/0xrawsec/gene/releases/19025541","Warn: release artifact v1.5.0 does not have provenance: https://api.github.com/repos/0xrawsec/gene/releases/17781157"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4","Warn: Project is vulnerable to: PYSEC-2018-49 / GHSA-rprw-h62v-c2w7"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-14T12:28:24.270Z","repository_id":41142926,"created_at":"2025-08-14T12:28:24.270Z","updated_at":"2025-08-14T12:28:24.270Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276983751,"owners_count":25739988,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-25T02:00:09.612Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["detection-engineering","dfir","threat-hunting"],"created_at":"2024-11-14T21:22:40.154Z","updated_at":"2025-09-25T21:22:33.210Z","avatar_url":"https://github.com/0xrawsec.png","language":"Go","funding_links":["https://github.com/sponsors/0xrawsec"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\u003cimg src=\"assets/logo.svg\" width=\"300\"/\u003e\u003c/div\u003e\n\n[![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/0xrawsec/gene/go.yml?style=for-the-badge)](https://github.com/0xrawsec/gene/actions/workflows/go.yml)\n[![coverage](https://raw.githubusercontent.com/0xrawsec/gene/coverage/.github/coverage/badge.svg)](https://github.com/0xrawsec/gene/blob/coverage/.github/coverage/coverage.txt)\n![GitHub tag (with 
filter)](https://img.shields.io/github/v/tag/0xrawsec/gene?style=for-the-badge\u0026label=version\u0026color=orange)\n[![Documentation](https://img.shields.io/badge/docs-latest-blue.svg?style=for-the-badge\u0026logo=docsdotrs)][doc-link]\n\n[doc-link]: https://rawsec.lu/doc/gene/2.0/\n\n# Gene(sis)\n\nA long long time ago (in 2017), after doing many responses to incidents, I realized \nI was always ending up doing the same thing to search inside Windows EVTX logs: \nwriting a custom script to match log entries against our findings! At that moment I\ndecided to start coding this tool, not only to ease my daily work but also to be able\nto share detection rules between parties.\n\nSince then, the tool has evolved and it can now be used to match against\nany kind of log (formatted in JSON) and has native support for Windows EVTX parsing.\n\n# Some use cases\n\n* Digital forensic analysis\n  * early compromise information collection\n  * infected host analysis\n  * IOC scan on a whole network\n\n* (Retro)Hunt on cold storage\n  * backups\n  * logs forwarded\n \n* Combined with other tools to achieve powerful detection primitives\n  * [Microsoft Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)\n  * [Kunai](https://github.com/0xrawsec/kunai)\n\n# Additional resources\n * To convert old rules (prior to 2.0.0 schema) to the new format, use [migraterule.py](./scripts/migraterule.py)\n * [Where to find rules?](https://github.com/0xrawsec/gene-rules)\n\n# Changelog\n\n## v2.0.0\n  * Code refactoring:\n    * Changes in package organisation\n    * Changes in API definitions\n    * Implementation of an Event interface making APIs more generic\n    * Default actions to apply on detections\n  * Changes in the rule format:\n    * New way to define the events a rule applies to\n    * Schema field to enforce rule format compatibility with engine\n    * Removed trace support (not up to date and not used)\n  * Regex templates defined in **TOML** format\n\n## v1.6.0\n  
* Indirect Match Support (we can now compare two fields of the same event)\n  * Containers are now case insensitive\n  * New `-test` command line switch to create easy Gene unit testing\n\n## v1.5.0\n  * Support for Mitre ATT\u0026CK framework\n  * Changes in the reducer function\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xrawsec%2Fgene","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xrawsec%2Fgene","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xrawsec%2Fgene/lists"}