Create separate files for converted rules in specified directory

[Mat0vu]

Hi everyone,

it would be great if there would be an option like -o that specifies an output, but instead of a file, it would accept a directory.

The issue with -o is, that when multiple rules are converted (like e.g. sigma convert rules/* -p ecs_windows -t esql -o translated_rules/rules.txt), then all rules from the rules/ directory are translated and written in the rules.txt file.

rules/
├── rule_1.yml
├── rule_2.yml
├── rule_3.yml

The current output looks like this, where rules.txt contains all three translated rules.

translated_rules/
├── rules.txt

---

To make it easier to only upload changed rules into Elasticsearch it would be nice to have separate files for all the rules.

The desired output would look somehow like this.

translated_rules/
├── rule_1.txt
├── rule_2.txt
├── rule_3.txt

This would also make it much easier to track changes in the converted rule with version control.

Maybe some people also have the use-case of nested rules/ directories which they would like to be mirrored to the translated_rules. For example:

(translated_)rules/
├── windows/
│   └── rule_1.yml
│   └── rule_2.yml
├── linux/
│   └── rule_3.yml
│   └── rule_4.yml

I have not seen a way to achieve this with sigma-cli yet. But it would be really nice to be able to create separate files in a specified directory for the converted rules.