📋 Rules supported
The analysis pipeline evaluates Sigma rules (YAML) against log entries extracted from parser outputs. Rules are user-provided; multiple documents can be concatenated with ---.
Sigma rule format
Rules follow the Sigma schema. Supported fields include title, id, description, status, level (critical / high / medium / low), and detection selection / condition.
title: Android Root Access Detection
id: android-root-001
description: Detects execution of su or root access on Android
status: experimental
level: critical
logsource:
  category: android
detection:
  selection:
    field: "process"
    contains: "su"
  condition: selection
Rule levels
- critical — Critical security events (e.g. root access)
- high — High-risk behaviour (e.g. suspicious installs, exfiltration)
- medium — Medium-risk (e.g. system modification attempts)
- low — Low-risk or informational
Rules list
Rules are auto-loaded from /rules/ (20 files: NSO, Cellebrite, Novispy, FinFisher, Donot, Cytrox, CVE, and others). The analysis page fetches and concatenates them for Sigma evaluation.
🔧 Parsers & extracted data
Each parser reads specific parts of the bugreport and produces structured output. The fields below are those used in the UI and for Sigma detection.
📝 Header parser
Device identity and build from bugreport header.
- Android SDK version, Build ID, Kernel version
- Manufacturer & model (from Build fingerprint)
- Output:
device_info (manufacturer, model, android_version, build_id, kernel_version)
🔋 Battery parser
Per-app battery and usage stats.
- package_name, uid
- cpu_system_time_ms, cpu_user_time_ms, total_cpu_time_ms
- network_rx_mobile, network_rx_wifi, network_tx_mobile, network_tx_wifi, total_network_bytes
- total_wakelock_time_ms, total_job_time_ms, foreground_service_time_ms, total_job_count
- Output:
battery_apps (list of app usage entries)
📦 Package parser
Installed packages, install history, and comprehensive package details with permissions.
- Install logs: event_type, timestamp, versionCode, request_from, stagedDir, observer, caller, user, flags
- Packages: package_name, installer, timestamp, version_code, success, duration_seconds
- Package details: package_name, version_code, version_name, app_id, target_sdk, min_sdk, code_path, data_dir, resource_path, primary_cpu_abi, installer_package_name, initiating_package_name, originating_package_name, package_source, last_update_time, time_stamp, category, flags, pkg_flags, private_flags, signatures, apk_signing_version, permissions (granted/denied), install_logs, users (with per-user permissions)
- User information: user_id, first_install_time, last_disabled_caller, data_dir, enabled, installed, stopped, suspended, hidden, install_reason, permissions (per-user granted/denied with flags)
- Output:
packages, package_details, package_count
⚙️ Process parser
Running processes and resource usage.
- pid, cmd (process name), user
- Threads: cpu_percent per thread, aggregated for process
- res (memory), virt (virtual memory), pcy (scheduling policy)
- Output:
processes, process_count
⚡ Power parser
Power and wake history.
- Entries keyed by timestamp; each has reason, history_events, stack_trace
- history_events: event_type, timestamp, details, flags (e.g. SCREEN_ON, SCREEN_OFF, WAKE_LOCK)
- stack_trace: list of stack trace lines
- Output:
power_history
🌐 Network parser
Interfaces, network stats, and sockets.
- interfaces: name, ip_addresses, flags, rx_bytes, tx_bytes, mtu
- network_stats: network_type, wifi_network_name, rx/tx bytes/packets, default_network, metered, rat_type, subscriber_id
- sockets: protocol, local/remote address & port, state, uid, inode, recv_q, send_q, socket_key, additional_info
- Output:
network_info, network_stats, sockets
📶 Bluetooth parser
Bluetooth adapter and paired/bonded devices.
- adapter_properties: Name, Address, State, ConnectionState, Discovering, A2dpOffloadEnabled, MaxConnectedAudioDevices, SarHistory, SarStatus, SarType
- devices: name, mac_address, device_type, device_class, connected, transport_type, services
- Output:
bluetooth_info (adapter_properties, devices)
🔌 USB parser
USB ports and connected devices with events.
- Ports: port_name, connected_device
- connected_devices: driver, interface, first_seen, last_seen, last_action, events (action, timestamp, driver, interface)
- Output:
usb_info (ports, connected_devices)
💥 Crash parser
ANR and native crash data.
- anr_files: files (filename, size, timestamp, etc.), total_size
- anr_trace: subject, header, process_info, threads (name, tid, status, stack_trace with method/file_loc/line_number or address/library/details)
- tombstones: array of native crash objects (process_name, signal, code, timestamp, pid, tid, thread_name, fault_addr, backtrace)
- Output:
crash_info (anr_files, anr_trace, tombstones)
🔍 Detection
Detection is based on Sigma. Log entries are built from parser outputs via extract_all_log_entries; the Sigma engine evaluates each rule against these entries. Matches produce rule_id, rule_title, level, and matched_log (the log fields that matched).
What is evaluated
- Structured log entries derived from Header, Battery, Package, Process, Power, Network, Bluetooth, USB, and Crash parser results
- Rule conditions (selection/condition) are applied to the key–value fields of each entry
- Rules are supplied at analysis time as YAML (single or multiple documents separated by ---)
Match output
Each match includes the rule identifier, title, severity level, and the actual log payload (matched_log) so analysts can see exactly which data triggered the rule.
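The following is an added example, not the project's own code, that ties the rule format described earlier on this page to the detection flow in this section. It splits rules concatenated with ---, parses the page's selection dialect (a field key plus a contains test), flattens constructed parser output into flat log entries the way an extract_all_log_entries step would, evaluates the condition with Sigma's not/and/or precedence, and emits matches in the rule_id / rule_title / level / matched_log shape. The small YAML-subset parser (standing in for PyYAML), the startswith test, the second rule, the flat entry layout and every sample value are assumptions of mine and not part of the project.

```python
# Added example, not the project's code. Assumptions: this page's selection dialect (a `field`
# key plus one test key), flat entry dicts, and a YAML-subset parser in place of PyYAML.
from __future__ import annotations

def parse_rules(text: str) -> list[dict]:
    """Split '---'-concatenated rules; parse each indentation-nested 'key: value' doc."""
    rules, stack = [], []  # stack holds (indent, mapping being filled) for one document
    for raw in text.splitlines() + ["---"]:
        if raw.strip() == "---":  # document boundary: flush the root mapping
            if stack:
                rules.append(stack[0][1])
            stack = []
        elif raw.strip():
            stack = stack or [(-1, {})]
            indent = len(raw) - len(raw.lstrip(" "))
            key, _, value = raw.strip().partition(":")  # scalars must not contain ':'
            while indent <= stack[-1][0]:  # dedent closes deeper mappings
                stack.pop()
            if value.strip():  # scalar leaf, surrounding quotes dropped
                stack[-1][1][key] = value.strip().strip("'\"")
            else:  # nested mapping follows on deeper-indented lines
                stack[-1][1][key] = child = {}
                stack.append((indent, child))
    return rules

def extract_all_log_entries(parser_output: dict) -> list[dict]:
    """Flatten every parser's records into flat entries tagged with their source."""
    return [{"source": src, **rec} for src, recs in parser_output.items() for rec in recs]

def selection_matches(selection: dict, entry: dict) -> bool:
    """One field, one test; case-insensitive as in Sigma; a missing field never matches."""
    if selection.get("field") not in entry:
        return False
    value = str(entry[selection["field"]]).lower()
    if "contains" in selection:
        return selection["contains"].lower() in value
    if "startswith" in selection:
        return value.startswith(selection["startswith"].lower())
    return False

def eval_condition(condition: str, results: dict) -> bool:
    """Sigma precedence: not binds tightest, then and, then or (no parentheses here)."""
    def term(tokens: list) -> bool:
        tok = tokens.pop(0)
        return not term(tokens) if tok == "not" else results[tok]
    def conj(tokens: list) -> bool:
        value = term(tokens)
        while tokens:
            if tokens.pop(0) != "and":
                raise ValueError(f"unexpected token in condition {condition!r}")
            value = term(tokens) and value
        return value
    return any([conj(c.split()) for c in " ".join(condition.split()).split(" or ")])

def evaluate_rules(rules: list[dict], entries: list[dict]) -> list[dict]:
    """One match per (rule, entry) pair, in the match shape described on the page."""
    matches = []
    for rule in rules:
        detection = rule["detection"]
        selections = {k: v for k, v in detection.items() if k != "condition"}
        for entry in entries:
            results = {n: selection_matches(s, entry) for n, s in selections.items()}
            if eval_condition(detection.get("condition", "selection"), results):
                matches.append({"rule_id": rule["id"], "rule_title": rule["title"],
                                "level": rule["level"], "matched_log": entry})
    return matches

# Constructed input: the page's rule (abbreviated), then a rule of my own with a filter.
RULES_YAML = """\
title: Android Root Access Detection
id: android-root-001
level: critical
detection:
  selection:
    field: "process"
    contains: "su"
  condition: selection
---
title: Unknown installer outside com.android (constructed)
id: example-installer-001
level: high
detection:
  selection:
    field: installer
    contains: unknown
  filter:
    field: package_name
    startswith: com.android.
  condition: selection and not filter
"""

PARSER_OUTPUT = {  # constructed; `process` is the field the page's sample rule targets
    "processes": [{"pid": 1234, "process": "/system/xbin/su", "user": "root"},
                  {"pid": 1412, "process": "com.samsung.android.messaging", "user": "u0_a40"}],
    "packages": [{"package_name": "com.example.dropper", "installer": "unknown"},
                 {"package_name": "com.android.vending", "installer": "unknown"}],
}

def run_example() -> list[dict]:
    # "sam-su-ng" also satisfies `contains: su`: substring tests need tightening in practice.
    return evaluate_rules(parse_rules(RULES_YAML), extract_all_log_entries(PARSER_OUTPUT))
```

Running run_example() yields three matches: the page's root-access rule fires on /system/xbin/su and, as a false positive, on com.samsung.android.messaging, because a bare contains: "su" matches any process name containing those two letters; the second rule shows the usual Sigma pattern of a broad selection narrowed by a filter, so com.android.vending is excluded while com.example.dropper is reported. When tuning rules of the kind listed under Rules list, anchoring on the executable's full path or name rather than a short substring keeps the critical level meaningful.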