pySigma
Python library to parse and convert Sigma rules into queries (and whatever else you could imagine)
I'm getting my hands on correlations and am trying to support that in our PySigma Backend. Given this rule taken from the official sigma-specification repo: ```yaml title: Correlation - Multiple...
This is currently a draft. Would close #128 The goal of this PR is to make it possible to use a yaml parser that has the most intensive parts written in...
Expected behaviour when using `AddConditionTransformation` on a `1 of them`/`any of them` condition?
I encountered the following behaviour when using the `AddConditionTransformation` on a rule using a `1 of them` condition: Consider the following rule: ```yaml detection: a: ... b: ... condition: 1...
At [this location](https://github.com/SigmaHQ/pySigma/blob/80902f2db11bdd57f2ee7d48c483c24d5cdbcd90/sigma/conversion/base.py#L147) the final conversion processing pipeline is created for each rule conversion. This is currently necessary because a processing pipeline also maintains a state and its recreation is...
I ran some profiling on our code that runs pysigma. It turns out that a significant amount of time is spent in pyyaml. Would you be open to accepting a...
### Discussed in https://github.com/SigmaHQ/pySigma/discussions/80 Originally posted by **barvhaim** December 6, 2022 Hello, I am migrating the STIX backend to pySigma, in order to translate rules that include `not x`, we don't...
This class will help with the implementation of programmatic transformations, i.e., bulk converting field names to `snake_case`, etc.
In the current version custom fields are ignored in the logsource section. The side effect is that you cannot detect typo errors and the rule will be loaded. Like in...
Looking for guidance: I wonder how I can create a pipeline yml file that simply drops unsupported fields present in the rule that aren't supported by my backend. For example,...
There are times when you need to compare two substrings that you pull apart using Regex, and in Splunk you can easily use named capture groups. Consider the following query:...