Fixed sentinelasim pipeline bugs, added basic test for sentinelasim p…

…ipeline
AttackIQ · Sep 9, 2024 · 68e9d47 · 68e9d47
1 parent 6d6b133
commit 68e9d47
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 4 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pySigma-backend-kusto"
-version = "0.3.1"
+version = "0.3.2"
 description = "pySigma Kusto backend"
 authors = ["Stephen Lincoln <stephen.lincoln@attackiq.com>"]
 license = "LGPL-3.0-only"

diff --git a/sigma/pipelines/sentinelasim/sentinelasim.py b/sigma/pipelines/sentinelasim/sentinelasim.py
@@ -19,14 +19,18 @@
 from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline
 from sigma.rule import SigmaDetectionItem, SigmaDetection
 
-from .microsoft365defender import (
+from sigma.pipelines.microsoft365defender.microsoft365defender import (
     SplitDomainUserTransformation,
     HashesValuesTransformation,
     RegistryActionTypeValueTransformation,
     ParentImageValueTransformation,
     InvalidFieldTransformation,
 )
 
+from sigma.pipelines.microsoft365defender.finalization import Microsoft365DefenderTableFinalizer
+from sigma.pipelines.microsoft365defender.transformations import SetQueryTableStateTransformation
+
+
 process_events_table = 'imProcessCreate'
 registry_events_table = 'imRegistry'
 file_events_table = 'imFileEvent'
@@ -307,7 +311,7 @@
 query_table_proc_items = [
     ProcessingItem(
         identifier=f"microsoft_365_defender_set_query_table_{table_name}",
-        transformation=SetStateTransformation("query_table", table_name),
+        transformation=SetQueryTableStateTransformation(table_name),
         rule_conditions=[
             category_to_conditions_mappings[rule_category] for rule_category in rule_categories
         ],
@@ -465,7 +469,7 @@
 ]
 
 
-def sentinel_asim_pipeline(transform_parent_image: Optional[bool] = True) -> ProcessingPipeline:
+def sentinel_asim_pipeline(transform_parent_image: Optional[bool] = True, query_table: Optional[str] = None) -> ProcessingPipeline:
     """Pipeline for transformations for SigmaRules to use with the Sentinel ASIM Functions
 
     :param transform_parent_image: If True, the ParentImage field will be mapped to InitiatingProcessParentFileName, and
@@ -496,4 +500,5 @@ def sentinel_asim_pipeline(transform_parent_image: Optional[bool] = True) -> Pro
         priority=10,
         items=pipeline_items,
         allowed_backends=frozenset(["kusto"]),
+        finalizers=[Microsoft365DefenderTableFinalizer(table_names=query_table)]
     )
diff --git a/tests/test_pipelines_sentinelasim.py b/tests/test_pipelines_sentinelasim.py
@@ -0,0 +1,26 @@
+import pytest
+from sigma.exceptions import SigmaTransformationError
+from sigma.pipelines.microsoft365defender.microsoft365defender import InvalidHashAlgorithmError
+
+from sigma.backends.kusto import KustoBackend
+from sigma.collection import SigmaCollection
+from sigma.pipelines.sentinelasim import sentinel_asim_pipeline
+
+
+def test_sentinel_asim_basic_conversion():
+    """Tests splitting username up into different fields if it includes a domain"""
+    assert KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert(
+        SigmaCollection.from_yaml("""
+                title: Test
+                status: test
+                logsource:
+                    category: process_creation
+                    product: windows
+                detection:
+                    sel1:
+                        CommandLine: command1
+                    condition: any of sel*
+            """)
+    ) == ['imProcessCreate\n| '
+          'where TargetProcessCommandLine =~ "command1"']
+