Fixed query table not applied to SigmaRules, added testing for SigmaR…

…ules

sigma/pipelines/azuremonitor/azuremonitor.py

@@ -1,7 +1,9 @@
 from typing import Optional
 
+from sigma.pipelines.kusto_common.postprocessing import (
+    PrependQueryTablePostprocessingItem,
+)
 from sigma.processing.conditions import (
-    # DetectionItemProcessingItemAppliedCondition,
     ExcludeFieldCondition,
     IncludeFieldCondition,
     LogsourceCondition,
@@ -16,7 +18,6 @@
 )
 
 from ..kusto_common.errors import InvalidFieldTransformation
-from ..kusto_common.finalization import QueryTableFinalizer
 from ..kusto_common.schema import create_schema
 from ..kusto_common.transformations import (
     DynamicFieldMappingTransformation,
@@ -215,5 +216,5 @@ def azure_monitor_pipeline(query_table: Optional[str] = None) -> ProcessingPipel
         priority=10,
         items=pipeline_items,
         allowed_backends=frozenset(["kusto"]),
-        finalizers=[QueryTableFinalizer()],
+        postprocessing_items=[PrependQueryTablePostprocessingItem],
     )

sigma/pipelines/kusto_common/conditions.py

@@ -0,0 +1,17 @@
+from dataclasses import dataclass
+from typing import Union
+
+from sigma.correlations import SigmaCorrelationRule
+from sigma.processing.conditions import RuleProcessingCondition
+from sigma.rule import SigmaRule
+
+
+@dataclass
+class QueryTableSetCondition(RuleProcessingCondition):
+    def match(
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",  # noqa: F821 # type: ignore
+        rule: Union[SigmaRule, SigmaCorrelationRule],
+    ) -> bool:
+        """Match condition on Sigma rule."""
+        return pipeline.state.get("query_table", None) is not None

sigma/pipelines/kusto_common/postprocessing.py

@@ -0,0 +1,19 @@
+from sigma.processing.pipeline import QueryPostprocessingItem
+from sigma.processing.postprocessing import QueryPostprocessingTransformation
+from sigma.rule import SigmaRule
+
+from ..kusto_common.conditions import QueryTableSetCondition
+
+
+class PrependQueryTablePostprocessingItem(QueryPostprocessingTransformation):
+    def apply(self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: str) -> str:  # type: ignore # noqa: F821
+        return f"{pipeline.state['query_table']}\n| where {query}"
+
+
+PrependQueryTablePostprocessingItem = QueryPostprocessingItem(
+    identifier="kusto_prepend_query_table",
+    transformation=PrependQueryTablePostprocessingItem(),
+    rule_conditions=[
+        QueryTableSetCondition(),
+    ],
+)

sigma/pipelines/microsoftxdr/microsoftxdr.py

@@ -17,7 +17,7 @@
 )
 
 from ..kusto_common.errors import InvalidFieldTransformation
-from ..kusto_common.finalization import QueryTableFinalizer
+from ..kusto_common.postprocessing import PrependQueryTablePostprocessingItem
 from ..kusto_common.schema import create_schema
 from ..kusto_common.transformations import (
     DynamicFieldMappingTransformation,
@@ -253,5 +253,5 @@ def microsoft_xdr_pipeline(
         priority=10,
         items=pipeline_items,
         allowed_backends=frozenset(["kusto"]),
-        finalizers=[QueryTableFinalizer()],
+        postprocessing_items=[PrependQueryTablePostprocessingItem],
     )

sigma/pipelines/sentinelasim/sentinelasim.py

@@ -1,5 +1,8 @@
 from typing import Optional
 
+from sigma.pipelines.kusto_common.postprocessing import (
+    PrependQueryTablePostprocessingItem,
+)
 from sigma.processing.conditions import (
     DetectionItemProcessingItemAppliedCondition,
     ExcludeFieldCondition,
@@ -16,7 +19,6 @@
 )
 
 from ..kusto_common.errors import InvalidFieldTransformation
-from ..kusto_common.finalization import QueryTableFinalizer
 from ..kusto_common.schema import create_schema
 from ..kusto_common.transformations import (
     DynamicFieldMappingTransformation,
@@ -219,5 +221,5 @@ def sentinel_asim_pipeline(
         priority=10,
         items=pipeline_items,
         allowed_backends=frozenset(["kusto"]),
-        finalizers=[QueryTableFinalizer()],
+        postprocessing_items=[PrependQueryTablePostprocessingItem],
     )