Fixed query table not applied to SigmaRules, added testing for SigmaRules
1 parent
9e81001
commit 697a2d0
Showing
8 changed files
with
1,236 additions
and
1,346 deletions.
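--- /dev/null
+++ b/<PATH-NOT-SHOWN-conditions-module>
@@ -0,0 +1,17 @@
+from dataclasses import dataclass
+from typing import Union
+
+from sigma.correlations import SigmaCorrelationRule
+from sigma.processing.conditions import RuleProcessingCondition
+from sigma.rule import SigmaRule
+
+
+@dataclass
+class QueryTableSetCondition(RuleProcessingCondition):
+    def match(
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline", # noqa: F821 # type: ignore
+        rule: Union[SigmaRule, SigmaCorrelationRule],
+    ) -> bool:
+        """Match condition on Sigma rule."""
+        return pipeline.state.get("query_table", None) is not None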
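Review bot: The docstring on `match` ("Match condition on Sigma rule.") does not say what is being tested, so a reader of a pipeline definition has to open the body to learn that the condition passes only when the pipeline state carries a `query_table` entry. Suggest `"""Return True when the pipeline state has a `query_table` entry (presumably set by an earlier pipeline step), so table-dependent postprocessing only runs when a target table is known."""`. The `None` default on the last line is redundant with `dict.get`'s own default; `return pipeline.state.get("query_table") is not None` reads the same. Note that a present-but-empty value such as `""` still satisfies the check since only `None` is excluded — worth confirming that is intended, given the value is later used verbatim.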
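--- /dev/null
+++ b/<PATH-NOT-SHOWN-postprocessing-module>
@@ -0,0 +1,19 @@
+from sigma.processing.pipeline import QueryPostprocessingItem
+from sigma.processing.postprocessing import QueryPostprocessingTransformation
+from sigma.rule import SigmaRule
+
+from ..kusto_common.conditions import QueryTableSetCondition
+
+
+class PrependQueryTablePostprocessingItem(QueryPostprocessingTransformation):
+    def apply(self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: str) -> str: # type: ignore # noqa: F821
+        return f"{pipeline.state['query_table']}\n| where {query}"
+
+
+PrependQueryTablePostprocessingItem = QueryPostprocessingItem(
+    identifier="kusto_prepend_query_table",
+    transformation=PrependQueryTablePostprocessingItem(),
+    rule_conditions=[
+        QueryTableSetCondition(),
+    ],
+)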
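Review bot: The module-level assignment `PrependQueryTablePostprocessingItem = QueryPostprocessingItem(...)` rebinds the very name the class was given eight lines earlier, so after import the transformation class is unreachable by name and the identifier means two different things depending on where in the file one reads it. Give the class its own name, e.g. `class PrependQueryTableTransformation(QueryPostprocessingTransformation):` and `transformation=PrependQueryTableTransformation(),`, and keep the item name for the `QueryPostprocessingItem` instance. The `apply` signature annotates `rule: SigmaRule` while the companion `QueryTableSetCondition.match` in the other new file accepts `Union[SigmaRule, SigmaCorrelationRule]`; the narrower annotation here looks unintentional and is worth aligning. Since `pipeline.state['query_table']` is interpolated verbatim into the emitted KQL, a one-line docstring on `apply` stating that the value is expected to be a plain table identifier supplied by the pipeline configuration would make that contract explicit.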