pySigma NetWitness Backend

This is the NetWitness backend for pySigma. It provides the package sigma.backends.netwitness with the NetWitnessBackend class. Further, it contains the following processing pipelines in sigma.pipelines.netwitness:

• netwitness_windows_pipeline: NetWitness mapping and conversions for Windows

This backend is currently maintained by:

• Marcel Kwaschny
• Nik Stuckenbrock
• puQy

Requirements

• pySigma

Installation

pip install pysigma-backend-netwitness

Example

• Create a file main.py with:

from sigma.collection import SigmaCollection
from sigma.backends.netwitness.netwitness import NetWitnessBackend
from sigma.pipelines.netwitness.windows import netwitness_windows_pipeline

netwitness_backend = NetWitnessBackend(processing_pipeline=netwitness_windows_pipeline())

conversion_result: list[str] = netwitness_backend.convert(
    SigmaCollection.from_yaml(
        """
        title: Test
        status: test
        logsource:
            product: windows
            category: process_creation
        detection:
            sel:
                CommandLine: test
            condition: sel
        """
    )
)

print(conversion_result[0])

Run the example with:

$ python main.py

reference.id = '4688' && param = 'test'