AttackIQ / pySigma-backend-kusto

GNU Lesser General Public License v3.0

Remove newline character after table name #20

Closed xg5-simon closed 7 months ago

xg5-simon commented 7 months ago

Hi Team,

First, awesome work on this sigma backend!

The finalize_query_default function in the microsoft365defender.py backend has a hardcoded \n. This is great for an analyst's readability when printing the rule to the terminal, but it has the potential to break when creating rules to be consumed by an API.

FYSA, I'm using the following post processing pipeline to convert sigma rules to KQL wrapped in JSON for use with the MDE API and the rule is rendered as:

  {
    "queryDescription": "Uncommon Child Process Of AddinUtil.EXE",
    "query": "DeviceProcessEvents 
| where InitiatingProcessFolderPath endswith \"\\addinutil.exe\""
  }

mdepipeline.yml

postprocessing:
- type: template
  template: |+
    {
      "queryDescription": "{{ rule.title }}",
      "query": "{{ query }} | order by Timestamp asc"
    }
finalizers:
- type: concat
  separator: |
    ,
  prefix: |
    [
  suffix: |
    ]

My recommendation is to remove the hard-coded newline so that converted rules can be consumed by APIs; users can then use the Format Document or Format Selection options within MDE or Sentinel.

xg5-simon commented 7 months ago

Although I think it's better to remove hard-coded newlines, here is how I used Jinja2 statements and filters to convert the query output to JSON.

postprocessing:
- type: template
  template: |+
    {
      "queryDescription": "{{ rule.title }}",
      "query": {% set timesort = " | order by Timestamp asc" %} {% set query = query|replace('\n', ' ') ~ timesort %} {{ query | tojson }}
    }
finalizers:
- type: concat
  separator: |
    ,
  prefix: |
    [
  suffix: |
    ]
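As an added example (not code from the issue or from the pySigma-backend-kusto project), here is a Python model of the two pipelines above: the first template drops the backend's query straight into a JSON string literal, the second collapses the newline and JSON-encodes it (json.dumps here stands in for Jinja2's tojson filter), and the concat finalizer wraps the documents in an array. The sample title, query and the function names are constructed for the example; json.loads plays the role of the strict parse an API consumer would perform.

```python
import json

# Constructed sample of what the backend emits: the hard-coded newline after the
# table name from the issue, plus a KQL string literal whose quotes and backslash
# must survive JSON encoding.
TITLE = "Uncommon Child Process Of AddinUtil.EXE"
QUERY = 'DeviceProcessEvents\n| where InitiatingProcessFolderPath endswith "\\\\addinutil.exe"'
TIMESORT = " | order by Timestamp asc"


def render_raw(title: str, query: str) -> str:
    """Mirror the first template: the query is interpolated into the JSON literal as-is."""
    return '{\n  "queryDescription": "%s",\n  "query": "%s%s"\n}\n' % (title, query, TIMESORT)


def render_tojson(title: str, query: str) -> str:
    """Mirror the second template: replace newlines with spaces, append the sort
    clause, then JSON-encode the result so quotes and backslashes are escaped."""
    flat = query.replace("\n", " ") + TIMESORT
    return '{\n  "queryDescription": "%s",\n  "query": %s\n}\n' % (title, json.dumps(flat))


def concat_finalizer(documents: list) -> str:
    """Mirror the concat finalizer: ',' separator, '[' prefix, ']' suffix (each with
    the trailing newline the YAML block scalars carry)."""
    return "[\n" + ",\n".join(documents) + "]\n"


def parse_or_none(text: str):
    """Strict JSON parse, as an API client would do; None when the document is invalid."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    # The raw template yields an unparseable document (control character in a string);
    # the tojson template yields a valid array of one rule with a single-line query.
    print("raw parses:", parse_or_none(concat_finalizer([render_raw(TITLE, QUERY)])) is not None)
    print("tojson parses:", parse_or_none(concat_finalizer([render_tojson(TITLE, QUERY)])) is not None)
```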