AttackIQ / pySigma-backend-kusto

GNU Lesser General Public License v3.0

Linux sigma rules to kusto via microsoft xdr #27

Open KyootyBella opened 4 days ago

KyootyBella commented 4 days ago

Rules lying in sigma under the linux folder have the "none" category and break when trying to be converted via the kusto backend.

Routinely getting: Error while conversion: Unable to determine table name for category: None, category is not yet supported by the pipeline. Please provide the 'query_table' parameter to the pipeline instead.

Is there planned support for those rules or shall we use 'query_table' for every rule?

KyootyBella commented 4 days ago

When adding a category to the rule, specifically this rule, sigma convert now gives the following error:

sigma convert -t kusto -p sentinel_asim linux/builtin/lnx_file_copy.yml 
Parsing Sigma rules  [####################################]  100%
Error: Error while conversion: Invalid SigmaDetectionItem field name encountered: None. Please use valid fields for the imProcessCreate table, or the following fields that have fieldmappings in this pipeline:
ActingProcessCommandLine, ActingProcessCreationTime, ActingProcessFileCompany, ActingProcessFileDescription, ActingProcessFileInternalName, ActingProcessFileOriginalName, ActingProcessFileProduct, ActingProcessFileSize, ActingProcessFileVersion, ActingProcessGuid, ActingProcessIMPHASH, ActingProcessId, ActingProcessInjectedAddress, ActingProcessIntegrityLevel, ActingProcessIsHidden, ActingProcessMD5, ActingProcessName, ActingProcessSHA1, ActingProcessSHA256, ActingProcessSHA512, ActingProcessTokenElevation, ActorOriginalUserType, ActorScope, ActorSessionId, ActorUserId, ActorUserIdType, ActorUserType, ActorUsername, ActorUsernameType, CallTrace, CommandLine, Company, Computer, CurrentDirectory, Description, DeviceHostname, DeviceName, Dvc fields, EventID, EventSchema, EventSchemaVersion, EventType, FileVersion, GrantedAccess, Hash, HashType, Hashes, Hostname, Image, InitiatingProcessCommandLine, InitiatingProcessFolderPath, IntegrityLevel, IpAddress, LogonGuid, LogonId, OriginalFileName, ParentCommandLine, ParentImage, ParentIntegrityLevel, ParentProcessCreationTime, ParentProcessFileCompany, ParentProcessFileDescription, ParentProcessFileProduct, ParentProcessFileVersion, ParentProcessGuid, ParentProcessIMPHASH, ParentProcessId, 
ParentProcessInjectedAddress, ParentProcessIntegrityLevel, ParentProcessIsHidden, ParentProcessMD5, ParentProcessName, ParentProcessSHA1, ParentProcessSHA256, ParentProcessSHA512, ParentProcessTokenElevation, ParentUser, Process, ProcessGuid, ProcessId, ProcessIntegrityLevel, ProcessVersionInfoFileDescription, ProcessVersionInfoOriginalFileName, Product, SourceImage, SourceProcessGUID, SourceProcessId, SourceSystem, SourceUser, TargetImage, TargetOriginalUserType, TargetProcessCommandLine, TargetProcessCreationTime, TargetProcessCurrentDirectory, TargetProcessFileCompany, TargetProcessFileDescription, TargetProcessFileInternalName, TargetProcessFileOriginalName, TargetProcessFileProduct, TargetProcessFileSize, TargetProcessFileVersion, TargetProcessGUID, TargetProcessGuid, TargetProcessIMPHASH, TargetProcessId, TargetProcessInjectedAddress, TargetProcessIntegrityLevel, TargetProcessIsHidden, TargetProcessMD5, TargetProcessName, TargetProcessSHA1, TargetProcessSHA256, TargetProcessSHA512, TargetProcessStatusCode, TargetProcessTokenElevation, TargetUser, TargetUserId, TargetUserIdType, TargetUserSessionId, TargetUserType, TargetUsername, TargetUsernameType, TerminalSessionId, TimeGenerated, User, Vendor, md5, sha1, sha256

slincoln-aiq commented 13 hours ago

Hey there,

Thanks for bringing this to my attention! I just released v0.4.1, which fixes the error that's raised in your second comment.

As for the category field, that field is currently used to determine what table to select for the query. I do plan on adding support/mapping out other fields like product & service to tables for each pipeline in the future, but as for now it just relies on the category field or your own supplied query_table parameter.
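
The two behaviours discussed in this thread, the "Unable to determine table name for category: None" error from the first comment and the category-first, query_table-override precedence the maintainer describes above, can be walked through in a small stand-alone model. This is an added example, not code from pySigma-backend-kusto: the category-to-table mappings are assumptions for illustration (imProcessCreate is the table named in the issue; the other names follow ASIM and Microsoft XDR schema naming), the `Rule`/`LogSource` classes stand in for parsed Sigma YAML, and the `Syslog` override table is a placeholder for whatever table holds Linux events in a given workspace.

```python
# Added example (not pySigma-backend-kusto's own code): how a Kusto pipeline can
# pick the target table from a Sigma rule's logsource, why a rule with no
# `category` fails exactly as in the issue, and how a `query_table` override
# (the parameter the error message points to) gets past it.
from dataclasses import dataclass
from typing import Optional

# Assumed category -> table mappings, one per pipeline. imProcessCreate is the
# table named in the issue; the other names follow ASIM / Microsoft XDR schema
# naming and are illustrative, not copied from the project.
TABLE_BY_CATEGORY = {
    "sentinel_asim": {
        "process_creation": "imProcessCreate",
        "file_event": "imFileEvent",
        "network_connection": "imNetworkSession",
    },
    "microsoft_xdr": {
        "process_creation": "DeviceProcessEvents",
        "file_event": "DeviceFileEvents",
        "network_connection": "DeviceNetworkEvents",
    },
}


class TableResolutionError(ValueError):
    """No table could be chosen for the rule (the failure class of the issue)."""


@dataclass(frozen=True)
class LogSource:
    """The `logsource` block of a Sigma rule; every key is optional."""
    category: Optional[str] = None
    product: Optional[str] = None
    service: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    title: str
    logsource: LogSource


def resolve_table(pipeline: str, logsource: LogSource,
                  query_table: Optional[str] = None) -> str:
    """Return the Kusto table to query.

    Precedence follows the maintainer's description: an explicit query_table
    wins; otherwise the logsource category is looked up; product and service
    are not consulted, so a category-less rule fails.
    """
    if query_table:
        return query_table
    if pipeline not in TABLE_BY_CATEGORY:
        raise ValueError(f"unknown pipeline: {pipeline}")
    mapping = TABLE_BY_CATEGORY[pipeline]
    if logsource.category is None or logsource.category not in mapping:
        raise TableResolutionError(
            f"Unable to determine table name for category: {logsource.category}, "
            "category is not yet supported by the pipeline. Please provide the "
            "'query_table' parameter to the pipeline instead."
        )
    return mapping[logsource.category]


def triage_rules(pipeline: str, rules: list) -> tuple:
    """Split a rule set into (title -> table) and titles that need query_table.

    Run this over a rules directory before a bulk `sigma convert`: it tells you
    which rules will fail and must be converted with an explicit table.
    """
    resolved, needs_override = {}, []
    for rule in rules:
        try:
            resolved[rule.title] = resolve_table(pipeline, rule.logsource)
        except TableResolutionError:
            needs_override.append(rule.title)
    return resolved, needs_override


# Constructed sample rule set: a Windows process_creation rule, a Linux
# builtin-style rule with no category (the issue's case), and a file_event rule.
SAMPLE_RULES = [
    Rule("Suspicious Windows Process",
         LogSource(category="process_creation", product="windows")),
    Rule("Linux File Copy", LogSource(product="linux")),
    Rule("Sensitive File Access",
         LogSource(category="file_event", product="windows")),
]


if __name__ == "__main__":
    for pipeline in TABLE_BY_CATEGORY:
        resolved, needs_override = triage_rules(pipeline, SAMPLE_RULES)
        print(pipeline, resolved, "needs query_table:", needs_override)
        # The override that unblocks the category-less Linux rule. "Syslog" is
        # an assumed placeholder for the table that holds Linux events.
        print("  with override:",
              resolve_table(pipeline, SAMPLE_RULES[1].logsource,
                            query_table="Syslog"))
```

The triage step is the practical takeaway for the original question: rather than passing `query_table` for every rule, pre-scan the rule set, convert category-bearing rules as-is, and supply the table only for the rules the scan flags.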

KyootyBella commented 12 hours ago

Sounds perfect. I found a loophole where I could just write windows in the product field instead, which made some of the rules work instantly 😄 Looking forward to testing your fix!