Open Sentinel-Siem opened 5 days ago
Thanks for raising this issue! This should be fixed in v0.4.1 which I just released. Let me know if you're still having issues after using the new version.
Hello, there seems to be some progress but the original issue is still present.
Now when I'm running the example Sigma rule from the command line, "sigma convert -t kusto -p microsoft_xdr mimikatz.yml", I can see the table in the output.
When running from Python there is still no table in the output.
My apologies, I switched from automatically applying the pipeline via the backend in the recent versions and forgot to update this example to reflect that change. I've updated it, and it now reads:
```python
from sigma.rule import SigmaRule
from sigma.backends.kusto import KustoBackend
from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline

# Load your Sigma rule
rule = SigmaRule.from_yaml(
    """
title: Mimikatz CommandLine
status: test
logsource:
    category: process_creation
    product: windows
detection:
    sel:
        CommandLine|contains: mimikatz.exe
    condition: sel
"""
)

# Convert the rule: the backend no longer applies the pipeline automatically,
# so it is passed explicitly here
xdr_pipeline = microsoft_xdr_pipeline()
backend = KustoBackend(processing_pipeline=xdr_pipeline)
print(backend.convert_rule(rule)[0])
```
Please try the new example, it should work as expected
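A small self-check for the symptom discussed in this thread, written as an added example rather than code from the project or from either participant: it converts the rule with the pipeline passed explicitly to the backend, and a helper reports which table (if any) the resulting KQL reads from, so a missing table shows up as a failed assertion instead of having to be spotted by eye. It assumes pySigma and pySigma-backend-kusto are installed (the imports are local to the conversion function so the helper can be used without them), and it uses the `query_table` keyword exactly as the reporter did; the sample queries below are constructed for illustration.

```python
"""Convert a Sigma rule to KQL and check that the query names a source table."""
from __future__ import annotations

# Constructed sample rule, same shape as the one in the thread.
RULE_YAML = """
title: Mimikatz CommandLine
status: test
logsource:
    category: process_creation
    product: windows
detection:
    sel:
        CommandLine|contains: mimikatz.exe
    condition: sel
"""


def table_of(query: str) -> str | None:
    """Return the table a tabular KQL query reads from, or None if there is none.

    A tabular statement starts with its table followed by the first pipe,
    e.g. 'DeviceProcessEvents | where ...'. A bare expression with no pipe
    (the bug report's 'CommandLine contains "mimikatz.exe"') or a statement
    that begins with an operator clause has no table.
    """
    if "|" not in query:
        return None  # bare expression, no tabular source at all
    head = query.split("|", 1)[0].strip()
    if not head or " " in head:
        return None  # leading pipe, or an operator clause where the table should be
    return head


def convert(rule_yaml: str, query_table: str | None = None) -> str:
    """Convert a Sigma rule with the Microsoft XDR pipeline applied explicitly.

    Assumes pySigma and pySigma-backend-kusto are installed. The pipeline is
    handed to the backend rather than relying on the backend to apply it.
    """
    from sigma.rule import SigmaRule
    from sigma.backends.kusto import KustoBackend
    from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline

    kwargs = {"query_table": query_table} if query_table else {}
    pipeline = microsoft_xdr_pipeline(**kwargs)
    backend = KustoBackend(processing_pipeline=pipeline)
    return backend.convert_rule(SigmaRule.from_yaml(rule_yaml))[0]


if __name__ == "__main__":
    # Default pipeline table, then the explicit override from the bug report.
    for override in (None, "SecurityEvent"):
        query = convert(RULE_YAML, query_table=override)
        print(query)
        table = table_of(query)
        assert table is not None, "backend emitted a query with no table"
        if override:
            assert table == override, f"expected {override!r}, got {table!r}"
```

Running the script against an installation that still shows the bug makes the first assertion fail with the exact query that was produced, which is the same information the reporter collected by hand above.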
Hello,
I have tried setting up sigma-cli and pySigma-backend-kusto, but the examples in the README do not produce the same results.
Steps:
1. Install Python 3.12
2. pip install pysigma-backend-kusto (0.4.0)
3. pip install sigma-cli (1.0.4) (pysigma version 0.11.14)
4. Copy the contents of README quick start 3. to a file, save it as file.py, run python3 file.py. This outputs `CommandLine contains "mimikatz.exe"` (table is missing).
5. Copy the contents of the Python script from the paragraph - also no table in the output.
6. Modify the Python to change the pipeline to `microsoft_xdr_pipeline(query_table="SecurityEvent")`. Run the script, still no table name in the output.