AttackIQ / pySigma-backend-kusto

GNU Lesser General Public License v3.0

Table missing from output #28

Open Sentinel-Siem opened 5 days ago

Sentinel-Siem commented 5 days ago

Hello,

I have tried setting up sigma-cli and pySigma-backend-kusto, but the examples in the readme do not produce the same results.

Steps:
  - Install Python 3.12
  - pip install pysigma-backend-kusto (0.4.0)
  - pip install sigma-cli (1.0.4) (pysigma version 0.11.14)

  1. Copy the contents of readme quick start 3. to a file, save it as file.py, and run python3 file.py. This outputs "CommandLine contains "mimikatz.exe"" (table is missing).

  2. Copy the contents of the python script from the paragraph - also no table in the output.

  3. Modify the python to change the pipeline to pipeline = microsoft_xdr_pipeline(query_table="SecurityEvent"). Run the script; still no table name in the output.

slincoln-aiq commented 4 days ago

Thanks for raising this issue! This should be fixed in v0.4.1 which I just released. Let me know if you're still having issues after using the new version.

Sentinel-Siem commented 2 days ago

Hello, there seems to be some progress but the original issue is still present.

Now when I'm running the example sigma rule from the command line, "sigma convert -t kusto -p microsoft_xdr mimikatz.yml", I can see the table in the output.

When running from python there is still no table in the output.

slincoln-aiq commented 1 day ago

My apologies, I switched from automatically applying the pipeline via the backend in the recent versions and forgot to update this example to reflect that change. I've updated it, and it now reads:

   from sigma.rule import SigmaRule

   from sigma.backends.kusto import KustoBackend
   from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline

   # Load your Sigma rule
   rule = SigmaRule.from_yaml(
      """
      title: Mimikatz CommandLine
      status: test
      logsource:
            category: process_creation
            product: windows
      detection:
            sel:
               CommandLine|contains: mimikatz.exe
            condition: sel
      """
   )

   # Convert the rule
   xdr_pipeline = microsoft_xdr_pipeline()
   backend = KustoBackend(processing_pipeline=xdr_pipeline)
   print(backend.convert_rule(rule)[0])

Please try the new example; it should work as expected.
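A small regression check for the problem in this thread, added here as an example and not part of the project or the maintainer's reply: a KQL query that the backend emits without a processing pipeline starts with a bare field expression instead of a table name, and such a query will not run in Sentinel or advanced hunting. The check below extracts the leading table name from a converted query and returns None when there is none. The sample query strings are constructed to illustrate the two shapes and are not captured output; the optional conversion helper uses only the classes shown in the thread (SigmaRule, KustoBackend, microsoft_xdr_pipeline) and simply returns None when pysigma-backend-kusto is not installed, so the offline checks still run.

```python
"""Check that a Kusto query produced by pySigma names its table.

Added example, not pySigma-backend-kusto's own code. A KQL query begins with a
table name followed by a pipeline operator (or is the bare table name); a
query that starts with a column expression or with `| where` has no table.
"""
import re
from typing import Optional, Tuple

# Constructed samples (assumed shapes, not captured output): a query with the
# XDR pipeline applied and two shapes of query that lack a table.
WITH_TABLE = 'DeviceProcessEvents\n| where ProcessCommandLine contains "mimikatz.exe"'
WITHOUT_TABLE = 'CommandLine contains "mimikatz.exe"'
PIPE_ONLY = '| where CommandLine contains "mimikatz.exe"'

# A leading identifier that is immediately followed by a newline, a pipe,
# or end of query. "CommandLine contains ..." fails because a second word
# follows the identifier.
_TABLE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:\n|\||$)")

# Example rule from the thread, reused as the conversion input.
MIMIKATZ_RULE = """
title: Mimikatz CommandLine
status: test
logsource:
    category: process_creation
    product: windows
detection:
    sel:
        CommandLine|contains: mimikatz.exe
    condition: sel
"""


def kusto_table(query: str) -> Optional[str]:
    """Return the table a KQL query reads from, or None if it has none."""
    match = _TABLE_RE.match(query)
    return match.group(1) if match else None


def table_missing(query: str) -> bool:
    """True when the query would fail for want of a table (the bug reported)."""
    return kusto_table(query) is None


def convert_with_and_without_pipeline(rule_yaml: str) -> Optional[Tuple[str, str]]:
    """Convert a rule once without and once with the XDR pipeline.

    Returns (bare_query, piped_query), or None when pysigma-backend-kusto is
    not importable, so the offline checks above do not depend on it.
    """
    try:
        from sigma.rule import SigmaRule
        from sigma.backends.kusto import KustoBackend
        from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline
    except ImportError:
        return None
    rule = SigmaRule.from_yaml(rule_yaml)
    bare = KustoBackend().convert_rule(rule)[0]
    # The pipeline must be handed to the backend explicitly (the fix in the
    # thread); it is what supplies the table name and field mappings.
    piped = KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert_rule(rule)[0]
    return bare, piped


if __name__ == "__main__":
    for label, query in (("with pipeline", WITH_TABLE), ("without", WITHOUT_TABLE)):
        print(f"{label}: table={kusto_table(query)!r}")
    converted = convert_with_and_without_pipeline(MIMIKATZ_RULE)
    if converted is None:
        print("pysigma-backend-kusto not installed; skipped live conversion")
    else:
        bare, piped = converted
        print("bare backend:", "missing table" if table_missing(bare) else kusto_table(bare))
        print("with XDR pipeline:", kusto_table(piped))
```

Run it after upgrading to see whether the pipeline-applied conversion now names a table; the check is deliberately independent of which table the pipeline picks, since that depends on the rule's logsource.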