SigmaHQ / pySigma-backend-elasticsearch

pySigma Elasticsearch backend
GNU Lesser General Public License v3.0

Custom Attributes Problem #30

Closed Yuvijadeja closed 1 week ago

Yuvijadeja commented 1 year ago

When we pass any custom attributes in a rule, those attributes are not returned in the response.

request = {
    "title": "Test",
    "status": "test",
    "logsource": {
        "category": "test_category",
        "product": "test_product",
    },
    "building_block": True,
    "detection": {
        "selection": {
            "fieldA": "valueA",
            "fieldB": ''
        },
        "condition": "selection",
    }
}

response = {
  "name": "SIGMA - Test",
  "tags": [],
  "consumer": "siem",
  "enabled": true,
  "throttle": null,
  "schedule": { "interval": "5m" },
  "params": {
    "author": [],
    "description": "No description",
    "ruleId": "None",
    "falsePositives": [],
    "from": "now-5m",
    "immutable": false,
    "license": "DRL",
    "outputIndex": "",
    "meta": { "from": "1m" },
    "maxSignals": 100,
    "riskScore": 21,
    "riskScoreMapping": [],
    "severity": "low",
    "severityMapping": [],
    "threat": [],
    "to": "now",
    "references": [],
    "version": 1,
    "exceptionsList": [],
    "relatedIntegrations": [],
    "requiredFields": [],
    "setup": "",
    "type": "query",
    "language": "lucene",
    "index": [
      "apm-*-transaction*",
      "auditbeat-*",
      "endgame-*",
      "filebeat-*",
      "logs-*",
      "packetbeat-*",
      "traces-apm*",
      "winlogbeat-*",
      "-*elastic-cloud-logs-*"
    ],
    "query": "fieldA:valueA AND fieldB:\"\"",
    "filters": []
  },
  "rule_type_id": "siem.queryRule",
  "notify_when": "onActiveAlert",
  "actions": []
}

andurin commented 1 week ago

I can only guess that you would expect to see the building_block: true somewhere down in the backend result.

Several "challenges" come to mind:

  1. You are changing a Sigma rule with additional data not mentioned in the specs.
  2. You have the need to see that for the Elasticsearch backend in some output formats. What should other output formats do with the additional information? Also: what should other backends do with it?

If you need some sort of customization explicitly for the backend you are using, the postprocessing pipelines may fit your needs.

If you think that option is generic enough to have its own backend option, please send a more descriptive use case and I will be happy to support that as a feature request.

Please feel free to re-open this issue.
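The postprocessing approach andurin points to, as an added example that is not part of this issue or of pySigma: plain-dict stand-ins for the rule and the siem_rule output show the non-spec key being dropped by a spec-only conversion and then re-attached by a separate postprocessing step. The minimal Lucene rendering, the placement under `params.meta`, and all function names are assumptions made for this example, not the backend's own code.

```python
from typing import Any, Dict

# Keys defined by the Sigma rule specification (subset sufficient for this example).
SIGMA_SPEC_KEYS = {
    "title", "id", "status", "description", "references", "author", "date",
    "modified", "tags", "logsource", "detection", "fields", "falsepositives", "level",
}

SAMPLE_RULE = {  # constructed from the request in the issue above
    "title": "Test",
    "status": "test",
    "logsource": {"category": "test_category", "product": "test_product"},
    "building_block": True,
    "detection": {"selection": {"fieldA": "valueA", "fieldB": ""}, "condition": "selection"},
}


def split_custom_attributes(rule: Dict[str, Any]) -> Dict[str, Any]:
    """Return the rule keys that are not part of the Sigma spec.

    A converter that serialises only spec-defined attributes never emits these,
    which is the behaviour reported in the issue.
    """
    return {k: v for k, v in rule.items() if k not in SIGMA_SPEC_KEYS}


def lucene_query(selection: Dict[str, str]) -> str:
    """Render one AND-ed selection map as Lucene (assumption: no escaping needed).

    An empty string becomes a quoted empty value, matching fieldB:"" in the issue.
    """
    return " AND ".join(f'{f}:{v}' if v else f'{f}:""' for f, v in selection.items())


def to_siem_rule(rule: Dict[str, Any]) -> Dict[str, Any]:
    """Minimal stand-in for the siem_rule output format; uses spec keys only."""
    query = lucene_query(rule["detection"]["selection"])
    return {
        "name": f"SIGMA - {rule['title']}",
        "params": {"type": "query", "language": "lucene", "query": query, "meta": {"from": "1m"}},
        "rule_type_id": "siem.queryRule",
    }


def attach_custom_attributes(rule: Dict[str, Any], output: Dict[str, Any]) -> Dict[str, Any]:
    """Postprocessing step: merge the rule's non-spec keys into params.meta.

    Putting them under params.meta is an assumption for this example; place them
    wherever the consumer of the rule JSON expects them. The input is not mutated.
    """
    meta = {**output["params"]["meta"], **split_custom_attributes(rule)}
    return {**output, "params": {**output["params"], "meta": meta}}
```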