Closed ericzinnikas closed 2 years ago
Great PR, thanks for it 😊👍 Suggestion: some simplistic setting templates will make it easier to integrate this into Sigma CLI, as passing a function from the command line is...challenging 😉
Regarding the formatting question: it's currently a mix of VS Code defaults as well as some custom settings/formatting habits. Introducing a formatting tool to the pySigma projects is a good idea. I don't have much experience/overview in this area and currently lots of functional stuff on my todo list, so this is likely something for the future.
Sounds good and that makes sense. Would highly recommend looking into black for formatting, have used in several large projects with good results. As for templating/etc -- I'll see if I can take a stab at that too, as there are probably some generally useful defaults for Splunk.
Add support for arbitrary savedsearch.conf settings, both per-rule and overall. A use-case for this might be for configuring Splunk alert actions (e.g. send to email / webhook) or search frequency (as in #11). Adds two new args to the backend constructor:
query_settings -- pass in a function which takes a SigmaRule object as an arg and returns a dict of settings that should apply to that specific rule. This needs to be dynamic as setting values could depend on the rule description/severity/etc.
output_settings -- pass in a dict of settings that should apply to all rules/alerts.
A (simplified) example use-case of dynamically setting the alert's email subject and search frequency:
I didn't see any formatting/linter configs, so I attempted to mimic existing style (not sure what you want to do about line 79... thoughts on applying something like black to this library?).
Welcome any thoughts/comments about this PR!
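As an added, stand-alone illustration (not code from this PR or from pySigma) of what the two constructor arguments described in the PR amount to: a callable that derives per-rule settings from the rule's level and title, merged over a global settings dict with the per-rule values taking precedence, and rendered as a savedsearches.conf stanza. The `Rule` dataclass, the schedule table and the recipient address are constructed stand-ins, not pySigma's `SigmaRule` or the backend's real rendering code.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed stand-in for pySigma's SigmaRule: only the fields read below.
@dataclass
class Rule:
    title: str
    level: str         # "low" | "medium" | "high" | "critical"
    description: str
    query: str         # the already-converted SPL search

# Assumed policy: how often a saved search runs, by Sigma level.
SCHEDULE_BY_LEVEL = {
    "critical": "*/5 * * * *",
    "high": "*/15 * * * *",
    "medium": "0 * * * *",
    "low": "0 6 * * *",
}

# Settings applied to every alert (the PR's output_settings dict).
OUTPUT_SETTINGS: Dict[str, str] = {
    "enableSched": "1",
    "action.email": "1",
    "action.email.to": "soc@example.invalid",  # constructed placeholder
}

def query_settings(rule: Rule) -> Dict[str, str]:
    """Per-rule settings computed from the rule (the PR's query_settings callable)."""
    return {
        "cron_schedule": SCHEDULE_BY_LEVEL.get(rule.level, "0 * * * *"),
        "action.email.subject": f"[{rule.level.upper()}] Sigma alert: {rule.title}",
        # savedsearches.conf values are single-line; collapse any newlines.
        "description": " ".join(rule.description.split()),
    }

def build_settings(rule: Rule, per_rule: Callable[[Rule], Dict[str, str]],
                   global_settings: Dict[str, str]) -> Dict[str, str]:
    """Global settings first, per-rule values override, search always set."""
    settings = dict(global_settings)
    settings.update(per_rule(rule))
    settings["search"] = rule.query
    return settings

def render_stanza(rule: Rule, per_rule: Callable[[Rule], Dict[str, str]],
                  global_settings: Dict[str, str]) -> str:
    """Render one [title] stanza in savedsearches.conf key = value form."""
    settings = build_settings(rule, per_rule, global_settings)
    lines = [f"[{rule.title}]"] + [f"{k} = {v}" for k, v in sorted(settings.items())]
    return "\n".join(lines) + "\n"
```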