SigmaHQ / pySigma

Python library to parse and convert Sigma rules into queries (and whatever else you could imagine)
GNU Lesser General Public License v2.1

Match Rules based on their Fields (RuleContainsFieldCondition) #272

Closed HenrikWittemeier closed 2 days ago

HenrikWittemeier commented 1 week ago

In my processing pipeline I'd like to change the logsource of a rule based on the fields it has. My network events on different layers have different logsources but all have ["linux","network_event"] as predefined logsource. So I need to change the logsource depending on "IP" or "Hostname" fields in the rule. In my understanding there is no such possibility at the moment. I found the RuleContainsDetectionItemCondition but it only works when I set field and value. I would appreciate a RuleProcessingCondition that has only the field name as input or a workaround to achieve this.
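
As an added illustration (not code from pySigma or from either participant in this thread), the following stand-alone sketch shows the two conditions under discussion side by side: a field-only check of the kind the issue requests, and the field-and-value check that RuleContainsDetectionItemCondition offers, both wired into a minimal pipeline that rewrites the logsource of rules carrying the generic ["linux","network_event"] logsource. It works on plain dicts rather than pySigma's SigmaRule objects so it runs without pySigma or PyYAML; the helper names, the sample rules and the target logsource categories (network_connection, dns_query) are assumptions made for the example, not pySigma's API.

```python
"""Field-only rule condition for a Sigma processing pipeline (stand-alone sketch)."""
import copy
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterator, List

# Constructed sample rules, written as the dicts a YAML loader would produce so the
# sketch runs without PyYAML or pySigma. All three share the generic logsource that
# the pipeline is supposed to specialise.
GENERIC_LOGSOURCE = {"product": "linux", "category": "network_event"}

RULE_IP = {
    "title": "Outbound connection to reverse-shell port",
    "logsource": dict(GENERIC_LOGSOURCE),
    "detection": {
        "selection": {"IP|endswith": ".1", "DestinationPort": [4444, 1337]},
        "condition": "selection",
    },
}
RULE_HOST = {
    "title": "Resolution of known bad hostname",
    "logsource": dict(GENERIC_LOGSOURCE),
    "detection": {
        "selection": [{"Hostname|contains": "evil"}, {"Hostname": "c2.example"}],
        "condition": "selection",
    },
}
RULE_KEYWORDS = {
    "title": "Download utility in command line",
    "logsource": dict(GENERIC_LOGSOURCE),
    "detection": {"keywords": ["curl ", "wget "], "condition": "keywords"},
}


def _detection_maps(detection: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every field->value map in the detection, skipping the condition
    string and keyword lists (which carry no field names)."""
    for name, body in detection.items():
        if name == "condition":
            continue
        for entry in body if isinstance(body, list) else [body]:
            if isinstance(entry, dict):
                yield entry


def rule_fields(rule: Dict[str, Any]) -> set:
    """Bare field names used by the rule; 'IP|endswith' counts as field 'IP'."""
    return {key.split("|", 1)[0] for m in _detection_maps(rule["detection"]) for key in m}


def rule_contains_field(rule: Dict[str, Any], field_name: str) -> bool:
    """The condition the issue asks for: field present, any value, any modifier."""
    return field_name in rule_fields(rule)


def rule_contains_detection_item(rule: Dict[str, Any], field_name: str, value: Any) -> bool:
    """Field-and-value condition (the shape the poster found too narrow): only
    matches when the rule uses the field with exactly this value."""
    for m in _detection_maps(rule["detection"]):
        for key, val in m.items():
            if key.split("|", 1)[0] == field_name:
                if value in (val if isinstance(val, list) else [val]):
                    return True
    return False


@dataclass
class LogsourceChange:
    """One pipeline item (hypothetical name): merge 'logsource' into the rule
    when 'condition' holds for it."""
    condition: Callable[[Dict[str, Any]], bool]
    logsource: Dict[str, str]


def apply_pipeline(rule: Dict[str, Any], items: List[LogsourceChange]) -> Dict[str, Any]:
    """Return a copy of the rule with the first matching item's logsource merged in.
    First match wins, so the order of the items expresses precedence."""
    out = copy.deepcopy(rule)
    for item in items:
        if item.condition(out):
            out["logsource"].update(item.logsource)
            break
    return out


# Hypothetical target logsources; the real ones depend on the backend's taxonomy.
PIPELINE = [
    LogsourceChange(lambda r: rule_contains_field(r, "IP"), {"category": "network_connection"}),
    LogsourceChange(lambda r: rule_contains_field(r, "Hostname"), {"category": "dns_query"}),
]

if __name__ == "__main__":
    for rule in (RULE_IP, RULE_HOST, RULE_KEYWORDS):
        print(rule["title"], "->", apply_pipeline(rule, PIPELINE)["logsource"])
```

Field names are compared after the modifier is stripped, so a rule that only uses `Hostname|contains` still selects the Hostname logsource, while a keyword-only rule matches neither item and keeps its generic logsource. The value-based check has to know each literal value in advance, which is why it cannot drive a per-field logsource change on its own.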

thomaspatzke commented 6 days ago

Hi! My first thought was that IncludeFieldCondition would do it, but as a field name condition it's not applied to a rule transformation as the logsource change is. Shouldn't be a big thing to implement.

thomaspatzke commented 2 days ago

Just pushed the implementation, will be contained in the next release.