SigmaHQ / pySigma

Python library to parse and convert Sigma rules into queries (and whatever else you could imagine)
GNU Lesser General Public License v2.1

Ability to apply rule_conditions to postprocessing #283

Open 0xFustang opened 3 weeks ago

0xFustang commented 3 weeks ago

Description

Hello! Is there a way to apply rule_conditions in post-processing? The idea would be to apply a post-processing step based on a certain condition such as:

- type: template
  template: |+
    {{ query }} | extend ServiceName = tostring(ParsedFields.ServiceName) | project foo, bar, ServiceName
  rule_conditions:
    - type: contains_detection_item
      field: "Provider_Name"
      value: "Service Control Manager"

- type: template
  template: |+
    {{ query }} | extend Balance = tostring(ParsedFields.Bar) | project foo, Balance
  rule_conditions:
    - type: contains_detection_item
      field: "Provider_Name"
      value: "balance"

thomaspatzke commented 5 days ago

Postprocessing items are already capable of this. Did you try it and it didn't work?