Currently the configuration file for this compiler takes:

- A `FieldMaping` section outlining a mapping between fields in the sigma rule and fields in the event itself.
- A `Sources` section outlining a set of queries (which produce events) for each named log source.
A particular sigma rule declares a source and a set of fields in the detection section.
For the rule to be valid, the fields that are referenced in the detection section must actually appear in the events delivered by the specific log source.
Currently we only check that the referenced fields are defined at all (i.e. appear in the field mapping), but a field can be defined only for a different source than the one the rule declares.
We need to update the linter to detect when a rule refers to a field that does not appear in the declared source, even though the field appears in a different, unrelated source.
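The stricter check described above, as an added example that is not the project's own linter code. It assumes that each entry under `Sources` carries a `Fields` set listing the event fields that source delivers (an assumed key, not one from the issue), and uses a constructed config and rule in which the rule declares `process_creation` but references a field only delivered by `network_connection`:

```python
"""Added example (not the project's code): lint a rule against per-source field lists.
Config/rule shapes and the "Fields" key are assumptions; all values are constructed."""

# Constructed configuration. The FieldMaping key is from the issue; "Fields" is assumed.
CONFIG = {
    "FieldMaping": {"Image": "Process.Image", "CommandLine": "Process.Cmd",
                    "DestinationIp": "Net.DstIp", "TargetFilename": "File.Target"},
    "Sources": {
        "process_creation": {"Fields": {"Image", "CommandLine"}},
        "network_connection": {"Fields": {"Image", "DestinationIp"}},
        "file_event": {"Fields": {"Image", "TargetFilename"}},
    },
}

# Constructed rule: declares process_creation but references a network_connection field.
RULE = {
    "logsource": "process_creation",
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "DestinationIp": "10.0.0.1"},
        "condition": "selection",
    },
}

def detection_fields(detection):
    """Field names referenced by the detection section; '|modifier' suffixes are dropped."""
    fields = set()
    for name, clause in detection.items():
        if name == "condition":
            continue
        # A selection is a dict or a list of dicts (sigma's 'list of maps' form).
        for mapping in clause if isinstance(clause, list) else [clause]:
            fields.update(k.split("|", 1)[0] for k in mapping)
    return fields

def lint_rule(rule, config):
    """Report unknown sources, unmapped fields, and fields absent from the declared source."""
    source = rule["logsource"]
    sources = config["Sources"]
    if source not in sources:
        return [f"unknown source {source!r}"]
    problems = []
    for field in sorted(detection_fields(rule["detection"])):
        if field not in config["FieldMaping"]:
            problems.append(f"field {field!r} is not mapped in any source")
        elif field not in sources[source]["Fields"]:
            # Mapped elsewhere but not delivered by this source: the case the issue wants caught.
            others = sorted(s for s, spec in sources.items() if field in spec["Fields"])
            problems.append(f"field {field!r} not in source {source!r}; delivered by {others}")
    return problems
```

The old mapping-only check would accept `RULE` because `DestinationIp` is mapped; `lint_rule` rejects it and names the source that actually delivers the field.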