humpalum / vscode-sigma

MIT License

Feature Request: Real Time Pipeline Updates #23

Closed joshnck closed 1 month ago

joshnck commented 4 months ago

On sigconverter.io you can modify both the Sigma rule and the pipeline and get real-time updates of the results in the right panel. In the VSC extension you can get real-time updates of the Sigma rule with your applied pipeline, but you cannot get real-time updates of your pipeline.

Here is my config:

```json
{
    "window.zoomLevel": -1,
    "files.autoSave": "afterDelay",
    "editor.suggestSelection": "first",
    "vsintellicode.modify.editor.suggestSelection": "automaticallyOverrodeDefaultValue",
    "python.jediEnabled": false,
    "python.languageServer": "Default",
    "git.autofetch": true,
    "debug.javascript.autoAttachFilter": "always",
    "python.createEnvironment.trigger": "off",
    "sigma.sigconverterConfigs": [
        {
            "name": "Splunk Default",
            "backend": "splunk"
        },
        {
            "name": "Splunk savedsearches",
            "backend": "splunk",
            "format": "savedsearches"
        },
        {
            "name": "Testing Pipeline",
            "backend": "splunk",
            "pipelineYML": ["C:\\Users\\Josh\\Documents\\testing\\pipeline_test.yml"]
        }
    ],
    "sigma.sigconverterEnabled": true
}
```

Pipeline:

```yaml
name: testing
priority: 10
transformations:

#### INDEX AND OS ASSIGNMENTS
  - id: test_index
    type: add_condition
    conditions:
      index: "test index"
    rule_conditions:
      - type: logsource
        product: windows
```

If I execute this and convert a Sigma rule, it works as expected: [screenshot]

Now, if I'd like to troubleshoot a configuration change in my pipeline with the following change:

```yaml
name: testing
priority: 10
transformations:

#### INDEX AND OS ASSIGNMENTS
  - id: test_index
    type: add_condition
    conditions:
      index: "test index2: Electric Boogaloo"
    rule_conditions:
      - type: logsource
        product: windows
```

Even after saving the YAML file for my pipeline, the updates do not apply until I open the command palette and run Restart Extension Host.

After restarting the extension host I can close the previous sigconverter window and open a new one where the changes are now applied: [screenshot]

humpalum commented 1 month ago

fixed in 1.7.1

The sigconverter view will update when saving the pipeline file.
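The behaviour described in this thread (a save of the pipeline file should refresh the conversion, a save of an unrelated rule file should not) comes down to mapping a saved path back to the `sigma.sigconverterConfigs` entries that reference it in `pipelineYML`. The following is an added example, not code from the vscode-sigma extension: a pure lookup that an `onDidSaveTextDocument` handler could call, with path normalisation so that the backslash Windows path from the settings above still matches the forward-slash path VS Code may report. The `SigconverterConfig` shape and the `windows` flag are assumptions made here.

```typescript
// Added example (not vscode-sigma's own code). Decide which sigconverter
// configurations must be re-run when a file is saved, so that saving a
// pipeline YAML refreshes the view without "Restart Extension Host".
// The config shape mirrors the "sigma.sigconverterConfigs" setting above.

interface SigconverterConfig {
  name: string;
  backend: string;
  format?: string;
  pipelineYML?: string[];
}

// Normalise a path so that "C:\\Users\\Josh\\x.yml" and "c:/users/josh/x.yml"
// compare equal when `windows` is true; POSIX paths stay case-sensitive.
export function normalizePath(p: string, windows: boolean): string {
  const slashes = p.replace(/\\/g, "/");
  return windows ? slashes.toLowerCase() : slashes;
}

// Return the names of the configurations whose pipelineYML list contains
// the saved file. Configurations without pipelineYML are never affected,
// so saving a Sigma rule (or any other file) yields an empty list.
export function configsAffectedBySave(
  configs: SigconverterConfig[],
  savedPath: string,
  windows: boolean,
): string[] {
  const saved = normalizePath(savedPath, windows);
  return configs
    .filter((c) =>
      (c.pipelineYML || []).some((p) => normalizePath(p, windows) === saved),
    )
    .map((c) => c.name);
}

// Constructed sample mirroring the settings.json posted in the issue.
export const sampleConfigs: SigconverterConfig[] = [
  { name: "Splunk Default", backend: "splunk" },
  { name: "Splunk savedsearches", backend: "splunk", format: "savedsearches" },
  {
    name: "Testing Pipeline",
    backend: "splunk",
    pipelineYML: ["C:\\Users\\Josh\\Documents\\testing\\pipeline_test.yml"],
  },
];

// In an extension this would be wired as (assumed, not shown here):
// vscode.workspace.onDidSaveTextDocument((doc) =>
//   refreshViews(configsAffectedBySave(configs, doc.fileName, isWindows)));
```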