magicsword-io / sigconverter.io

An opensource sigma conversion tool built using pysigma
https://sigconverter.io/
Apache License 2.0
95 stars, 21 forks

issues with qradar pipeline #25

Open nasbench opened 11 months ago

nasbench commented 11 months ago

Check https://twitter.com/b4kl4z4n/status/1724422932615541239

TL;DR - There seems to be a bug in one of the QRadar backends where the pipelines that are accepted by one are not compatible with the other. The issue is most probably because they both define the accepted backend as all, but only one actually supports the pipelines named qradar.

Verify the following:

gabrielvrcamara commented 10 months ago

Any updates?

I'm trying to use the sysmon pipeline together with the qradar backend but I get the following error:

```
$ python3 -m poetry run sigma convert -p sysmon -t q_radar_aql proc_creation_win_anydesk_piped_password_via_cli.yml
Usage: sigma convert [OPTIONS] INPUT...
Try 'sigma convert --help' for help.

Error: The pipeline 'sysmon' was not found. List all installed processing pipelines with: sigma list pipelines q_radar_aql
List pipeline plugins for installation with: sigma plugin list --plugin-type pipeline
Pipelines not listed here are treated as file names.
```

I tried using qradar's native backend but without success tbh:

```
$ python3 -m poetry run sigma convert -t qradar proc_creation_win_anydesk_piped_password_via_cli.yml
Usage: sigma convert [OPTIONS] INPUT...
Try 'sigma convert --help' for help.

Error: Invalid value for '--target' / '-t': 'qradar' is not 'q_radar_aql'. - run sigma plugin list --plugin-type backend for a list of available plugins.
```

nasbench commented 10 months ago

What's the issue here exactly? How is this related to the issue here?

From your output it seems that you don't have the sysmon pipeline installed. You can install it by using `sigma plugin list` to check the name and then `sigma plugin install <name>`.
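The two failure modes in this thread (a `-p` value that is neither an installed pipeline nor a file, and a `-t` value that is not an installed backend) plus the compatibility problem in the opening comment (a pipeline whose `allowed_backends` names a backend identifier that no installed backend actually uses) all come from the same resolution step the CLI performs before converting anything. The following Python models that step. It is an added illustration, not pySigma's or sigconverter.io's code; the registries, the `windows-logsources` pipeline name and the `allowed_backends` contents are constructed for the example, and the real names are whatever `sigma plugin list` prints on your install.

```python
"""Model of how a sigma CLI resolves -p pipelines and -t backends before converting.

Added illustration, not pySigma's own code. Registries and identifiers below are
constructed for the example; real plugin names come from `sigma plugin list`.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Set


@dataclass
class Pipeline:
    name: str
    # Empty set means "accepted by every backend"; otherwise the backend
    # identifier must appear here for the combination to be allowed.
    allowed_backends: Set[str] = field(default_factory=set)


@dataclass
class Backend:
    name: str


class PipelineNotFound(Exception):
    """-p value is neither an installed pipeline nor an existing file."""


class BackendNotFound(Exception):
    """-t value is not an installed backend identifier."""


class PipelineNotAllowed(Exception):
    """Pipeline declares allowed_backends that exclude the chosen backend."""


# Constructed registries standing in for the installed plugins (assumption).
BACKENDS: Dict[str, Backend] = {"q_radar_aql": Backend("q_radar_aql")}
PIPELINES: Dict[str, Pipeline] = {
    # accepted by any backend
    "windows-logsources": Pipeline("windows-logsources"),
    # declares a backend name ("qradar") that no installed backend uses
    "qradar": Pipeline("qradar", allowed_backends={"qradar"}),
}


def resolve_backend(target: str) -> Backend:
    try:
        return BACKENDS[target]
    except KeyError:
        raise BackendNotFound(
            f"'{target}' is not one of {sorted(BACKENDS)}; "
            "run 'sigma plugin list --plugin-type backend'"
        ) from None


def resolve_pipeline(spec: str) -> Pipeline:
    """Installed pipeline name first; anything else is treated as a file name."""
    if spec in PIPELINES:
        return PIPELINES[spec]
    path = Path(spec)
    if path.is_file():
        # A real implementation would parse the YAML; the stem is enough here.
        return Pipeline(path.stem)
    raise PipelineNotFound(
        f"The pipeline '{spec}' was not found; install it with "
        "'sigma plugin install <name>' or pass a pipeline file"
    )


def check_compatible(pipeline: Pipeline, backend: Backend) -> None:
    if pipeline.allowed_backends and backend.name not in pipeline.allowed_backends:
        raise PipelineNotAllowed(
            f"pipeline '{pipeline.name}' allows {sorted(pipeline.allowed_backends)}, "
            f"not backend '{backend.name}'"
        )


def plan_conversion(target: str, pipelines: List[str]) -> str:
    """Resolve backend, then each pipeline, then enforce compatibility."""
    backend = resolve_backend(target)
    resolved = [resolve_pipeline(p) for p in pipelines]
    for p in resolved:
        check_compatible(p, backend)
    return f"{backend.name}:" + ",".join(p.name for p in resolved)


def outcome(target: str, pipelines: List[str]) -> str:
    """Return the conversion plan, or the name of the error the CLI would report."""
    try:
        return plan_conversion(target, pipelines)
    except (PipelineNotFound, BackendNotFound, PipelineNotAllowed) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(outcome("qradar", []))                         # BackendNotFound
    print(outcome("q_radar_aql", ["sysmon"]))            # PipelineNotFound
    print(outcome("q_radar_aql", ["qradar"]))            # PipelineNotAllowed
    print(outcome("q_radar_aql", ["windows-logsources"]))
```

The third case is the one the issue is about: the pipeline is installed and the backend is installed, but the pipeline's declared backend list uses a different identifier than the backend registers under, so the combination is rejected even though nothing is missing. The fix in that case is on the plugin side (aligning the identifiers), not `sigma plugin install`.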

gabrielvrcamara commented 10 months ago

Hi, sorry for taking your time, this really was the problem. I was about to delete the comment lol. Still, thank you very much.

nasbench commented 10 months ago

No worries.