Open pquerna opened 1 month ago
I think marshaling a rule back to YAML a reasonable thing to consider. Can you elaborate with a concrete example of what you mean by the gap though? Do you already have expressions that you're now trying to convert into a Sigma rule without a source rule?
Yes, basically I am programmatically building Sigma rules based on my code that generates events, what I've done right now is build the struct with YAML struct tags myself generally like this:
```go
// appEnums and methodFullName come from my own generated event code.
dt := Detection{
	Selectors: map[string]any{
		"selection": map[string]any{
			"category_uid":  int32(appEnums.API_ACTIVITY_CATEGORY_UID_API_ACTIVITY_CATEGORY_UID_APPLICATION_ACTIVITY.Number()),
			"class_uid":     int32(appEnums.API_ACTIVITY_CLASS_UID_API_ACTIVITY_CLASS_UID_API_ACTIVITY.Number()),
			"api.operation": methodFullName,
		},
	},
	Condition: "selection",
}
```
Then I serialize these to YAML... and then Parse them with Sigmalite [which is fine as a round trip test case]. Was mostly wondering if I could pure "construct" the Sigma Rule "AST" in sigmalite code.
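The workaround described above (build a Go struct from the code that knows the event shape, emit YAML, feed it to the parser as a round-trip check) in a form that runs stand-alone. This is an added example, not pquerna's code and not sigmalite's API: `Rule`, `Detection`, `MarshalRule` and the sample `*_UID` constants are assumptions for the example, and a small hand-written emitter replaces a YAML library so that only the standard library is needed. It shows the two things that matter when generated rules are diffed and parsed back: deterministic key order and string values that are always quoted.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Detection mirrors the shape used in the thread: named selectors plus a
// condition string that references them. In Sigma YAML both live under the
// top-level "detection" key, so the emitter writes them as siblings there.
type Detection struct {
	Selectors map[string]map[string]any
	Condition string
}

// Rule carries the minimal top-level Sigma fields (assumed names, not sigmalite's).
type Rule struct {
	Title     string
	LogSource map[string]string
	Detection Detection
}

// Constructed sample values standing in for the generated appEnums constants.
const (
	sampleCategoryUID int32 = 6
	sampleClassUID    int32 = 6003
)

// ExampleRule builds a rule for one API operation without parsing any rule text.
func ExampleRule(methodFullName string) Rule {
	return Rule{
		Title:     "Generated rule for " + methodFullName,
		LogSource: map[string]string{"product": "example", "category": "api"},
		Detection: Detection{
			Selectors: map[string]map[string]any{
				"selection": {
					"category_uid":  sampleCategoryUID,
					"class_uid":     sampleClassUID,
					"api.operation": methodFullName,
				},
			},
			Condition: "selection",
		},
	}
}

// scalar renders one YAML scalar. Strings are always double-quoted and escaped
// so values such as "yes", "1.0" or anything containing ':' or '#' cannot be
// reinterpreted by the parser on the way back in.
func scalar(v any) string {
	switch x := v.(type) {
	case string:
		return strconv.Quote(x)
	case int, int32, int64, uint, uint32, uint64:
		return fmt.Sprintf("%d", x)
	case bool:
		return strconv.FormatBool(x)
	default:
		return strconv.Quote(fmt.Sprint(x))
	}
}

// sortedKeys gives a deterministic key order, so the same struct always
// produces byte-identical YAML and generated rules can be diffed in review.
func sortedKeys[V any](m map[string]V) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// MarshalRule emits the rule as Sigma-shaped YAML. Selector and field names are
// written as plain scalars, which assumes ordinary Sigma field names (letters,
// digits, '_', '.' and '|' modifiers).
func MarshalRule(r Rule) string {
	var b strings.Builder
	fmt.Fprintf(&b, "title: %s\n", scalar(r.Title))
	b.WriteString("logsource:\n")
	for _, k := range sortedKeys(r.LogSource) {
		fmt.Fprintf(&b, "  %s: %s\n", k, scalar(r.LogSource[k]))
	}
	b.WriteString("detection:\n")
	for _, name := range sortedKeys(r.Detection.Selectors) {
		fmt.Fprintf(&b, "  %s:\n", name)
		fields := r.Detection.Selectors[name]
		for _, f := range sortedKeys(fields) {
			fmt.Fprintf(&b, "    %s: %s\n", f, scalar(fields[f]))
		}
	}
	fmt.Fprintf(&b, "  condition: %s\n", scalar(r.Detection.Condition))
	return b.String()
}

func main() {
	fmt.Print(MarshalRule(ExampleRule("/example.Service/Method")))
}
```

The output is plain Sigma YAML (`title`, `logsource`, `detection` with the selector map and `condition`), which is what the round-trip through the parser consumes; swapping the emitter for a real YAML library only changes quoting style, not the shape.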
Curious if Marshaling back into YAML is in scope for sigmalite. I think the main gap would be being able to construct the Expressions without Parse() being involved, and then handling JSON/YAML Marshaler tags or functions as needed? [mostly there, but private structs]?