
Question: How to avoid processing the fields?

Open 0xFustang opened this issue 2 years ago • 2 comments

Hi!

I am currently using the splunk_windows pipeline and I am looking for a pipeline option to avoid the Splunk table output like the following:

... | table ComputerName,User,SourceImage,TargetImage,CallTrace

The Splunk table is processed thanks to the fact that the author of the Sigma rule issued the fields for the analyst. I would like to have an option to avoid that and have my post-processing handle the | table part. Is there any transformation rule for that purpose?

Sigma rule:

title: Load Undocumented Autoelevated COM Interface
id: fb3722e4-1a06-46b6-b772-253e2e7db933
...
fields:
    - ComputerName
    - User
    - SourceImage
    - TargetImage
    - CallTrace
...
level: high

0xFustang avatar Oct 20 '23 12:10 0xFustang

This would be an extension; query postprocessing is currently not able to remove parts of the generated query. I mark this as an enhancement request.

thomaspatzke avatar Oct 27 '23 22:10 thomaspatzke

I've created a new query post-processing transformation replace with the parameters pattern and replacement. The following (untested) should do what you want:

postprocessing:
- type: replace
  # single quotes: \S is not a valid escape in a YAML double-quoted string;
  # \| escapes the pipe, which would otherwise be regex alternation
  pattern: '\s*\| table \S+'
  replacement: ""

Keeping the issue open because a dedicated option for this is nicer.

thomaspatzke avatar Oct 27 '23 23:10 thomaspatzke
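As an added illustration (this is not code from the issue, and it does not import pySigma), the script below runs the regex from the comment above and an escaped version of it against a constructed sample query, emulating the replace transformation with a plain re.sub. The point it shows: an unescaped | in a regex is alternation, so the pattern matches either the empty string or " table <fields>", and the pipe itself survives the substitution, leaving a query that ends in a dangling |. The SAMPLE_QUERY value is constructed and only approximates the Splunk backend's output; the function and constant names are my own.

```python
import re

# Constructed sample: roughly what the Splunk backend emits for the rule quoted
# in the issue. The search terms are illustrative; the "| table <fields>" tail
# is the part the issue wants removed.
SAMPLE_QUERY = (
    'EventID=10 TargetImage="*\\\\lsass.exe" '
    '| table ComputerName,User,SourceImage,TargetImage,CallTrace'
)

# Pattern exactly as it appears in the comment. The unescaped "|" is regex
# alternation, so this matches either "" or " table <fields>"; the pipe
# character itself is never part of the match.
NAIVE_PATTERN = r"| table \S+"

# Corrected pattern: the pipe is escaped and the whitespace before it is
# consumed as well, so nothing dangles at the end of the query.
FIXED_PATTERN = r"\s*\| table \S+"


def strip_table(query: str, pattern: str = FIXED_PATTERN) -> str:
    """Emulate a replace-style post-processing step: re.sub with an empty
    replacement string (assumed here to be what the replace transformation
    does internally)."""
    return re.sub(pattern, "", query)


def leaves_dangling_pipe(query: str) -> bool:
    """True when the query ends in a bare pipe, i.e. the table command was
    only half removed and Splunk would reject the search."""
    return query.rstrip().endswith("|")


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE_PATTERN), ("fixed", FIXED_PATTERN)):
        out = strip_table(SAMPLE_QUERY, pat)
        print(f"{name:5}: {out!r}  dangling pipe: {leaves_dangling_pipe(out)}")
```

When the pattern goes into a pipeline YAML file, put it in single quotes: in a double-quoted YAML scalar, \S is not a recognised escape sequence and the file will fail to parse before the regex is ever compiled.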