pySigma-backend-splunk
Question: Using stats instead of table for the fields field
I'd like to have this backend output a dynamic stats command based on the fields field.
Take this example detection:

```yaml
title: Example Detection
date: 2024/03/26
status: experimental
author: burnsn1
description: Test Rule
logsource:
    category: process_creation
    product: windows
detection:
    susp_exec:
        process_path:
            - 'C:\Windows'
    condition: susp_exec
fields:
    - process_path
    - process_name
```
Output of `sigma convert --target splunk -p splunk_windows rules/example_detection.yml`:

```
process_path="C:\\Windows" | table process_path,process_name
```

I'd like the output to be:

```
process_path="C:\\Windows" | stats values(process_path), values(process_name)
```

I've tried using a post-processing query template transformation, but that doesn't provide any field name translations, which forces me to create a template per data source, which is onerous.
Any thoughts on how I could achieve this with pySigma?
The original intention of `fields` was to describe what is important to the analyst if a breakdown of the event should be shown instead of the whole event. There are lots of other representations that are useful and make sense; I also prefer a stats aggregation by such fields with first/last seen times, counts and sparklines.

I think a possible solution would be to use a Jinja2 post-processing template that iterates over all fields to generate the stats. Something like `{{ query }} | stats {% for field in rule.fields %}values({{ field }}){{ ", " if not loop.last }}{% endfor %}` could solve this.
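The following is an added example, not code from pySigma or the Splunk backend, showing what such a template does and where the field-name problem raised in the question bites. It uses only the standard library: `MiniRule` is a constructed stand-in for the rule attributes involved, the field mapping dict is a constructed sample (not a real pySigma data source mapping), and `render_with_jinja()` only shows the equivalent Jinja2 template and needs the `jinja2` package. A `stats values(...)` clause over untranslated field names does not error in Splunk, it just yields empty columns, so the example applies the same mapping to `rule.fields` that the pipeline applied to the detection and adds a check for fields the data source does not provide.

```python
"""Added example (not pySigma-backend-splunk code): render a Sigma rule's
`fields` list as a Splunk `stats values(...)` clause instead of `table`.

Only the standard library is required. render_with_jinja() shows the
equivalent Jinja2 template and is only usable when jinja2 is installed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class MiniRule:
    """Constructed stand-in for the Sigma rule attributes used here."""
    title: str
    fields: List[str] = field(default_factory=list)


# Jinja2 template in the shape suggested in the discussion; `query` and
# `rule` are the names a post-processing template is rendered with.
STATS_TEMPLATE = (
    "{{ query }} | stats "
    "{% for f in rule.fields %}values({{ f }}){{ ', ' if not loop.last }}{% endfor %}"
)


def render_stats_query(query: str, rule: MiniRule,
                       mapping: Optional[Dict[str, str]] = None,
                       aggregation: str = "values") -> str:
    """Append `| stats values(f1), values(f2), ...` to an already converted query.

    `mapping` is the data source's field-name translation (constructed here),
    the same one the pipeline applied to the detection. It is applied to the
    `fields` list because a post-processing template only sees the rule's
    original field names; stats on untranslated names runs without error in
    Splunk but returns empty columns.
    """
    mapping = mapping or {}
    if not rule.fields:
        return query  # nothing to break the event down by; keep the raw query
    clauses = ", ".join(f"{aggregation}({mapping.get(f, f)})" for f in rule.fields)
    return f"{query} | stats {clauses}"


def find_unmapped_fields(rule: MiniRule, known_fields: Iterable[str]) -> List[str]:
    """Return rule fields that the data source does not provide under that name.

    Pre-deployment check: Splunk does not complain about an unknown field
    inside stats, so without this the gap stays silent.
    """
    known = set(known_fields)
    return [f for f in rule.fields if f not in known]


def render_with_jinja(query: str, rule: MiniRule) -> str:
    """Render STATS_TEMPLATE with Jinja2 (requires the jinja2 package)."""
    from jinja2 import Template  # imported lazily so the rest works without it
    return Template(STATS_TEMPLATE).render(query=query, rule=rule)


if __name__ == "__main__":
    # Constructed sample matching the rule in the issue.
    rule = MiniRule("Example Detection", ["process_path", "process_name"])
    print(render_stats_query('process_path="C:\\\\Windows"', rule))
    # Constructed field map for a data source that stores the path as `Image`.
    image_map = {"process_path": "Image"}
    print(render_stats_query('Image="C:\\\\Windows"', rule, image_map))
    print("unmapped:", find_unmapped_fields(rule, {"Image", "process_name"}))
```

Run without a mapping, the first print reproduces the query the question asks for; with the constructed `Image` mapping, the stats clause follows the renamed field, which is the part a per-data-source template would otherwise have to hard-code.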