
Processing pipelines on Keyword-based detections ?

Open thomaspatzke opened this issue 9 months ago • 1 comment

Idea

Extend the existing field name mapping to map null values to a field name.

Question: is this possible in YAML?

If not: dedicated transformation.

Discussed in https://github.com/SigmaHQ/pySigma/discussions/339

Originally posted by EzLucky, April 7, 2025:

I'm trying to create a processing pipeline to apply a default field to items of a keyword-based detection.

But it seems that all conditions and transformations apply to field-based detections (or to attributes not related to the detection).

Let's take the following Sigma detection:

detection:
    keywords:
      - a
      - b
      - c
    condition: keywords

It produces, in Splunk for example: a OR b OR c
I was aiming at applying a pipeline to give the following output: my_field=a OR my_field=b OR my_field=c.

I even just tried to throw a SigmaTransformationError using the detection_item_failure transformation in the pipeline when the input rule does not use fields, but once more I could not add a condition related to the keyword-based detection.

Any advice on making something work using only pipelines?

thomaspatzke, Apr 07 '25 22:04

Hello @thomaspatzke

We can close the issue as I found a working pipeline. I don't know why I didn't try it before...

This pipeline is working (tested here):

name: Default field name
transformations:
  - id: field_mapping
    type: field_name_mapping
    mapping:
      null:
        - my_field_name

EzLucky, Jun 16 '25 08:06
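To show why the `null:` key is what makes this pipeline work, here is a simplified model added to this thread; it is not pySigma's own implementation. A keyword detection item carries no field name (Python `None`, which is also how PyYAML loads a `null:` mapping key), so a field_name_mapping keyed on `None` expands each keyword into `field=value`. Splunk-style rendering and the subset of Sigma semantics the thread touches (keyword lists OR-ed, field maps AND-ed, a multi-target mapping expanded as an OR over fields) are assumptions of this model.

```python
# Added model (not pySigma's own code): how a `null`-keyed field_name_mapping reaches
# keyword detection items, which carry no field. Splunk-style rendering is assumed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Item:
    fields: list[str | None]   # [None] = keyword item; several = expanded by a mapping
    values: list[str]

@dataclass
class Selection:
    items: list[Item]
    linking: str   # Sigma semantics: a keyword list is OR-ed, a field map is AND-ed

def parse_selection(body) -> Selection:
    """Constructed subset of the Sigma detection grammar: keyword list or field map."""
    if isinstance(body, list):
        return Selection([Item([None], [str(v)]) for v in body], "OR")
    items = [Item([f], [str(x) for x in (v if isinstance(v, list) else [v])])
             for f, v in body.items()]
    return Selection(items, "AND")

def field_name_mapping(sel: Selection, mapping: dict) -> Selection:
    """mapping: source field (None = PyYAML's reading of the `null:` key) -> target(s)."""
    out = []
    for it in sel.items:
        new_fields: list[str | None] = []
        for f in it.fields:
            target = mapping.get(f, f)
            new_fields.extend(target if isinstance(target, list) else [target])
        out.append(Item(new_fields, it.values))
    return Selection(out, sel.linking)

def to_splunk(sel: Selection) -> str:
    """Render as a Splunk search: bare keywords, or field=value; alternatives OR-ed."""
    def one(it: Item) -> str:
        vals = [f'"{v}"' if " " in v else v for v in it.values]
        terms = [v if f is None else f"{f}={v}" for f in it.fields for v in vals]
        return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"
    return f" {sel.linking} ".join(one(it) for it in sel.items)

def convert(detection: dict, mapping: dict | None = None) -> str:
    """Apply the pipeline mapping to the single selection named in `condition`."""
    sel = parse_selection(detection[detection["condition"]])
    return to_splunk(field_name_mapping(sel, mapping or {}))

# Constructed inputs mirroring the thread: the keyword rule and the `null:` pipeline.
RULE = {"keywords": ["a", "b", "c"], "condition": "keywords"}
PIPELINE = {None: ["my_field_name"]}   # == yaml.safe_load("null:\n  - my_field_name")
```

With the mapping applied the rule no longer matches free-text occurrences of a, b or c, only events where the value sits in the chosen field; that narrowing is the intended effect, but it is worth keeping in mind when reusing the pipeline across backends.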