Project description

Tests Coverage Badge Status

pySigma SQLite Backend

This is the SQLite backend for pySigma. It provides the package sigma.backends.sqlite with the sqliteBackend class.

This backend also aims to be compatible with Zircolite which uses pure SQLite queries to perform SIGMA-based detection on EVTX, Auditd, Sysmon for linux, XML or JSONL/NDJSON Logs.

It supports the following output formats:

default: plain SQLite queries
zircolite : SQLite queries in JSON format for Zircolite

This backend is currently maintained by:

wagga

Known issues/limitations

Full text search support will need some work and is not a priority since it needs virtual tables on SQLite side
In a future update, changing table name will be handled by a backend option
Aggregation is not supported since it is deprecated by the sigma specification and there are nearly no rule using it in the official repository

Quick Start

Example script (default output) with sysmon pipeline

Add pipelines

poetry add pysigma-pipeline-sysmon
poetry add pysigma-pipeline-windows

Convert a rule

from sigma.collection import SigmaCollection
from sigma.backends.sqlite import sqlite
from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.pipelines.windows import windows_logsource_pipeline

from sigma.processing.resolver import ProcessingPipelineResolver

# Create the pipeline resolver
piperesolver = ProcessingPipelineResolver()
# Add pipelines
piperesolver.add_pipeline_class(sysmon_pipeline()) # Syssmon  
piperesolver.add_pipeline_class(windows_logsource_pipeline()) # Windows
# Create a combined pipeline
combined_pipeline = piperesolver.resolve(piperesolver.pipelines)
# Instantiate backend using the combined pipeline
sqlite_backend = sqlite.sqliteBackend(combined_pipeline)

rule = SigmaCollection.from_yaml(
r"""
    title: Test
    status: test
    logsource:
        category: test_category
        product: test_product
    detection:
        sel:
            fieldA: valueA
            fieldB: valueB
        condition: sel
""")

print(sqlite_backend.convert(rule)[0])

Running

poetry run python3 example.py

Project details

These details have not been verified by PyPI

Project links

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

0.1.2

Feb 4, 2024

0.1.1

Dec 29, 2023

0.1.0

Oct 27, 2023

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pysigma_backend_sqlite-0.1.2.tar.gz (9.5 kB view hashes)

Uploaded Feb 4, 2024 Source

Built Distribution

pysigma_backend_sqlite-0.1.2-py3-none-any.whl (10.2 kB view hashes)

Uploaded Feb 4, 2024 Python 3

Hashes for pysigma_backend_sqlite-0.1.2.tar.gz

Hashes for pysigma_backend_sqlite-0.1.2.tar.gz
Algorithm	Hash digest
SHA256	`9a57a4f89689f980c4cd53cdfb2f8fbfc49ea301b9446f39659e9a84f688302f`
MD5	`3992f6a8cbe6dc8019a9f0ffdf3518a6`
BLAKE2b-256	`f9a744f3af755fc30d693c9c1242b8f3e52507ffaed34c4847329c3eb0ba62f3`

Hashes for pysigma_backend_sqlite-0.1.2-py3-none-any.whl

Hashes for pysigma_backend_sqlite-0.1.2-py3-none-any.whl
Algorithm	Hash digest
SHA256	`099575cc736219b022dea5760d59d3656ad64422b56834190dd36db447c9b5e6`
MD5	`286ae90629914c3a2ac9f6d7879bd735`
BLAKE2b-256	`1eb305e5b3452e0d6e9dbdcdae2a32f514335f252c0ef09ccb1f16c38e9f2623`