pySigma Loki backend
Project description
pySigma Loki Backend
This is the Loki backend for pySigma. It provides the package sigma.backends.loki with the LogQLBackend class.
It supports the following output formats:
default: plain Loki LogQL queriesruler: creates Loki LogQL queries in the ruler (YAML) format for generating alerts
It includes new Loki-specific pipeline transformations:
SetLokiStreamSelectionTransform: adds alogsource_loki_selectioncustom attribute to a rule, which should contain a stream selector that will be used in the generated querySetLokiParserTransformation: adds aloki_parsercustom attribute to a rule, which should contain a parser expression that will be used in the generated query
Further, it contains the processing pipelines in sigma.pipelines.loki:
loki_log_parser: converts field names to logfmt labels used by Grafanaloki_promtail_sysmon_message: parse and adjust field names for Windows sysmon data produced by promtail- Note: most rules lack the
sysmonservice tag, and hence this pipeline should be used in combination with the generic sysmon pipeline
- Note: most rules lack the
This backend is currently maintained by:
Installation
To get started developing/testing pySigma-backend-loki, these steps may help you get started:
- Install poetry
- Clone this repository and open a terminal/shell in the top-level directory
- Run
poetry installto install the Python dependencies - Run
poetry shellto activate the poetry environment - Check it all works by running
poetry run pytest - (Optional) If you wish to validate the generated rules using sigma_backend_tester.py, install LogCLI
Work in progress
These features are currently either WIP or are planned to be implemented in the near future.
- Various processing pipelines for other applications and log sources
- Generating more accurate log stream selectors based on logsource
- Translate field names in Sigma signatures into relevant labels for Loki using pipelines
Won't implement (probably)
These features are not easily supported by the backend, and hence are unlikely to be implemented.
- More complex keyword/line filter searches than ANDs of ORs
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pysigma_backend_loki-0.3.0.tar.gz.
File metadata
- Download URL: pysigma_backend_loki-0.3.0.tar.gz
- Upload date:
- Size: 17.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.2 CPython/3.10.6 Linux/5.15.0-56-generic
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8ce74ace1d882a26c60187f37582152cfa9b19a2a7d2617e8f3266f7f0574800
|
|
| MD5 |
7526062ec718bce6885f1d58e441e80e
|
|
| BLAKE2b-256 |
41f94f92ef7432eb0a203d8f996c9ed5f129e8a3f4a518931f9b0a2ec0a3d556
|
File details
Details for the file pysigma_backend_loki-0.3.0-py3-none-any.whl.
File metadata
- Download URL: pysigma_backend_loki-0.3.0-py3-none-any.whl
- Upload date:
- Size: 16.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.2 CPython/3.10.6 Linux/5.15.0-56-generic
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f71c0ea519b616afecf35ef467209a4b872fb58ad0d2aaee325857cb5bc43f20
|
|
| MD5 |
c4889d888729f3d3767247543b26012e
|
|
| BLAKE2b-256 |
7b949f83c48479233d465f3ede71bc03020dba5af97b99bfd718c20616388a25
|
