Clickhouse backend for sigma
Project description
pySigma Clickhouse Backend
This is the Clickhouse backend for pySigma. It provides the package sigma.backends.clickhouse with the ClickhouseBackend class.
It supports the following output formats for Sigma rules:
- default: plain Clickhouse SQL queries
- clicksiem: rule format for clickdetect
Thanks
To implement this Clickhouse backend I have learned a lot from existing code, and this is my thanks to those who were most helpful to me.
- Thanks for the SQLite implementation
- Thanks for the incredible blog post "Creating a Sigma Backend for Fun (and no profit)"
How To
Converting sigma to clickhouse
```python
from sigma.backends.clickhouse.clickhouse import ClickhouseBackend
from sigma.collection import SigmaCollection

# The Sigma rule as YAML. A raw string keeps the backslash in '\whoami.exe'
# literal, and the indentation below is what the YAML parser requires.
rule = r"""
title: Run Whoami Showing Privileges
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: experimental
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth
date: 2021/05/05
modified: 2022/05/13
tags:
    - attack.privilege_escalation
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_cli:
        CommandLine|contains: '/priv'
    condition: all of selection*
falsepositives:
    - Administrative activity (rare lookups on current privileges)
level: high
"""

backend = ClickhouseBackend()
rule_sigma = SigmaCollection.from_yaml(rule)
# convert() returns one query string per rule in the collection
print(backend.convert(rule_sigma)[0])
```
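The snippet above hands the rule to pySigma and prints whatever the backend emits. To make explicit what a ClickHouse translation of this rule has to get right, here is an added example written for this page; it is not code from pysigma-backend-clickhouse and the SQL it produces is not a claim about that backend's output. It transcribes the rule's detection section into a dict, renders one possible ClickHouse WHERE expression (ILIKE and lower() are my own choice of translation) and evaluates the same logic in Python over a few constructed process-creation events. Two points a practitioner should check in any backend's output: Sigma string matching is case-insensitive by default, and the backslash in '\whoami.exe' is a LIKE metacharacter in ClickHouse, so the pattern and the string literal both need escaping. The helper names, the events and the ILIKE/lower() rendering are assumptions of this example.

```python
import re

# Detection section of the "Run Whoami Showing Privileges" rule above,
# transcribed by hand from the YAML on this page (not parsed with pySigma).
DETECTION = {
    "selection_img": [
        {"Image|endswith": r"\whoami.exe"},
        {"OriginalFileName": "whoami.exe"},
    ],
    "selection_cli": {"CommandLine|contains": "/priv"},
    "condition": "all of selection*",
}

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /priv"},
    # same activity with different casing: Sigma matching is case-insensitive
    {"Image": r"C:\Windows\System32\WHOAMI.EXE", "CommandLine": "whoami /PRIV"},
    # renamed binary, still caught through OriginalFileName
    {"Image": r"C:\Temp\w.exe", "OriginalFileName": "whoami.exe", "CommandLine": "w /priv"},
    # no /priv flag: selection_cli fails, so the rule does not fire
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
]

SUPPORTED_MODIFIERS = {"endswith", "contains", "startswith"}


def _split_field(key):
    """'Image|endswith' -> ('Image', 'endswith'); 'Image' -> ('Image', None)."""
    field, _, mod = key.partition("|")
    if mod and mod not in SUPPORTED_MODIFIERS:
        raise NotImplementedError(f"modifier {mod!r} is not handled in this example")
    return field, mod or None


def _check_no_wildcards(value):
    # Sigma '*' / '?' wildcards are a separate translation step, left out here
    if "*" in value or "?" in value:
        raise NotImplementedError("Sigma wildcards are not handled in this example")


def _sql_string(s):
    """Quote a value as a ClickHouse single-quoted string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _field_to_sql(key, value):
    field, mod = _split_field(key)
    _check_no_wildcards(value)
    if mod is None:
        # plain value: Sigma's default is case-insensitive equality
        return f"lower({field}) = lower({_sql_string(value)})"
    # LIKE metacharacters in the rule value must match literally, so escape them
    # at the pattern level first; _sql_string then escapes the literal itself
    pat = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    if mod in ("endswith", "contains"):
        pat = "%" + pat
    if mod in ("startswith", "contains"):
        pat = pat + "%"
    return f"{field} ILIKE {_sql_string(pat)}"


def _selection_to_sql(sel):
    # a list of maps is an OR of alternatives; each map is an AND of its fields
    if isinstance(sel, list):
        return "(" + " OR ".join(_selection_to_sql(s) for s in sel) + ")"
    return "(" + " AND ".join(_field_to_sql(k, v) for k, v in sel.items()) + ")"


def _condition(detection):
    """Handle only 'all of <prefix>*' and '1 of <prefix>*' conditions."""
    m = re.fullmatch(r"(all|1) of (\w+)\*", detection["condition"])
    if not m:
        raise NotImplementedError("only 'all of'/'1 of' prefix conditions are handled")
    names = [n for n in detection if n != "condition" and n.startswith(m.group(2))]
    return m.group(1) == "all", names


def to_clickhouse_where(detection=DETECTION):
    """Render the detection as a ClickHouse WHERE expression."""
    need_all, names = _condition(detection)
    joiner = " AND " if need_all else " OR "
    return joiner.join(_selection_to_sql(detection[n]) for n in names)


def _field_matches(event, key, value):
    field, mod = _split_field(key)
    _check_no_wildcards(value)
    if field not in event:
        return False
    actual, want = str(event[field]).lower(), value.lower()
    if mod == "endswith":
        return actual.endswith(want)
    if mod == "startswith":
        return actual.startswith(want)
    if mod == "contains":
        return want in actual
    return actual == want


def _selection_matches(event, sel):
    if isinstance(sel, list):
        return any(_selection_matches(event, s) for s in sel)
    return all(_field_matches(event, k, v) for k, v in sel.items())


def matches(event, detection=DETECTION):
    """Evaluate the detection in Python; the SQL rendering must agree with this."""
    need_all, names = _condition(detection)
    results = [_selection_matches(event, detection[n]) for n in names]
    return all(results) if need_all else any(results)
```

Running `to_clickhouse_where()` yields a WHERE expression in which the Image predicate reads `Image ILIKE '%\\\\whoami.exe'`: two backslashes for the LIKE escape, doubled again for the string literal. Comparing a backend's real output against `matches()` on events like these (one mixed-case, one renamed binary, one negative) is a quick way to confirm the translation preserved Sigma's matching semantics.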
Maintainer
Created and maintained by souzo
Dev
Set up your dev environment:
```bash
uv sync
source .venv/bin/activate
```
File details
Details for the file pysigma_backend_clickhouse-0.3.1.tar.gz.
File metadata
- Download URL: pysigma_backend_clickhouse-0.3.1.tar.gz
- Upload date:
- Size: 33.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7c6605131dd70f76f024b0e288caa45833c5a9bec34657a4f89b6af874b8d8b3 |
| MD5 | 038bbbb32fb6312344074349740a0385 |
| BLAKE2b-256 | e75bed5caeb47fafa4c3b35cfd0ec8292dd80895cba4f63a02de0469cc57b4b1 |
File details
Details for the file pysigma_backend_clickhouse-0.3.1-py3-none-any.whl.
File metadata
- Download URL: pysigma_backend_clickhouse-0.3.1-py3-none-any.whl
- Upload date:
- Size: 7.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1ec1e357eb33a0622ea6ceb774c4692cd1a756dedf3893ced6da7056d6faed0e |
| MD5 | b28f2943cb319ed97734aa68539fb049 |
| BLAKE2b-256 | 45be383d49f257009dcd142d0f034aee0803ec5ed61b8a4adf5f7e2a7ebdf6d0 |