pySigma Logpoint backend
pySigma Logpoint Backend
Overview
This is the Logpoint backend for pySigma. It provides the package sigma.backends.logpoint with the Logpoint class. It also contains the processing pipeline sigma.pipelines.logpoint, which performs field mapping and error handling.
The sigma.pipelines.logpoint module includes the following processing pipelines:
- logpoint_windows: converts Sigma rules into queries tailored to the Windows event logging format used by Logpoint.
Rule Support
The Logpoint backend supports the following log sources/rule types:
- Windows Sysmon
- Windows
Usage example
Sigma CLI
Requirements
- To use Sigma CLI (the Sigma Rule Converter) and its underlying library, ensure you have Python version 3.8 or higher installed.
- Install pySigma version 0.11.13, which this backend depends on. Installing other versions may produce errors.
  pip3 install pysigma==0.11.13
- Install sigma-cli, the command-line tool for Sigma rule conversion:
  pip3 install sigma-cli
- After installing Sigma CLI, add the Logpoint backend plugin using one of the following methods:
  sigma plugin install logpoint
  OR
  pip3 install pysigma-backend-logpoint
Converting Sigma Rules
Once the packages are successfully installed, you can convert Sigma rules into Logpoint queries using the command below. For example, to convert the Suspicious Process Masquerading As SvcHost.EXE rule:
sigma convert -t logpoint -p logpoint_windows rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
Output
╭─ubuntu@ubuntu
╰─$ sigma convert -t logpoint -p logpoint_windows rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
Parsing Sigma rules [####################################] 100%
label="Create" label="Process" "process"="*\svchost.exe" - ("process" IN ["C:\Windows\System32\svchost.exe", "C:\Windows\SysWOW64\svchost.exe"] OR file="svchost.exe")
Limitations and Constraints
This backend is in its preliminary stage, which means there may be issues with query conversion from uncommon log types and it does not yet support conversion from all log sources covered by Sigma. Attempting to convert such rule types may result in an error.
This backend is currently maintained by Logpoint, with contributions from the following individuals:
Report Issues
If you encounter any issues, please don't hesitate to open a new issue.
Hashes for pysigma_backend_logpoint-0.2.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 1a4ae8f2ac0f6521373d56155de7195a04c2bb221f03d3c93731411425e20447
MD5 | f228ede54e73bd210e2c2c90fb15e2e9
BLAKE2b-256 | 97f92508c8105620af34a28e1f8984031a0a83c1b83c00e29355043beecfb740
Hashes for pysigma_backend_logpoint-0.2.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 67bacca7c4f71b8420e8e29576749fc560d3de0b83741582be3641486f5d46a6
MD5 | 85b774cc64d28315c3d4dc76c6a16665
BLAKE2b-256 | b8ffb63a243ee1a100a220596f1ed1f8d141f5626ef08e747fde619577f1200d
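The install step above pulls pysigma-backend-logpoint from PyPI, and the tables list the digests of the two 0.2.0 distribution files. The script below, an added example that is not part of the project, checks a downloaded distribution against those published digests before it is installed; the digest values are copied from the tables on this page, the file path and the assumed use of "pip3 download" to fetch the file are the only inputs, and SHA256 is the comparison that carries weight (MD5 is checked only because PyPI publishes it).

```python
"""Verify a downloaded pysigma-backend-logpoint distribution against the
digests published on its PyPI page before running pip3 install on it.

Added example, not code from the pysigma-backend-logpoint project.
Assumed workflow: fetch the file first, e.g.
    pip3 download pysigma-backend-logpoint==0.2.0 --no-deps -d dist/
then run this script on dist/<file> and install only if it passes.
"""
import hashlib
import sys
from pathlib import Path

# Digests exactly as published on the PyPI page for version 0.2.0.
PUBLISHED_DIGESTS = {
    "pysigma_backend_logpoint-0.2.0.tar.gz": {
        "sha256": "1a4ae8f2ac0f6521373d56155de7195a04c2bb221f03d3c93731411425e20447",
        "md5": "f228ede54e73bd210e2c2c90fb15e2e9",
        "blake2b-256": "97f92508c8105620af34a28e1f8984031a0a83c1b83c00e29355043beecfb740",
    },
    "pysigma_backend_logpoint-0.2.0-py3-none-any.whl": {
        "sha256": "67bacca7c4f71b8420e8e29576749fc560d3de0b83741582be3641486f5d46a6",
        "md5": "85b774cc64d28315c3d4dc76c6a16665",
        "blake2b-256": "b8ffb63a243ee1a100a220596f1ed1f8d141f5626ef08e747fde619577f1200d",
    },
}

ALGORITHMS = ("sha256", "md5", "blake2b-256")


def _hasher(algorithm: str):
    """Map a PyPI algorithm label to a hashlib object.
    PyPI's "BLAKE2b-256" means BLAKE2b truncated to a 32-byte digest,
    not hashlib's 64-byte default."""
    if algorithm == "blake2b-256":
        return hashlib.blake2b(digest_size=32)
    if algorithm in ("sha256", "md5"):
        return hashlib.new(algorithm)
    raise ValueError(f"unsupported algorithm: {algorithm}")


def compute_digests(data: bytes) -> dict:
    """Return lowercase hex digests of `data` for every listed algorithm."""
    digests = {}
    for algorithm in ALGORITHMS:
        h = _hasher(algorithm)
        h.update(data)
        digests[algorithm] = h.hexdigest()
    return digests


def verify_digests(data: bytes, expected: dict) -> list:
    """Return the list of algorithms whose published digest does not match
    `data`. An empty list means every published digest matched."""
    actual = compute_digests(data)
    return [alg for alg, hexdigest in expected.items()
            if actual.get(alg, "").lower() != hexdigest.lower()]


def verify_bytes(filename: str, data: bytes) -> bool:
    """True only if `data` matches every digest published for `filename`.
    Raises KeyError for a file name that has no published digests, so an
    unexpected artifact name is a failure rather than a silent pass."""
    expected = PUBLISHED_DIGESTS[filename]
    return not verify_digests(data, expected)


def verify_distribution(path) -> bool:
    """Verify a downloaded distribution file by its basename."""
    path = Path(path)
    return verify_bytes(path.name, path.read_bytes())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_dist.py <downloaded distribution file>")
    ok = verify_distribution(sys.argv[1])
    print("digests match" if ok else "DIGEST MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

A zero exit status means it is safe to run "pip3 install dist/<file>" on the verified artifact; a mismatch on any algorithm, or a file name the page does not list, fails the check. The same comparison can be expressed as pip's own "--require-hashes" requirement pin, but doing it explicitly makes clear which published value was compared.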