pySigma Loki backend
Project description
pySigma Loki Backend
This is the Loki backend for pySigma. It provides the package sigma.backends.loki with the LogQLBackend class.
It supports the following output formats:
default: plain Loki LogQL queriesruler: creates Loki LogQL queries in the ruler (YAML) format for generating alerts
It includes the following pipeline transformations in sigma.pipelines.loki:
SetCustomAttributeTransformation: adds a specified custom attribute to a rule, which can be used to introduce a stream selector or parser expression into the generated query- The
LokiCustomAttributesenum contains the relevant custom attribute names used by the backend
- The
Further, it contains the processing pipelines in sigma.pipelines.loki:
loki_log_parser: converts field names to logfmt labels used by Grafanaloki_promtail_sysmon_message: parse and adjust field names for Windows sysmon data produced by promtail- Note: most rules lack the
sysmonservice tag, and hence this pipeline should be used in combination with the generic sysmon pipeline
- Note: most rules lack the
This backend is currently maintained by:
Installation
To get started developing/testing pySigma-backend-loki, these steps may help you get started:
- Install poetry
- Clone this repository and open a terminal/shell in the top-level directory
- Run
poetry installto install the Python dependencies - Run
poetry shellto activate the poetry environment - Check it all works by running
poetry run pytest - (Optional) If you wish to validate the generated rules using sigma_backend_tester.py, install LogCLI
Work in progress
These features are currently either WIP or are planned to be implemented in the near future.
- Various processing pipelines for other applications and log sources
- Generating more accurate log stream selectors based on logsource
- Translate field names in Sigma signatures into relevant labels for Loki using pipelines
Won't implement (probably)
These features are not easily supported by the backend, and hence are unlikely to be implemented.
- More complex keyword/line filter searches than ANDs of ORs
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pysigma_backend_loki-0.4.0.tar.gz.
File metadata
- Download URL: pysigma_backend_loki-0.4.0.tar.gz
- Upload date:
- Size: 17.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.0 CPython/3.8.15 Linux/5.15.0-1030-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | d4a13cf1f9773e252379d23fd80d5e4f92ef5aa330b5fc300b236bb9e4adbe9e |
|
| MD5 | e6f468f323beafe4b07a094fe80008bd |
|
| BLAKE2b-256 | ca32d48d05d47aea919be308a0c7dd9d10a9448f0afbc903ac08a58e2d93aef0 |
File details
Details for the file pysigma_backend_loki-0.4.0-py3-none-any.whl.
File metadata
- Download URL: pysigma_backend_loki-0.4.0-py3-none-any.whl
- Upload date:
- Size: 16.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.0 CPython/3.8.15 Linux/5.15.0-1030-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | cc4bb47301a89a7c4e157700263081c86f62dcaefefdd192e5da12a75293aff4 |
|
| MD5 | e2fc9a2e4316bac9c0c951954ca070e9 |
|
| BLAKE2b-256 | 7535cf1647e69befefed1cfa59ca5b10720afbb7ccef0479c933a7d8dbcef5d5 |
