sigma.serializer.elastic module¶

class sigma.serializer.elastic.ElasticSecurityActionType(value)¶

Bases: str, enum.Enum

An enumeration.

EMAIL = 'email'¶

PAGERDUTY = 'pagerduty'¶

SLACK = 'slack'¶

WEBHOOK = 'webhook'¶

class sigma.serializer.elastic.ElasticSecurityBaseAction(*, type: sigma.serializer.elastic.ElasticSecurityActionType, group: str = 'default', id: str, tags: List[sigma.schema.RuleTag] = [])¶

Bases: pydantic.main.BaseModel

Schema for Elastic Security Rule actions

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'type': 'action-type', 'group': 'default', 'id': 'connector-id', 'tags': ['my_custom_tag']}]}¶

group: str¶: Optionally groups actions by use cases. Use default for alert notifications.

id: str¶: The connector ID

tags: List[sigma.schema.RuleTag]¶: List of tags to filter action application. If any of the given tags matches a rule, this action will be applied to the rule. If no tags are given, the action will be applied to all serialized rules.

to_rule_format() → Dict[str, Any]¶: Convert this elastic security action into a rule-compliant dictionary

type: sigma.serializer.elastic.ElasticSecurityActionType¶: The connector type used for sending notifications

class sigma.serializer.elastic.ElasticSecurityEmailAction(*, type: typing.Literal[<ElasticSecurityActionType.EMAIL: 'email'>], group: str = 'default', id: str, tags: typing.List[sigma.schema.RuleTag] = [], to: typing.List[str] = None, cc: typing.List[str] = None, bcc: typing.List[str] = None, subject: str = None, message: str)¶

Bases: sigma.serializer.elastic.ElasticSecurityBaseAction

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'type': 'email', 'group': 'default', 'id': 'connector-id', 'tags': ['my_custom_tag'], 'to': 'security@company.com', 'subject': 'NEW ALERT', 'message': 'OH NO! {{ context.rule.name }} FIRED!'}]}¶

bcc: Optional[List[str]]¶

cc: Optional[List[str]]¶

message: str¶

subject: Optional[str]¶

to: Optional[List[str]]¶

to_rule_format() → Dict[str, Any]¶: Convert this elastic security action into a rule-compliant dictionary

type: Literal[<ElasticSecurityActionType.EMAIL: 'email'>]¶: The connector type used for sending notifications

class sigma.serializer.elastic.ElasticSecurityPagerDutyAction(*, type: typing.Literal[<ElasticSecurityActionType.PAGERDUTY: 'pagerduty'>], group: str = None, id: str, tags: typing.List[sigma.schema.RuleTag] = [], severity: str, event_action: str, dedup_key: str = None, timestamp: datetime.datetime = None, component: str = None, source: str = None, summary: str = None, clazz: str = None)¶

Bases: sigma.serializer.elastic.ElasticSecurityBaseAction

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'type': 'slack', 'group': 'default', 'id': 'connector-id', 'tags': ['my_custom_tag'], 'severity': 'Critical', 'event_action': 'trigger'}]}¶

clazz: Optional[str]¶

component: Optional[str]¶

dedup_key: Optional[str]¶

event_action: str¶

group: Optional[str]¶: Optionally groups actions by use cases. Use default for alert notifications.

severity: str¶

source: Optional[str]¶

summary: Optional[str]¶

timestamp: Optional[datetime.datetime]¶

to_rule_format() → Dict[str, Any]¶: Convert this elastic security action into a rule-compliant dictionary

type: Literal[<ElasticSecurityActionType.PAGERDUTY: 'pagerduty'>]¶: The connector type used for sending notifications

class sigma.serializer.elastic.ElasticSecurityRule(*args, **kwargs)¶

Bases: sigma.serializer.Serializer

Serialize to a JSON Elastic Security Rule

DEFAULT_FORMAT: ClassVar[Optional[str]] = 'json'¶: Default format name when using dumps (used to highlight output)

class Schema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]), enable_rule: bool = False, interval: str = '5m', language: Union[Literal['eql'], Literal['kql'], Literal['lucene']] = 'eql', output_index: str = '.siem-signals-default', max_signals: int = 100, risk_map: Dict[str, int] = {'critical': 95, 'high': 65, 'low': 5, 'medium': 35}, risk_default: int = 35, severity_map: Dict[str, str] = {'critical': 'critical', 'high': 'high', 'informational': 'low', 'low': 'low', 'medium': 'medium'}, severity_default: str = 'medium', timestamp_override: str = None, actions: List[Union[sigma.serializer.elastic.ElasticSecurityWebhookAction, sigma.serializer.elastic.ElasticSecurityEmailAction, sigma.serializer.elastic.ElasticSecuritySlackAction, sigma.serializer.elastic.ElasticSecurityPagerDutyAction]] = [])¶

Bases: sigma.serializer.CommonSerializerSchema

Elastic Security Rule Configuration Schema

class Config¶

Bases: sigma.util.CopyableSchema

extra = 'forbid'¶

schema_extra = {'examples': [{'name': 'Serializer', 'description': 'A serializer', 'transforms': [], 'base': 'es-rule', 'logsource': {'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}, 'enable_rule': True, 'interval': '5m', 'language': 'eql', 'output_index': '.siem-signals-default', 'max_signals': 100, 'risk_map': {'low': 0, 'medium': 25, 'high': 75, 'critical': 100}, 'risk_default': 10, 'timestamp_override': 'event.ingested', 'actions': [{'type': 'slack', 'group': 'default', 'id': 'connector-id', 'tags': ['my_custom_tag'], 'message': 'OH NO! {{ context.rule.name }} FIRED!'}]}]}¶

actions: List[Union[sigma.serializer.elastic.ElasticSecurityWebhookAction, sigma.serializer.elastic.ElasticSecurityEmailAction, sigma.serializer.elastic.ElasticSecuritySlackAction, sigma.serializer.elastic.ElasticSecurityPagerDutyAction]]¶: List of actions to attach to this rule

enable_rule: bool¶: Set the enable field in the resulting rule to True

interval: str¶: Rule test interval

language: Union[Literal['eql'], Literal['kql'], Literal['lucene']]¶: The rule query type

max_signals: int¶

output_index: str¶: Output index for rule alerts

risk_default: int¶: Default risk value if the given level is not in the risk map or not provided

risk_map: Dict[str, int]¶: Mapping of sigma rule levels to risk values

severity_default: str¶: Default severity value if the level is not in the above map

severity_map: Dict[str, str]¶: Mapping of sigma rule levels to severity values

timestamp_override: Optional[str]¶: Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

dumps(rule: List[sigma.schema.Rule], format: Optional[str] = None, pretty: bool = False, ignore_skip: bool = False) → str¶: Dump the rule as a string in either JSON or YAML format

property eql: sigma.serializer.Serializer¶

property kql: sigma.serializer.Serializer¶

property lucene: sigma.serializer.Serializer¶

merge_config(config: Dict[str, Any])¶: Merge the given configuration into our current schema config

schema: sigma.serializer.elastic.ElasticSecurityRule.Schema¶

serialize(rule: sigma.schema.Rule, transform: bool = True) → Dict[str, Any]¶: Serialize the rule(s) to a dictionary representing an Elastic Security EQL rule.

class sigma.serializer.elastic.ElasticSecuritySlackAction(*, type: typing.Literal[<ElasticSecurityActionType.SLACK: 'slack'>], group: str = 'default', id: str, tags: typing.List[sigma.schema.RuleTag] = [], message: str)¶

Bases: sigma.serializer.elastic.ElasticSecurityBaseAction

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'type': 'slack', 'group': 'default', 'id': 'connector-id', 'tags': ['my_custom_tag'], 'message': 'OH NO! {{ context.rule.name }} FIRED!'}]}¶

message: str¶

to_rule_format() → Dict[str, Any]¶: Convert this elastic security action into a rule-compliant dictionary

type: Literal[<ElasticSecurityActionType.SLACK: 'slack'>]¶: The connector type used for sending notifications

class sigma.serializer.elastic.ElasticSecurityWebhookAction(*, type: typing.Literal[<ElasticSecurityActionType.WEBHOOK: 'webhook'>], group: str = 'default', id: str, tags: typing.List[sigma.schema.RuleTag] = [], body: typing.Any = None)¶

Bases: sigma.serializer.elastic.ElasticSecurityBaseAction

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'type': 'slack', 'group': 'default', 'id': 'connector-id', 'tags': ['my_custom_tag'], 'body': {'my_custom': 'data'}}]}¶

body: Any¶

to_rule_format() → Dict[str, Any]¶: Convert this elastic security action into a rule-compliant dictionary

type: Literal[<ElasticSecurityActionType.WEBHOOK: 'webhook'>]¶: The connector type used for sending notifications

class sigma.serializer.elastic.EventQueryLanguage(schema: sigma.serializer.TextQuerySerializer.Schema)¶

Bases: sigma.serializer.TextQuerySerializer

Elastic EQL Serializer

class Schema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]), quote: str = '"{}"', escape: str = '\\{}', list_separator: str = ',', or_format: str = '{} or {}', and_format: str = '{} and {}', not_format: str = 'not {}', grouping: str = '({})', escaped_characters: str = '(["\\\\])', field_equality: str = '{} == {}', field_like: str = '{}: {}', field_match: str = '{}: {}', field_regex: str = '{} regex {}', field_not_empty: str = '?{field} != null', keyword: str = '{}', field_startswith: str = None, field_endswith: str = None, field_contains: str = None, field_lookup: str = '{}: {}', field_lookup_regex: str = '{} regex {}', bool_true: str = 'true', bool_false: str = 'false', prepend_result: str = '', rule_separator: str = '\n')¶

Bases: sigma.serializer.TextQuerySerializer.Schema

Text Query configuration options which define how to combine the logical expressions into the correct query syntax for your detection engine.

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'name': 'Serializer', 'description': 'A serializer', 'transforms': [], 'base': 'eql', 'logsource': {'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}}]}¶

and_format: str¶: A format string to construct an AND expression (e.g. “{} or {}”)

escape: str¶: The character used to escape the following character in a string

escaped_characters: str¶: Characters aside from the quote and escape character that require escaping

field_contains: Optional[str]¶: A format string to test if a field contains another string

field_endswith: Optional[str]¶: A format string to test if a field ends with a string

field_equality: str¶: A format string to test field equality (e.g. “{} == {}”)

field_like: str¶: Format for matching a field to a single pattern (e.g. “{} like~ {}”)

field_lookup: str¶: Format for matching a field to a list of patterns (e.g. “{} like~ {}”)

field_lookup_regex: str¶: Format for matching a field to a list of regex patterns (e.g. “{} regex {}”)

field_match: str¶: A format string to test a field with a globbing pattern (e.g. “{}: {}”)

field_not_empty: Optional[str]¶: Test if a field exists

field_regex: str¶: A format string to test if a field matches a regex (e.g. “{} match {}”)

field_startswith: Optional[str]¶: A format string to test if a field starts with a string

grouping: str¶: A format string to construct a grouping (e.g. “({})”)

keyword: str¶: A format string to match a keyword across all fields (e.g. “{}”)

list_separator: str¶: The string used to separate list items

not_format: str¶: A format string to construct a NOT expression (e.g. “not {}”)

or_format: str¶: A format string to construct an OR expression (e.g. “{} or {}”)

prepend_result: str¶: String to prepend to the resulting query

quote: str¶: The character used for literal escapes in strings

rule_separator: str¶: Separator for when outputting multiple rules to a file

serialize(rule: sigma.schema.Rule, transform: bool = True) → str¶

Serialize the rule to a single text query

Parameters

rule (Rule) – a rule to be serialized
transform (bool) – whether to apply transformations (default: True)

Return type

str

Returns

the serialized rule

transforms: List[Transformation]¶

class sigma.serializer.elastic.KibanaQueryLanguage(schema: sigma.serializer.TextQuerySerializer.Schema)¶

Bases: sigma.serializer.TextQuerySerializer

Kibana Query Language Serialize

class Schema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]), quote: str = '{}', escape: str = '\\{}', list_separator: str = ' OR ', or_format: str = '{} OR {}', and_format: str = '{} AND {}', not_format: str = 'NOT {}', grouping: str = '({})', escaped_characters: str = '(["\\\\:])', field_equality: str = '{}:{}', field_like: str = '{}:{}', field_match: str = '{}:{}', field_regex: str = None, field_not_empty: str = '{field}:*', keyword: str = '{}', field_startswith: str = None, field_endswith: str = None, field_contains: str = None, field_lookup: str = '{}:{}', field_lookup_regex: str = None, bool_true: str = 'true', bool_false: str = 'false', rule_separator: str = '\n')¶

Bases: sigma.serializer.TextQuerySerializer.Schema

Text Query configuration options which define how to combine the logical expressions into the correct query syntax for your detection engine.

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'name': 'Serializer', 'description': 'A serializer', 'transforms': [], 'base': 'kql', 'logsource': {'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}}]}¶

and_format: str¶: A format string to construct an AND expression (e.g. “{} or {}”)

escape: str¶: The character used to escape the following character in a string

escaped_characters: str¶: Characters aside from the quote and escape character that require escaping

field_contains: Optional[str]¶: A format string to test if a field contains another string

field_endswith: Optional[str]¶: A format string to test if a field ends with a string

field_equality: str¶: A format string to test field equality (e.g. “{} == {}”)

field_like: str¶: Format for matching a field to a single pattern (e.g. “{} like~ {}”)

field_lookup: str¶: Format for matching a field to a list of patterns (e.g. “{} like~ {}”)

field_lookup_regex: Optional[str]¶: Format for matching a field to a list of regex patterns (e.g. “{} regex {}”)

field_match: str¶: A format string to test a field with a globbing pattern (e.g. “{}: {}”)

field_not_empty: Optional[str]¶: Test if a field exists

field_regex: Optional[str]¶: A format string to test if a field matches a regex (e.g. “{} match {}”)

field_startswith: Optional[str]¶: A format string to test if a field starts with a string

grouping: str¶: A format string to construct a grouping (e.g. “({})”)

keyword: str¶: A format string to match a keyword across all fields (e.g. “{}”)

list_separator: str¶: The string used to separate list items

not_format: str¶: A format string to construct a NOT expression (e.g. “not {}”)

or_format: str¶: A format string to construct an OR expression (e.g. “{} or {}”)

quote: str¶: The character used for literal escapes in strings

rule_separator: str¶: Separator for when outputting multiple rules to a file

transforms: List[Transformation]¶

class sigma.serializer.elastic.LuceneQueryLanguage(schema: sigma.serializer.TextQuerySerializer.Schema)¶

Bases: sigma.serializer.TextQuerySerializer

LuceneQueryLanguage Serializer

class Schema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]), quote: str = '{}', escape: str = '\\{}', list_separator: str = ' OR ', or_format: str = '{} {}', and_format: str = '{} AND {}', not_format: str = 'NOT {}', grouping: str = '({})', escaped_characters: str = '([+\\=!(){}\\[\\]^"~:/]|(?<!\\\\)\\\\(?![*?\\\\])|\\\\u|&&|\\|\\|)', field_equality: str = '{}:{}', field_like: str = '{}:{}', field_match: str = '{}:{}', field_regex: str = '{}:/{}/', field_not_empty: str = '_exists_:{field}', keyword: str = '{}', field_startswith: str = None, field_endswith: str = None, field_contains: str = None, field_lookup: str = '{}:{}', field_lookup_regex: str = None, bool_true: str = 'true', bool_false: str = 'false', rule_separator: str = '\n')¶

Bases: sigma.serializer.TextQuerySerializer.Schema

Text Query configuration options which define how to combine the logical expressions into the correct query syntax for your detection engine.

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'name': 'Serializer', 'description': 'A serializer', 'transforms': [], 'base': 'kql', 'logsource': {'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}}]}¶

and_format: str¶: A format string to construct an AND expression (e.g. “{} or {}”)

escape: str¶: The character used to escape the following character in a string

escaped_characters: str¶: Characters aside from the quote and escape character that require escaping

field_contains: Optional[str]¶: A format string to test if a field contains another string

field_endswith: Optional[str]¶: A format string to test if a field ends with a string

field_equality: str¶: A format string to test field equality (e.g. “{} == {}”)

field_like: str¶: Format for matching a field to a single pattern (e.g. “{} like~ {}”)

field_lookup: str¶: Format for matching a field to a list of patterns (e.g. “{} like~ {}”)

field_lookup_regex: Optional[str]¶: Format for matching a field to a list of regex patterns (e.g. “{} regex {}”)

field_match: str¶: A format string to test a field with a globbing pattern (e.g. “{}: {}”)

field_not_empty: Optional[str]¶: Test if a field exists

field_regex: Optional[str]¶: A format string to test if a field matches a regex (e.g. “{} match {}”)

field_startswith: Optional[str]¶: A format string to test if a field starts with a string

grouping: str¶: A format string to construct a grouping (e.g. “({})”)

keyword: str¶: A format string to match a keyword across all fields (e.g. “{}”)

list_separator: str¶: The string used to separate list items

not_format: str¶: A format string to construct a NOT expression (e.g. “not {}”)

or_format: str¶: A format string to construct an OR expression (e.g. “{} or {}”)

quote: str¶: The character used for literal escapes in strings

rule_separator: str¶: Separator for when outputting multiple rules to a file

transforms: List[Transformation]¶

sigma.serializer.elastic module¶

Related Topics

This Page