sigma.serializer package¶
Serializers are used to convert a rule from the in-memory python representation
to other arbitrary formats (such as Splunk queries or Elastic EQL queries). A
serializer inherits from Serializer
and defines the
serialize()
method which can return an arbitrary object
which represents the serialized detection rule.
- class sigma.serializer.CommonSerializerSchema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]))¶
Bases:
pydantic.main.BaseModel
Base serializer schema which all schemas should inherit. Every serializer configuration is required to, at a minimum, conform to this schema. Custom serializers simply build off of this definition.
The base definition is one of the following
A built-in serializer name (as seen in
sigma list serializer
).Path to a YAML serializer config
A fully qualified class name (e.g.
package.module:ClassName
).
Each transform definition must conform to the schema for the transform type, and at a minimum the
Base Transformation Schema
.- class Config¶
Bases:
sigma.util.CopyableSchema
- schema_extra = {'examples': [{'name': 'Serializer', 'description': 'A serializer', 'transforms': [], 'base': 'base_class', 'logsource': {'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}}]}¶
- base: str¶
The base type for this serialization. This is either the name of a builtin serializer class (e.g. TextQuerySerializer) or the name of another serialization schema file. If the latter case, the transforms from this serializer will be appended to the base, and any further configuration is ignored.
- description: Optional[str]¶
Description of the schema
- logsource: sigma.serializer.LogSourceRules¶
Rules to match log sources to indices
- name: str¶
Arbitrary name for this serialization schema
- transforms: Optional[List[sigma.transform.Transformation.Schema]]¶
List of transforms to be applied
- class sigma.serializer.LogSourceMatch(*, name: str = None, product: str = None, service: str = None, category: str = None, conditions: sigma.schema.RuleDetectionFields = None, index: Optional[Union[str, List[str]]] = None)¶
Bases:
pydantic.main.BaseModel
A single log source matching rule. The fields
product
,service
andcategory
are optional, but if specified must equal their respective fields inRule.logsource
.The provided
conditions
are in the same format as a field selector within the Sigma rule itself, and can contain any of the common modifiers. The given conditions are joined with a logical AND expression to any matching rules.The
index
can either be a string or list of strings and is used by some serializers to restrict the index on which the log search query is made.The name field is not used internally, but is helpful to organize your serializer configuration if you have multiple different logsource matching sections.
- class Config¶
Bases:
sigma.util.CopyableSchema
- schema_extra = {'examples': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}¶
- category: Optional[str]¶
Category name match
- compare(rule: sigma.schema.Rule) bool ¶
Test if
Rule.logsource <sigma.schema.Rule.logsource
matches this logsource definition.- Parameters
rule (Rule) – the rule to test
- Return type
bool
- Returns
True if the rule’s logsource details match this definition
- conditions: Optional[sigma.schema.RuleDetectionFields]¶
List of field selectors to add to matching condition
- index: Optional[Union[str, List[str]]]¶
One or more indices to search
- name: Optional[str]¶
The matching rule name
- product: Optional[str]¶
Product match
- service: Optional[str]¶
Service name match
- classmethod validate_detection(v)¶
Validate the schema for the
- class sigma.serializer.LogSourceRules(*, defaultindex: Optional[Union[str, List[str]]] = [], merging: Union[Literal['or'], Literal['and']] = 'or', rules: List[sigma.serializer.LogSourceMatch] = [])¶
Bases:
pydantic.main.BaseModel
This class represents the
logsource
field of a serializer definition, and controls the selection of indices based on matching rule logsource details to a list of logsource criteria.A serializer can use the
match_rule()
method to identify matching logsource criteria defined by the serializer configuration and a list of matching indices to use when serializing the rule.- class Config¶
Bases:
sigma.util.CopyableSchema
- schema_extra = {'examples': [{'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}]}¶
- defaultindex: Optional[Union[str, List[str]]]¶
The default index if no log sources match or no indices defined
- match_rule(rule: sigma.schema.Rule) Tuple[List[str], sigma.schema.Rule] ¶
Match the given rule to one or more logsource matches and return a list of indices and a (possibly modified) rule. This process is similar to a rule transformation, but matches rules to LogSourceMatches by inspecting the
Rule.logsource
field.If no
LogSourceMatch
’s match this rule or no indices are defined in the match objects, the default index will be returned. The indices returned will always be a list regardless of the length. If no default index is defined, then the first item in the returned tuple could be an empty list.The rule may have one or more conditional expressions joined to the original expression with a logical AND expression based on the conditions defined in one or more
LogSourceMatch
matches and themerging
property.
- merging: Union[Literal['or'], Literal['and']]¶
how to merge multiple matching log sources
- rules: List[sigma.serializer.LogSourceMatch]¶
List of log source matching rules
- class sigma.serializer.Serializer(schema: sigma.serializer.CommonSerializerSchema)¶
Bases:
abc.ABC
Base serialization class for Sigma rules. This class facilitates the transformation and serialization of sigma rules into a variety of arbitrary formats.
- DEFAULT_FORMAT: ClassVar[Optional[str]] = None¶
Default format name when using dumps (used to highlight output)
- Schema: ClassVar[Type[sigma.serializer.CommonSerializerSchema]]¶
The type for this serializers config schema
- apply_rule_transform(rule: sigma.schema.Rule) sigma.schema.Rule ¶
Apply all rule and expression transformations, returning either a modified rule or a completely new rule depending on the transformations defined.
- abstract dumps(rule: List[sigma.schema.Rule], format: Optional[str] = None, pretty: bool = False, ignore_skip: bool = False) str ¶
Serialize the given rule(s) and return a string representation. Regardless of the number of rules passed, this method should always return a single string in the requested format. Formats are things like “raw”, “yaml”, or “json”. If the requested format is not supported, an
UnsupportedSerializerFormat
exception should be raised. If no format is given, this method should use the default format for the serializer.- Parameters
rule (List[Rule]) – list of rules to serialize and dump
format (str) – a format for dumping (e.g. “yaml” or “json”)
pretty (bool) – dump pretty-formatted output (default: false)
ignore_skip – If true, log and ignore SkipRule exceptions (default: false)
- Return type
str
- Returns
A string representation of the rule in the new target format
- classmethod from_dict(definition: Dict[str, Any]) sigma.serializer.Serializer ¶
Construct a serializer from a dictionary definition conforming, at a minimum, to the
CommonSerializerSchema
schema. Other configuration may be necessary to construct the given base serializer class.- Parameters
definition (Dict[str, Any]) – a dictionary serializer configuration
- Return type
- Returns
A new serializer instance of the requested type
- classmethod from_yaml(path: Union[pathlib.Path, str, importlib.abc.Traversable]) sigma.serializer.Serializer ¶
Construct a serializer from a definition in a yaml file. This is the same as loading the YAML into a python dictionary and using
Serializer.from_dict()
.- Parameters
path (Union[pathlib.Path, str, Traversable]) – a path-like object or string path to a YAML serializer definition
- Return type
- Returns
A new serializer instance of the requested type
- classmethod load(name: str, config: Optional[Union[Dict[str, Any], sigma.serializer.CommonSerializerSchema]] = None)¶
Load a serializer definition from any of:
Built-in definitions (see
sigma list serializers
)A local file path
A fully qualified Python class path (e.g.
package.module:ClassName
)
If the provided name refers to a named serializer class or a fully qualified class name, then you should also provide the associated configuration dictionary to initialize the class. If no configuration is provided, an empty dictionary is passed to the classes initializer which could cause errors.
If the provided name refers to a serializer definition file (built-in or local), then the configuration argument is ignored.
- Parameters
name (str) – name of the serializer to load
- Return type
- Returns
A constructed serializer class from the given name/type
- merge_config(config: sigma.serializer.CommonSerializerSchema)¶
Merge the given configuration into our current schema config
- abstract serialize(rule: sigma.schema.Rule, transform: bool = True) Any ¶
Serialize the given sigma rule into a new format. The return value can be any python object which represents the equivalent rule in a new format.
- Parameters
rule (Rule) – a rule to serialize
transform (bool) – whether to apply transformations (default: True, mainly used internally for inheritence)
- Return type
Any
- Returns
The serialized representation of the rule or a list of serialized representations.
- transform(rule: sigma.schema.Rule) Iterator[sigma.schema.Rule] ¶
- class sigma.serializer.TextQuerySerializer(schema: sigma.serializer.TextQuerySerializer.Schema)¶
Bases:
sigma.serializer.Serializer
A basic serializer which only produces a static text query based on the condition and detection fields.
- Parameters
schema (Schema) – A valid TextQuerySerializer configuration schema
- class Schema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]), quote: str, escape: str, list_separator: str, or_format: str, and_format: str, not_format: str, grouping: str, escaped_characters: str, field_equality: str, field_like: str, field_match: str, field_regex: str, field_not_empty: str, keyword: str, field_startswith: str = None, field_endswith: str = None, field_contains: str = None, field_lookup: str = None, field_lookup_regex: str = None, bool_true: str = 'true', bool_false: str = 'false')¶
Bases:
sigma.serializer.CommonSerializerSchema
Text Query configuration options which define how to combine the logical expressions into the correct query syntax for your detection engine.
- and_format: str¶
A format string to construct an AND expression (e.g. “{} or {}”)
- bool_false: str¶
Representation of a negative boolean value
- bool_true: str¶
Representation of a positive boolean value
- escape: str¶
The character used to escape the following character in a string
- escaped_characters: str¶
Characters aside from the quote and escape character that require escaping
- field_contains: Optional[str]¶
A format string to test if a field contains another string
- field_endswith: Optional[str]¶
A format string to test if a field ends with a string
- field_equality: str¶
A format string to test field equality (e.g. “{} == {}”)
- field_like: str¶
Format for matching a field to a single pattern (e.g. “{} like~ {}”)
- field_lookup: Optional[str]¶
Format for matching a field to a list of patterns (e.g. “{} like~ {}”)
- field_lookup_regex: Optional[str]¶
Format for matching a field to a list of regex patterns (e.g. “{} regex {}”)
- field_match: str¶
A format string to test a field with a globbing pattern (e.g. “{}: {}”)
- field_not_empty: str¶
Test if a field exists
- field_regex: str¶
A format string to test if a field matches a regex (e.g. “{} match {}”)
- field_startswith: Optional[str]¶
A format string to test if a field starts with a string
- grouping: str¶
A format string to construct a grouping (e.g. “({})”)
- keyword: str¶
A format string to match a keyword across all fields (e.g. “{}”)
- list_separator: str¶
The string used to separate list items
- not_format: str¶
A format string to construct a NOT expression (e.g. “not {}”)
- or_format: str¶
A format string to construct an OR expression (e.g. “{} or {}”)
- quote: str¶
The character used for literal escapes in strings
- dumps(rule: List[sigma.schema.Rule], format: Optional[str] = None, pretty: bool = False, ignore_skip: bool = True) str ¶
The rule(s) to a string. In the case of a TextQuerySerializer, this is the same as dumping the rule(s) directly, with newlines separating
- serialize(rule: sigma.schema.Rule, transform: bool = True) str ¶
Serialize the rule to a single text query
- Parameters
rule (Rule) – a rule to be serialized
transform (bool) – whether to apply transformations (default: True)
- Return type
str
- Returns
the serialized rule
- transforms: List[sigma.transform.Transformation]¶
- sigma.serializer.get_builtin_serializers() Generator[Tuple[str, str], None, None] ¶
Iterate over built-in serializers. This method is a generator which yields a tuple of [name, description] for all built-in serializers.
- sigma.serializer.get_serializer_class(name: str) Type[sigma.serializer.Serializer] ¶
Retrieve the class backing the given serializer