sigma.serializer package¶

Serializers are used to convert a rule from the in-memory python representation to other arbitrary formats (such as Splunk queries or Elastic EQL queries). A serializer inherits from Serializer and defines the serialize() method which can return an arbitrary object which represents the serialized detection rule.

class sigma.serializer.CommonSerializerSchema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]))¶

Bases: pydantic.main.BaseModel

Base serializer schema which all schemas should inherit. Every serializer configuration is required to, at a minimum, conform to this schema. Custom serializers simply build off of this definition.

The base definition is one of the following

A built-in serializer name (as seen in sigma list serializer).
Path to a YAML serializer config
A fully qualified class name (e.g. package.module:ClassName).

Each transform definition must conform to the schema for the transform type, and at a minimum the Base Transformation Schema.

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'name': 'Serializer', 'description': 'A serializer', 'transforms': [], 'base': 'base_class', 'logsource': {'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}}]}¶

base: str¶: The base type for this serialization. This is either the name of a builtin serializer class (e.g. TextQuerySerializer) or the name of another serialization schema file. If the latter case, the transforms from this serializer will be appended to the base, and any further configuration is ignored.

description: Optional[str]¶: Description of the schema

logsource: sigma.serializer.LogSourceRules¶: Rules to match log sources to indices

name: str¶: Arbitrary name for this serialization schema

transforms: Optional[List[sigma.transform.Transformation.Schema]]¶: List of transforms to be applied

class sigma.serializer.LogSourceMatch(*, name: str = None, product: str = None, service: str = None, category: str = None, conditions: sigma.schema.RuleDetectionFields = None, index: Optional[Union[str, List[str]]] = None)¶

Bases: pydantic.main.BaseModel

A single log source matching rule. The fields product, service and category are optional, but if specified must equal their respective fields in Rule.logsource.

The provided conditions are in the same format as a field selector within the Sigma rule itself, and can contain any of the common modifiers. The given conditions are joined with a logical AND expression to any matching rules.

The index can either be a string or list of strings and is used by some serializers to restrict the index on which the log search query is made.

The name field is not used internally, but is helpful to organize your serializer configuration if you have multiple different logsource matching sections.

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}¶

category: Optional[str]¶: Category name match

compare(rule: sigma.schema.Rule) → bool¶

Test if Rule.logsource <sigma.schema.Rule.logsource matches this logsource definition.

Parameters: rule (Rule) – the rule to test
Return type: bool
Returns: True if the rule’s logsource details match this definition

conditions: Optional[sigma.schema.RuleDetectionFields]¶: List of field selectors to add to matching condition

index: Optional[Union[str, List[str]]]¶: One or more indices to search

name: Optional[str]¶: The matching rule name

product: Optional[str]¶: Product match

service: Optional[str]¶: Service name match

classmethod validate_detection(v)¶: Validate the schema for the

class sigma.serializer.LogSourceRules(*, defaultindex: Optional[Union[str, List[str]]] = [], merging: Union[Literal['or'], Literal['and']] = 'or', rules: List[sigma.serializer.LogSourceMatch] = [])¶

Bases: pydantic.main.BaseModel

This class represents the logsource field of a serializer definition, and controls the selection of indices based on matching rule logsource details to a list of logsource criteria.

A serializer can use the match_rule() method to identify matching logsource criteria defined by the serializer configuration and a list of matching indices to use when serializing the rule.

class Config¶

Bases: sigma.util.CopyableSchema

schema_extra = {'examples': [{'defaultindex': 'logs-*', 'merging': 'or', 'rules': [{'name': 'logsource match', 'product': 'windows', 'category': 'process_creation', 'index': 'logs-*'}]}]}¶

defaultindex: Optional[Union[str, List[str]]]¶: The default index if no log sources match or no indices defined

match_rule(rule: sigma.schema.Rule) → Tuple[List[str], sigma.schema.Rule]¶

Match the given rule to one or more logsource matches and return a list of indices and a (possibly modified) rule. This process is similar to a rule transformation, but matches rules to LogSourceMatches by inspecting the Rule.logsource field.

If no LogSourceMatch’s match this rule or no indices are defined in the match objects, the default index will be returned. The indices returned will always be a list regardless of the length. If no default index is defined, then the first item in the returned tuple could be an empty list.

The rule may have one or more conditional expressions joined to the original expression with a logical AND expression based on the conditions defined in one or more LogSourceMatch matches and the merging property.

Parameters: rule (Rule) – the rule to match against logsource matches
Return type: Tuple[List[str], Rule]
Returns: A tuple of (list_of_indices, modified_rule)

merging: Union[Literal['or'], Literal['and']]¶: how to merge multiple matching log sources

rules: List[sigma.serializer.LogSourceMatch]¶: List of log source matching rules

class sigma.serializer.Serializer(schema: sigma.serializer.CommonSerializerSchema)¶

Bases: abc.ABC

Base serialization class for Sigma rules. This class facilitates the transformation and serialization of sigma rules into a variety of arbitrary formats.

DEFAULT_FORMAT: ClassVar[Optional[str]] = None¶: Default format name when using dumps (used to highlight output)

Schema: ClassVar[Type[sigma.serializer.CommonSerializerSchema]]¶: The type for this serializers config schema

apply_rule_transform(rule: sigma.schema.Rule) → sigma.schema.Rule¶

Apply all rule and expression transformations, returning either a modified rule or a completely new rule depending on the transformations defined.

Parameters: rule (Rule) – the rule to transform
Return type: Rule
Returns: the transformed rule object (may be different from input)

abstract dumps(rule: List[sigma.schema.Rule], format: Optional[str] = None, pretty: bool = False, ignore_skip: bool = False) → str¶

Serialize the given rule(s) and return a string representation. Regardless of the number of rules passed, this method should always return a single string in the requested format. Formats are things like “raw”, “yaml”, or “json”. If the requested format is not supported, an UnsupportedSerializerFormat exception should be raised. If no format is given, this method should use the default format for the serializer.

Parameters

rule (List[Rule]) – list of rules to serialize and dump
format (str) – a format for dumping (e.g. “yaml” or “json”)
pretty (bool) – dump pretty-formatted output (default: false)
ignore_skip – If true, log and ignore SkipRule exceptions (default: false)

Return type

str

Returns

A string representation of the rule in the new target format

classmethod from_dict(definition: Dict[str, Any]) → sigma.serializer.Serializer¶

Construct a serializer from a dictionary definition conforming, at a minimum, to the CommonSerializerSchema schema. Other configuration may be necessary to construct the given base serializer class.

Parameters: definition (Dict[str, Any]) – a dictionary serializer configuration
Return type: Serializer
Returns: A new serializer instance of the requested type

classmethod from_yaml(path: Union[pathlib.Path, str, importlib.abc.Traversable]) → sigma.serializer.Serializer¶

Construct a serializer from a definition in a yaml file. This is the same as loading the YAML into a python dictionary and using Serializer.from_dict().

Parameters: path (Union[pathlib.Path, str, Traversable]) – a path-like object or string path to a YAML serializer definition
Return type: Serializer
Returns: A new serializer instance of the requested type

classmethod load(name: str, config: Optional[Union[Dict[str, Any], sigma.serializer.CommonSerializerSchema]] = None)¶

Load a serializer definition from any of:

Built-in definitions (see sigma list serializers)
A local file path
A fully qualified Python class path (e.g. package.module:ClassName)

If the provided name refers to a named serializer class or a fully qualified class name, then you should also provide the associated configuration dictionary to initialize the class. If no configuration is provided, an empty dictionary is passed to the classes initializer which could cause errors.

If the provided name refers to a serializer definition file (built-in or local), then the configuration argument is ignored.

Parameters: name (str) – name of the serializer to load
Return type: Serializer
Returns: A constructed serializer class from the given name/type

merge_config(config: sigma.serializer.CommonSerializerSchema)¶: Merge the given configuration into our current schema config

abstract serialize(rule: sigma.schema.Rule, transform: bool = True) → Any¶

Serialize the given sigma rule into a new format. The return value can be any python object which represents the equivalent rule in a new format.

Parameters

rule (Rule) – a rule to serialize
transform (bool) – whether to apply transformations (default: True, mainly used internally for inheritence)

Return type

Any

Returns

The serialized representation of the rule or a list of serialized representations.

transform(rule: sigma.schema.Rule) → Iterator[sigma.schema.Rule]¶

class sigma.serializer.TextQuerySerializer(schema: sigma.serializer.TextQuerySerializer.Schema)¶

Bases: sigma.serializer.Serializer

A basic serializer which only produces a static text query based on the condition and detection fields.

Parameters: schema (Schema) – A valid TextQuerySerializer configuration schema

class Schema(*, name: str, description: str = None, transforms: List[sigma.transform.Transformation.Schema] = None, base: str, logsource: sigma.serializer.LogSourceRules = LogSourceRules(defaultindex=[], merging='or', rules=[]), quote: str, escape: str, list_separator: str, or_format: str, and_format: str, not_format: str, grouping: str, escaped_characters: str, field_equality: str, field_like: str, field_match: str, field_regex: str, field_not_empty: str, keyword: str, field_startswith: str = None, field_endswith: str = None, field_contains: str = None, field_lookup: str = None, field_lookup_regex: str = None, bool_true: str = 'true', bool_false: str = 'false')¶

Bases: sigma.serializer.CommonSerializerSchema

Text Query configuration options which define how to combine the logical expressions into the correct query syntax for your detection engine.

and_format: str¶: A format string to construct an AND expression (e.g. “{} or {}”)

bool_false: str¶: Representation of a negative boolean value

bool_true: str¶: Representation of a positive boolean value

escape: str¶: The character used to escape the following character in a string

escaped_characters: str¶: Characters aside from the quote and escape character that require escaping

field_contains: Optional[str]¶: A format string to test if a field contains another string

field_endswith: Optional[str]¶: A format string to test if a field ends with a string

field_equality: str¶: A format string to test field equality (e.g. “{} == {}”)

field_like: str¶: Format for matching a field to a single pattern (e.g. “{} like~ {}”)

field_lookup: Optional[str]¶: Format for matching a field to a list of patterns (e.g. “{} like~ {}”)

field_lookup_regex: Optional[str]¶: Format for matching a field to a list of regex patterns (e.g. “{} regex {}”)

field_match: str¶: A format string to test a field with a globbing pattern (e.g. “{}: {}”)

field_not_empty: str¶: Test if a field exists

field_regex: str¶: A format string to test if a field matches a regex (e.g. “{} match {}”)

field_startswith: Optional[str]¶: A format string to test if a field starts with a string

grouping: str¶: A format string to construct a grouping (e.g. “({})”)

keyword: str¶: A format string to match a keyword across all fields (e.g. “{}”)

list_separator: str¶: The string used to separate list items

not_format: str¶: A format string to construct a NOT expression (e.g. “not {}”)

or_format: str¶: A format string to construct an OR expression (e.g. “{} or {}”)

quote: str¶: The character used for literal escapes in strings

dumps(rule: List[sigma.schema.Rule], format: Optional[str] = None, pretty: bool = False, ignore_skip: bool = True) → str¶: The rule(s) to a string. In the case of a TextQuerySerializer, this is the same as dumping the rule(s) directly, with newlines separating

serialize(rule: sigma.schema.Rule, transform: bool = True) → str¶

Serialize the rule to a single text query

Parameters

rule (Rule) – a rule to be serialized
transform (bool) – whether to apply transformations (default: True)

Return type

str

Returns

the serialized rule

transforms: List[sigma.transform.Transformation]¶

sigma.serializer.get_builtin_serializers() → Generator[Tuple[str, str], None, None]¶: Iterate over built-in serializers. This method is a generator which yields a tuple of [name, description] for all built-in serializers.

sigma.serializer.get_serializer_class(name: str) → Type[sigma.serializer.Serializer]¶: Retrieve the class backing the given serializer

Submodules¶

sigma.serializer.elastic module

sigma.serializer package¶

Submodules¶

Table of Contents

Related Topics

This Page