{"id":21158187,"url":"https://github.com/attackiq/pysigma-backend-secops","last_synced_at":"2025-09-05T21:40:41.808Z","repository":{"id":258180043,"uuid":"873038702","full_name":"AttackIQ/pySigma-backend-secops","owner":"AttackIQ","description":"pySigma-backend-secops","archived":false,"fork":false,"pushed_at":"2024-11-06T20:43:42.000Z","size":156,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-08-24T20:42:46.007Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AttackIQ.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-15T13:54:51.000Z","updated_at":"2025-03-25T16:20:43.000Z","dependencies_parsed_at":"2024-10-23T21:41:45.688Z","dependency_job_id":"28592317-4e78-4dd5-9002-eabe692888c0","html_url":"https://github.com/AttackIQ/pySigma-backend-secops","commit_stats":null,"previous_names":["attackiq/pysigma-backend-secops"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/AttackIQ/pySigma-backend-secops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FpySigma-backend-secops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FpySigma-backend-secops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FpySigma-backend-secops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FpySigma-ba
ckend-secops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AttackIQ","download_url":"https://codeload.github.com/AttackIQ/pySigma-backend-secops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AttackIQ%2FpySigma-backend-secops/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273826614,"owners_count":25175232,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-05T02:00:09.113Z","response_time":402,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-20T12:17:53.473Z","updated_at":"2025-09-05T21:40:41.782Z","avatar_url":"https://github.com/AttackIQ.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pySigma Google SecOps (Chronicle) Backend (Beta)\n\n![Tests](https://github.com/AttackIQ/pySigma-backend-secops/actions/workflows/test.yml/badge.svg)\n![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/slincoln-aiq/f9db5eaebc0a30cde8045bea889df922/raw/slincoln-aiq-pySigma-backend-secops.json)\n![Status](https://img.shields.io/badge/Status-pre--release-orange)\n![PyPI version](https://badge.fury.io/py/pysigma-backend-secops.svg)\n![Python versions](https://img.shields.io/pypi/pyversions/pysigma-backend-secops.svg)\n![pySigma 
version](https://img.shields.io/badge/pySigma-%3E%3D0.11.17-blue)\n![License](https://img.shields.io/github/license/AttackIQ/pySigma-backend-secops.svg)\n\n## Contents\n\n- [pySigma Google SecOps (Chronicle) Backend (Beta)](#pysigma-google-secops-chronicle-backend-beta)\n  - [📖 Overview](#-overview)\n  - [🚀 Quick Start](#-quick-start)\n  - [🛠️ Advanced Features](#️-advanced-features)\n  - [Development Status](#development-status)\n  - [🚀 Latest Features](#-latest-features)\n  - [🔧 Processing Pipelines](#-processing-pipelines)\n  - [📤 Output Formats](#-output-formats)\n  - [🗺️ Field Mappings](#️-field-mappings)\n  - [🤝 Contributing](#-contributing)\n  - [📄 License](#-license)\n\n\n## 📖 Overview\n\nThe **pySigma SecOps Backend** transforms Sigma Rules into UDM queries and YARA-L 2.0 for Google SecOps, formerly Chronicle.\n\n### 🔑 Key Features\n\n- **Backend**: `sigma.backends.secops` with `SecOpsBackend` class\n- **Pipelines**: Provides `secops_udm_pipeline` for query tables and field renames\n- **Output**: Query strings in Google SecOps UDM (Unified Data Model) format and YARA-L 2.0 Detection Rules format\n\n**This backend is currently in development and not yet complete.**\n\n### 🧑‍💻 Maintainer\n\n- [Stephen Lincoln](https://github.com/slincoln-aiq) via [AttackIQ](https://github.com/AttackIQ)\n\n## 🚀 Quick Start\n\n1. Install the package:\n\n   ```bash\n   pip install pysigma-backend-secops\n   ```\n\n   \u003e **Note:** This package requires `pySigma` version 0.11.17 or higher.\n\n2. Convert a Sigma rule to Google SecOps UDM query using sigma-cli:\n\n   ```bash\n   sigma convert -t secops -p secops_udm path/to/your/rule.yml\n   ```\n\n3. 
Or use in a Python script:\n\n   ```python\n   from sigma.rule import SigmaRule\n\n   from sigma.backends.secops import SecOpsBackend\n   from sigma.pipelines.secops import secops_udm_pipeline\n\n   # Load your Sigma rule\n   rule = SigmaRule.from_yaml(\n      \"\"\"\n      title: Mimikatz CommandLine\n      status: test\n      logsource:\n            category: process_creation\n            product: windows\n      detection:\n            sel:\n               CommandLine|contains: mimikatz.exe\n            condition: sel\n      \"\"\"\n   )\n\n   # Convert the rule\n   udm_pipeline = secops_udm_pipeline()\n   backend = SecOpsBackend(processing_pipeline=udm_pipeline)\n   print(backend.convert_rule(rule)[0])\n\n   ```\n\n### 🖥️ sigma-cli\n\nUse with `sigma-cli` per [typical sigma-cli usage](https://github.com/SigmaHQ/sigma-cli#usage):\n\n```bash\nsigma convert -t secops -p secops_udm -f default -s ~/sigma/rules\n```\n\n### 🐍 Python Script\n\nUse the backend and pipeline in a standalone Python script. 
Note, the backend automatically applies the pipeline, but\nyou can manually add it if you would like.\n\n```python\nfrom sigma.rule import SigmaRule\nfrom sigma.backends.secops import SecOpsBackend\nfrom sigma.pipelines.secops import secops_udm_pipeline\n\n# Define an example rule as a YAML str\nsigma_rule = SigmaRule.from_yaml(\"\"\"\n  title: Mimikatz CommandLine\n  status: test\n  logsource:\n      category: process_creation\n      product: windows\n  detection:\n      sel:\n          CommandLine|contains: mimikatz.exe\n      condition: sel\n\"\"\")\n# Create backend, which automatically adds the pipeline\nsecops_backend = SecOpsBackend()\n\n# Or apply the pipeline manually\npipeline = secops_udm_pipeline()\npipeline.apply(sigma_rule)\n\n# Convert the rule\nprint(sigma_rule.title + \" UDM Query: \\n\")\nprint(secops_backend.convert_rule(sigma_rule)[0])\n\n# Or convert to YARA-L 2.0\nprint(sigma_rule.title + \" YARA-L 2.0 Query: \\n\")\nprint(secops_backend.convert_rule(sigma_rule, output_format=\"yara_l\")[0])\n```\n\nOutput:\n\n```text\nMimikatz CommandLine UDM Query:\n\n(metadata.event_type = \"PROCESS_LAUNCH\") AND (target.process.command_line = /.*mimikatz.exe.*/ nocase)\n\nMimikatz CommandLine YARA-L 2.0 Query:\n\nrule mimikatz_commandline {\n  meta:\n    id = \"None\"\n    title = \"Mimikatz CommandLine\"\n    description = \"None\"\n    author = \"None\"\n    reference = \"\"\n    date = \"None\"\n    tags = \"\"\n    severity = \"None\"\n    falsepositives = \"Unknown\" \n\n  events:\n    $event1.metadata.event_type = \"PROCESS_LAUNCH\"\n    $event1.target.process.command_line = /.*mimikatz.exe.*/ nocase\n    \n  conditions: \n    $event1\n}\n```\n\n## 🛠️ Advanced Features\n\n### 🔄 Pipeline Args\n\n- `prepend_metadata`: Prepends `(metadata.event_type = \u003cevent_type\u003e) AND` to the query\n    - Defaults to `True`\n    - When `True` will prepend `(metadata.event_type = \u003cevent_type\u003e) AND` to the query\n    - When False, the 
`metadata.event_type` field/values will be excluded from the query\n\n### Event Type and Field Mapping Determination (New in 0.2.0)\n\n- Improved event type determination logic in `determine_event_type` function\n- Now considers logsource category, product, and service values to determine the event type\n- If no event type can be determined via logsource, the EventID field (if present in a selection) will be used to determine the event type\n- Field mappings are determined based on the event type discovered for the rule.\n- Common field mappings are applied automatically after event type mappings\n\n## Development Status\n\nThis backend is currently under development. The following features are planned or in progress:\n\n* [X] Customize backend to use regex for contains, startswith, endswith, etc.\n* [X] Implement `nocase` for case insensitive matching in backend\n* [X] Imply rule `event_type` using more robust category, service, product matching, and from EventID/EventCodes to determine appropriate field mappings\n* [X] Pipeline testing\n* [X] Backend testing\n* [X] Confirm current field mapping and add more mappings for rule coverage\n* [X] Add YARA-L v2.0 output format/converter in backend\n* [ ] Add more robust field mapping logic\n* [ ] Add $selection and $filter variables to YARA-L condition, and break out events into multiple lines based on $selection and $filter detection items for better readability\n\n## 🚀 Latest Features\n\n### Event Type Determination (New in v0.0.3)\n- Improved event type determination logic in `determine_event_type` function\n- Now considers both category and specific fields in the rule to accurately set the event type\n- Supports various event types including process, network, file, authentication, and registry events\n\n### Field Mapping Enhancements\n- Introduced new field mappings for different event types\n- Added separate mapping functions for common, process, network, file, authentication, and registry fields\n- Improved 
flexibility and accuracy in field translations\n\n### UDM Schema Validation\n- Implemented `is_valid_udm_field` function to validate fields against the UDM schema\n- Ensures that all mapped fields conform to the Universal Data Model (UDM) standard\n\n### Pipeline Simplification\n- Removed unnecessary transformations and postprocessing items\n- Streamlined the pipeline to focus on core functionality\n\n### Improved Error Handling\n- Added `InvalidUDMFieldError` for better error reporting when encountering invalid UDM fields\n\n### Code Optimization\n- Refactored and optimized various utility functions\n- Improved overall code structure and readability\n\n### Testing Improvements\n- Updated and expanded test cases to cover new functionality\n- Enhanced test coverage for field mappings and UDM validation\n\nThese new features and improvements enhance the backend's ability to accurately convert Sigma rules to UDM-compliant queries, with better event type determination and more precise field mappings.\n\n## 🔧 Processing Pipelines\n\nThe backend provides the following processing pipeline in `sigma.pipelines.secops`:\n\n* `secops_udm_pipeline`: Converts Sigma rules into Google SecOps UDM (Unified Data Model) compatible format.\n\nThis pipeline performs the following transformations:\n\n1. Determines the appropriate event type based on rule categories and fields\n2. Maps Sigma field names to their UDM equivalents\n3. Validates mapped fields against the UDM schema\n4. Applies necessary transformations for UDM compatibility\n5. 
Prepends `(metadata.event_type = \u003cevent_type\u003e) AND` to the query if `prepend_metadata` is `True`\n\n## 📤 Output Formats\n\nThe SecOps backend supports the following output formats:\n\n* `default`: Plain Google SecOps UDM queries\n* `yara_l`: YARA-L v2.0 output format (In Beta)\n\n## 🗺️ Field Mappings\n\nThe backend includes comprehensive field mappings for various event types:\n\n* Common fields (applicable to all event types, includes grouped fields)\n* Process event fields\n* Network event fields\n* File event fields\n* Authentication event fields\n* Registry event fields\n* DNS event fields\n\nThese mappings ensure that Sigma rule fields are correctly translated to their UDM counterparts.\n\n## 🤝 Contributing\n\nContributions to this backend are welcome. Please ensure your contributions align with the overall design of pySigma. Here are some ways you can contribute:\n\n* Adding support for new event types\n* Expanding field mappings\n* Improving UDM schema validation\n* Enhancing the YARA-L output format\n* Writing additional tests\n\n## 📄 License\n\nThis project is licensed under the LGPLv3 license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fattackiq%2Fpysigma-backend-secops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fattackiq%2Fpysigma-backend-secops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fattackiq%2Fpysigma-backend-secops/lists"}