valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Structured backends module with comments

Browse Source
This commit is contained in:
Thomas Patzke 2017-05-26 23:42:49 +02:00
parent 998bb0079d
commit 6a29884615
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
tools/backends.py
View File

@ -17,6 +17,8 @@ def getBackend(name):
except KeyError as e:
raise LookupError("Backend not found") from e
### Generic base classes
class BaseBackend:
"""Base class for all backends"""
identifier = "base"
@ -77,6 +79,8 @@ class BaseBackend:
def generateAggregation(self, agg):
raise NotImplementedError("Aggregations not implemented for this backend")
### Backends for specific SIEMs
class ElasticsearchQuerystringBackend(BaseBackend):
"""Converts Sigma rule into Elasticsearch query string. Only searches, no aggregations."""
identifier = "es-qs"
@ -208,6 +212,8 @@ class SplunkBackend(BaseBackend):
else:
return " | stats %s(%s) as val by %s | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield, agg.groupfield, agg.cond_op, agg.condition)
### Backends for developement purposes
class FieldnameListBackend(BaseBackend):
"""List all fieldnames from given Sigma rules for creation of a field mapping configuration."""
identifier = "fieldlist"