diff --git a/README.md b/README.md index 004a471..b111137 100644 --- a/README.md +++ b/README.md @@ -354,87 +354,90 @@ Output: ### Available Backends -| Backend Option | Description | Associated Pipelines | Default Pipeline | -|-----------------|-------------|----------------------|-------------------| -| carbonblack | Carbon Black EDR | carbonblack
carbonblack_enterprise | carbonblack | -| cortexxdr | Palo Alto Cortex XDR | cortexxdr | cortexxdr | -| crowdstrike_splunk | Crowdstrike FDR Splunk Query | crowdstrike_fdr | crowdstrike_fdr | -| crowdstrike_logscale | Crowdstrike Logscale Query | crowdstrike_falcon | crowdstrike_falcon | -| elasticsearch | Elastic Elasticsearch SIEM | ecs_windows
ecs_kubernetes
ecs_windows_old
ecs_zeek_beats
ecs_zeek_corelight
zeek_raw | ecs_windows | -| insightidr | Rapid7 InsightIDR SIEM | insightidr | insightidr | -| loki | Grafana Loki LogQL SIEM | loki_grafana_logfmt
loki_promtail_sysmon
loki_okta_system_log | loki_grafana_logfmt | -| microsoft_xdr | Microsoft XDR Advanced Hunting Query (KQL) (Defender, Office365, etc) | microsoft_xdr | microsoft_xdr | -| microsoft_sentinel_asim | Microsoft Sentinel ASIM Query (KQL) | sentinel_asim | sentinel_asim | -| microsoft_azure_monitor | Microsoft Azure Monitor Query (KQL) | azure_monitor | azure_monitor | -| netwitness | Netwitness Query | netwitness_windows | netwitness_windows | -| opensearch | OpenSearch Lucene | ecs_windows
ecs_windows_old
ecs_zeek_beats
ecs_zeek_corelight
zeek_raw | ecs_windows | -| qradar | IBM QRadar | qradar_fields
qradar_payload | qradar_fields | -| sentinelone | SentinelOne EDR | sentinelone | sentinelone | -| splunk | Splunk SIEM | splunk_windows
splunk_wineventlog
splunk_windows_sysmon_acc
splunk_cim_dm | splunk_windows | -| sigma | Original YAML/JSON Sigma Rule Output | sigma_default | sigma_default | -| stix | STIX 2.0 & STIX Shifter Queries | stix_2_0
stix_shifter | stix_2_0 | +| Backend Option | Description | Associated Pipelines | Default Pipeline | +| ----------------------- | --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------- | +| carbonblack | Carbon Black EDR | carbonblack
carbonblack_enterprise | carbonblack | +| cortexxdr | Palo Alto Cortex XDR | cortexxdr | cortexxdr | +| crowdstrike_splunk | Crowdstrike FDR Splunk Query | crowdstrike_fdr | crowdstrike_fdr | +| crowdstrike_logscale | Crowdstrike Logscale Query | crowdstrike_falcon | crowdstrike_falcon | +| elasticsearch | Elastic Elasticsearch SIEM | ecs_windows
ecs_kubernetes
ecs_windows_old
ecs_zeek_beats
ecs_zeek_corelight
zeek_raw | ecs_windows | +| insightidr | Rapid7 InsightIDR SIEM | insightidr | insightidr | +| loki | Grafana Loki LogQL SIEM | loki_grafana_logfmt
loki_promtail_sysmon
loki_okta_system_log | loki_grafana_logfmt | +| microsoft_xdr | Microsoft XDR Advanced Hunting Query (KQL) (Defender, Office365, etc) | microsoft_xdr | microsoft_xdr | +| microsoft_sentinel_asim | Microsoft Sentinel ASIM Query (KQL) | sentinel_asim | sentinel_asim | +| microsoft_azure_monitor | Microsoft Azure Monitor Query (KQL) | azure_monitor | azure_monitor | +| netwitness | Netwitness Query | netwitness_windows | netwitness_windows | +| opensearch | OpenSearch Lucene | ecs_windows
ecs_windows_old
ecs_zeek_beats
ecs_zeek_corelight
zeek_raw | ecs_windows | +| qradar | IBM QRadar | qradar_fields
qradar_payload | qradar_fields | +| secops | Google SecOps (Chronicle) | secops_udm | secops_udm | +| sentinelone | SentinelOne EDR | sentinelone | sentinelone | +| splunk | Splunk SIEM | splunk_windows
splunk_wineventlog
splunk_windows_sysmon_acc
splunk_cim_dm | splunk_windows | +| sigma | Original YAML/JSON Sigma Rule Output | sigma_default | sigma_default | +| stix | STIX 2.0 & STIX Shifter Queries | stix_2_0
stix_shifter | stix_2_0 | ### Backend Output Formats -| Backend Option | Output Format Option | Description | -|-----------------|------------------------|-------------| -| carbonblack | default
json | Plain CarbonBlack queries
CarbonBlack JSON query | -| cortexxdr | default
json | Plain CortexXDR queries
json output format | -| crowdstrike_splunk | default | Plain SPL queries | -| crowdstrike_logscale | default | CrowdStrike LogScale queries | -| elasticsearch | default
kibana_ndjson
dsl_lucene
siem_rule
siem_rule_ndjson | Plain Elasticsearch Lucene queries
Kibana NDJSON import file with Lucene queries
Elasticsearch query DSL with embedded Lucene queries
Elasticsearch query DSL as SIEM Rules in JSON Format
Elasticsearch query DSL as SIEM Rules in NDJSON Format | -| insightidr | default
leql_advanced_search
leql_detection_definition | Simple log search query mode
Advanced Log Entry Query Language (LEQL) queries
LEQL format roughly matching the 'Rule Logic' tab in ABA detection rule definition | -| loki | default
ruler | Plain Loki queries
Loki 'ruler' output format for generating alerts | -| microsoft_xdr | default | Kusto Query Language search strings | -| microsoft_sentinel_asim | default | Kusto Query Language search strings | -| microsoft_azure_monitor | default | Kusto Query Language search strings | -| netwitness | default | Plain netwitness queries | -| opensearch | default
dashboards_ndjson
monitor_rule
dsl_lucene | Plain OpenSearch Lucene queries
OpenSearch Dashboards NDJSON import file with Lucene queries
OpenSearch monitor rule with embedded Lucene query
OpenSearch query DSL with embedded Lucene queries | -| qradar | default | Plain QRadar queries | -| sentinelone | default
json | Plaintext
JSON format | -| splunk | default
savedsearches
data_model
stanza | Plain SPL queries
Plain SPL in a savedsearches.conf file
Data model queries with tstats
Enterprise Security savedsearches.conf stanza | -| sigma | default
yaml
json | Default output format
Default Sigma Rule output format
JSON style Sigma Rule Output | -| stix | default | Plain stix queries | +| Backend Option | Output Format Option | Description | +| ----------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| carbonblack | default
json | Plain CarbonBlack queries
CarbonBlack JSON query | +| cortexxdr | default
json | Plain CortexXDR queries
json output format | +| crowdstrike_splunk | default | Plain SPL queries | +| crowdstrike_logscale | default | CrowdStrike LogScale queries | +| elasticsearch | default
kibana_ndjson
dsl_lucene
siem_rule
siem_rule_ndjson | Plain Elasticsearch Lucene queries
Kibana NDJSON import file with Lucene queries
Elasticsearch query DSL with embedded Lucene queries
Elasticsearch query DSL as SIEM Rules in JSON Format
Elasticsearch query DSL as SIEM Rules in NDJSON Format | +| insightidr | default
leql_advanced_search
leql_detection_definition | Simple log search query mode
Advanced Log Entry Query Language (LEQL) queries
LEQL format roughly matching the 'Rule Logic' tab in ABA detection rule definition | +| loki | default
ruler | Plain Loki queries
Loki 'ruler' output format for generating alerts | +| microsoft_xdr | default | Kusto Query Language search strings | +| microsoft_sentinel_asim | default | Kusto Query Language search strings | +| microsoft_azure_monitor | default | Kusto Query Language search strings | +| netwitness | default | Plain netwitness queries | +| opensearch | default
dashboards_ndjson
monitor_rule
dsl_lucene | Plain OpenSearch Lucene queries
OpenSearch Dashboards NDJSON import file with Lucene queries
OpenSearch monitor rule with embedded Lucene query
OpenSearch query DSL with embedded Lucene queries | +| qradar | default | Plain QRadar queries | +| secops | default
yara_l | Plain UDM queries
YARA-L 2.0 Detection Rules Output Format | +| sentinelone | default
json | Plaintext
JSON format | +| splunk | default
savedsearches
data_model
stanza | Plain SPL queries
Plain SPL in a savedsearches.conf file
Data model queries with tstats
Enterprise Security savedsearches.conf stanza | +| sigma | default
yaml
json | Default output format
Default Sigma Rule output format
JSON style Sigma Rule Output | +| stix | default | Plain stix queries | ## Pipelines ### Available Named Pipelines -| Pipeline Option | Description | Display Name | -|------------------|-------------|---------------| -| splunk_wineventlog | SigmAIQ Custom combined windows_audit and splunk_windows pipelines to convert Sysmon fields to Windows Event Log fields for Splunk searches | Splunk WinEventLog | -| carbonblack | Uses Carbon Black EDR field mappings | CB | -| cortexxdr | Uses Palo Alto Cortex XDR field mappings | Palo Alto Cortex XDR | -| carbonblack_enterprise | Uses Carbon Black Enterprise EDR field mappings | CB | -| crowdstrike_fdr | Crowdstrike FDR Splunk Mappings | CrowdStrike FDR SPL | -| crowdstrike_falcon | Crowdstrike Falcon Logscale Mappings | CrowdStrike Falcon Logscale | -| ecs_kubernetes | Elastic Common Schema (ECS) Kubernetes audit log mappings | ECS Kubernetes | -| ecs_windows | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7 | ECS Winlogbeat | -| ecs_windows_old | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6 | ESC Winlogbeat (<= v6.x) | -| ecs_zeek_beats | Elastic Common Schema (ECS) for Zeek using filebeat >= 7.6.1 | ECS Zeek (Elastic) | -| ecs_zeek_corelight | Elastic Common Schema (ECS) mapping from Corelight | ESC Zeek (Corelight) | -| zeek_raw | Zeek raw JSON field naming | Zeek Raw JSON | -| insightidr | InsightIDR Log Entry Query Language (LEQL) Transformations | InsightIDR LEQL | -| loki_grafana_logfmt | Converts field names to logfmt labels used by Grafana | Logfmt Labels | -| loki_promtail_sysmon | Parse and adjust field names for Windows sysmon data produced by promtail | WinSysmon Promtail | -| loki_okta_system_log | Parse the Okta System Log event json, adjusting field-names appropriately | Okta System Event | -| microsoft_xdr | Mappings for Sysmon -> XDR Advanced Hunting Query Table Schema | Microsoft XDR KustoQL | -| sentinel_asim | Mappings for Sysmon -> 
Sentinel ASIM Query Table Schema | Sentinel ASIM KustoQL | -| azure_monitor | Mappings for Sysmon -> Azure Monitor Query Table Schema | Azure Monitor KustoQL | -| netwitness_windows | Netwitness Windows log mappings | Netwitness Windows | -| qradar_fields | Supports only the Sigma fields in the Field Mapping | Sigma Fields | -| qradar_payload | Uses UTF8(payload) instead of fields unsupported by the Field Mapping. | UTF8(payload) (Non-Sigma Fields) | -| sigma_default | Empty ProcessingPipeline placeholder | Sigma | -| sentinelone | Mappings for SentinelOne Deep Visibility Queries | SentinelOne Deep Visibility | -| splunk_windows | Splunk Query, Windows Mappings | Splunk Query (Windows) | -| splunk_windows_sysmon_acc | Splunk Windows Sysmon search acceleration keywords | Splunk Query (Sysmon) | -| splunk_cim_dm | Splunk Datamodel Field Mappings | Splunk Datamodel Query | -| stix_2_0 | STIX 2.0 Mappings | STIX 2.0 | -| stix_shifter | STIX Shifter Mappings | STIX Shifter | -| windows_sysmon | Sysmon for Windows | Sysmon | -| windows_audit | Windows Event Logs | Windows Event Logs | -| windows_logsource | Windows Logs, General | Windows Logs, General | +| Pipeline Option | Description | Display Name | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| splunk_wineventlog | SigmAIQ Custom combined windows_audit and splunk_windows pipelines to convert Sysmon fields to Windows Event Log fields for Splunk searches | Splunk WinEventLog | +| carbonblack | Uses Carbon Black EDR field mappings | CB | +| cortexxdr | Uses Palo Alto Cortex XDR field mappings | Palo Alto Cortex XDR | +| carbonblack_enterprise | Uses Carbon Black Enterprise EDR field mappings | CB | +| crowdstrike_fdr | Crowdstrike FDR Splunk Mappings | CrowdStrike FDR SPL | +| crowdstrike_falcon | Crowdstrike Falcon Logscale Mappings | CrowdStrike Falcon 
Logscale | +| ecs_kubernetes | Elastic Common Schema (ECS) Kubernetes audit log mappings | ECS Kubernetes | +| ecs_windows | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7 | ECS Winlogbeat | +| ecs_windows_old | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6 | ESC Winlogbeat (<= v6.x) | +| ecs_zeek_beats | Elastic Common Schema (ECS) for Zeek using filebeat >= 7.6.1 | ECS Zeek (Elastic) | +| ecs_zeek_corelight | Elastic Common Schema (ECS) mapping from Corelight | ESC Zeek (Corelight) | +| zeek_raw | Zeek raw JSON field naming | Zeek Raw JSON | +| insightidr | InsightIDR Log Entry Query Language (LEQL) Transformations | InsightIDR LEQL | +| loki_grafana_logfmt | Converts field names to logfmt labels used by Grafana | Logfmt Labels | +| loki_promtail_sysmon | Parse and adjust field names for Windows sysmon data produced by promtail | WinSysmon Promtail | +| loki_okta_system_log | Parse the Okta System Log event json, adjusting field-names appropriately | Okta System Event | +| microsoft_xdr | Mappings for Sysmon -> XDR Advanced Hunting Query Table Schema | Microsoft XDR KustoQL | +| sentinel_asim | Mappings for Sysmon -> Sentinel ASIM Query Table Schema | Sentinel ASIM KustoQL | +| azure_monitor | Mappings for Sysmon -> Azure Monitor Query Table Schema | Azure Monitor KustoQL | +| netwitness_windows | Netwitness Windows log mappings | Netwitness Windows | +| qradar_fields | Supports only the Sigma fields in the Field Mapping | Sigma Fields | +| qradar_payload | Uses UTF8(payload) instead of fields unsupported by the Field Mapping. 
| UTF8(payload) (Non-Sigma Fields) | +| sigma_default | Empty ProcessingPipeline placeholder | Sigma | +| secops_udm | Mappings for Google SecOps (Chronicle) UDM | Google SecOps UDM | +| sentinelone | Mappings for SentinelOne Deep Visibility Queries | SentinelOne Deep Visibility | +| splunk_windows | Splunk Query, Windows Mappings | Splunk Query (Windows) | +| splunk_windows_sysmon_acc | Splunk Windows Sysmon search acceleration keywords | Splunk Query (Sysmon) | +| splunk_cim_dm | Splunk Datamodel Field Mappings | Splunk Datamodel Query | +| stix_2_0 | STIX 2.0 Mappings | STIX 2.0 | +| stix_shifter | STIX Shifter Mappings | STIX Shifter | +| windows_sysmon | Sysmon for Windows | Sysmon | +| windows_audit | Windows Event Logs | Windows Event Logs | +| windows_logsource | Windows Logs, General | Windows Logs, General | # Contributing diff --git a/sigmaiq/backends/secops/__init__.py b/sigmaiq/backends/secops/__init__.py new file mode 100644 index 0000000..a00d2f0 --- /dev/null +++ b/sigmaiq/backends/secops/__init__.py @@ -0,0 +1 @@ +from .secops import SigmAIQSecOpsBackend diff --git a/sigmaiq/backends/secops/secops.py b/sigmaiq/backends/secops/secops.py new file mode 100644 index 0000000..50a866d --- /dev/null +++ b/sigmaiq/backends/secops/secops.py @@ -0,0 +1,10 @@ +from sigma.backends.secops import SecOpsBackend +from sigmaiq.backends.sigmaiq_abstract_backend import AbstractGenericSigmAIQBackendClass + + +class SigmAIQSecOpsBackend(AbstractGenericSigmAIQBackendClass, SecOpsBackend): + """SigmAIQ backend interface for the pySigma SecOps Backend library to translate a SigmaRule object + to a SecOps query""" + + associated_pipelines = ["secops_udm"] + default_pipeline = "secops_udm" diff --git a/sigmaiq/sigmaiq_backend_factory.py b/sigmaiq/sigmaiq_backend_factory.py index a25a7ff..8f923bc 100644 --- a/sigmaiq/sigmaiq_backend_factory.py +++ b/sigmaiq/sigmaiq_backend_factory.py 
@@ -15,11 +15,12 @@ ) from sigmaiq.backends.elasticsearch import SigmAIQElasticsearchBackend from sigmaiq.backends.insightidr import SigmAIQInsightIDRBackend -from sigmaiq.backends.kusto import SigmAIQDefenderXDRBackend, SigmAIQSentinelASIMBackend, SigmAIQAzureMonitorBackend +from sigmaiq.backends.kusto import SigmAIQAzureMonitorBackend, SigmAIQDefenderXDRBackend, SigmAIQSentinelASIMBackend from sigmaiq.backends.loki import SigmAIQLokiBackend from sigmaiq.backends.netwitness import SigmAIQNetwitnessBackend from sigmaiq.backends.opensearch import SigmAIQOpensearchBackend from sigmaiq.backends.qradar import SigmAIQQRadarBackend +from sigmaiq.backends.secops import SigmAIQSecOpsBackend from sigmaiq.backends.sentinelone import SigmAIQSentinelOneBackend from sigmaiq.backends.sigma import SigmAIQSigmaBackend @@ -47,6 +48,7 @@ "netwitness": "Netwitness Query", "opensearch": "OpenSearch Lucene", "qradar": "IBM QRadar", + "secops": "Google SecOps (Chronicle)", "sentinelone": "SentinelOne EDR", "splunk": "Splunk SIEM", "sigma": "Original YAML/JSON Sigma Rule Output", @@ -61,7 +63,7 @@ class SigmAIQBackend: """ def __init__( - self, backend: str, processing_pipeline: Union[str, list, ProcessingPipeline] = None, output_format: str = None + self, backend: str, processing_pipeline: Optional[Union[str, list, ProcessingPipeline]] = None, output_format: Optional[str] = None ): """Initialize instance attributes. 
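Review bot: The new `__init__` signature in the `@@ -61,7 +63,7 @@` hunk references `Optional`, but no hunk in sigmaiq_backend_factory.py touches its `typing` import — only sigmaiq_pipeline_factory.py's `from typing import ...` line gains `Optional` in this commit. The visible import hunk here starts at a closing `)` of a parenthesised import whose opening line is outside the diff, so I can't confirm `Optional` is already in scope; if it isn't, the module raises `NameError` at import and every backend, not just secops, becomes unusable. Please verify, and if missing either add `Optional` to that `from typing import (...)` block or switch the annotation to the PEP 604 form `processing_pipeline: Union[str, list, ProcessingPipeline] | None = None` under `from __future__ import annotations`. The `__init__` body continues past the end of this hunk.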
@@ -133,15 +135,17 @@ def create_backend(self) -> AbstractGenericSigmAIQBackendClass: # QRadar Backend if self.backend == "qradar": return SigmAIQQRadarBackend(**kwargs) + # SecOps Backend + if self.backend == "secops": + return SigmAIQSecOpsBackend(**kwargs) # SentinelOne if self.backend == "sentinelone": return SigmAIQSentinelOneBackend(**kwargs) # Splunk Backend if self.backend == "splunk": if kwargs["output_format"] == "data_model": - kwargs["processing_pipeline"] = SigmAIQPipelineResolver( - ["splunk_cim_dm", kwargs.get("processing_pipeline")] - ).process_pipelines() + pipelines = [p for p in ["splunk_cim_dm", kwargs.get("processing_pipeline")] if p is not None] + kwargs["processing_pipeline"] = SigmAIQPipelineResolver(pipelines).process_pipelines() return SigmAIQSplunkBackend(**kwargs) # Raw sigma output if self.backend == "sigma": diff --git a/sigmaiq/sigmaiq_pipeline_factory.py b/sigmaiq/sigmaiq_pipeline_factory.py index 526284e..c8bc222 100644 --- a/sigmaiq/sigmaiq_pipeline_factory.py +++ b/sigmaiq/sigmaiq_pipeline_factory.py @@ -1,4 +1,4 @@ -from typing import Dict, Union, Callable, List +from typing import Dict, Optional, Union, Callable, List from uuid import uuid4 from sigmaiq.exceptions import InvalidCustomFieldMapping, InvalidSigmAIQPipeline @@ -50,6 +50,9 @@ ## QRadar from sigma.pipelines.QRadarAQL import QRadarAQL_fields_pipeline, QRadarAQL_payload_pipeline +## SecOps +from sigma.pipelines.secops import secops_udm_pipeline + ## SentinelOne from sigma.pipelines.sentinelone import sentinelone_pipeline @@ -200,6 +203,12 @@ "pipeline": ProcessingPipeline(name="Sigma Placeholder"), "display_name": "Sigma", }, + # SecOps + "secops_udm": { + "description": "Mappings for Google SecOps (Chronicle) UDM", + "pipeline": secops_udm_pipeline(), + "display_name": "Google SecOps UDM", + }, # SentinelOne "sentinelone": { "description": "Mappings for SentinelOne Deep Visibility Queries", 
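Review bot: The rewritten `data_model` branch in `create_backend` still nests the caller's pipeline when it is a list: `SigmAIQBackend.__init__` accepts `processing_pipeline: Union[str, list, ProcessingPipeline]`, so `["splunk_cim_dm", kwargs.get("processing_pipeline")]` becomes `["splunk_cim_dm", [...]]`, and the resolver hands that inner list to `SigmAIQPipeline`, whose signature (`Union[str, ProcessingPipeline, Callable]`) does not list `list`. The `None` filter fixes one crash but leaves that path; flattening would cover both: `extra = kwargs.get("processing_pipeline")`, `extra = extra if isinstance(extra, (list, set)) else [extra]`, `pipelines = ["splunk_cim_dm", *(p for p in extra if p is not None)]`. I can't see how `SigmAIQPipelineResolver.process_pipelines` handles nested lists from here, so treat this as something to confirm. `create_backend` starts before and ends after this hunk.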
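Review bot: The new `secops_udm` entry calls `secops_udm_pipeline()` at module import, and the `@@ -50,6 +50,9 @@` hunk adds an unconditional `from sigma.pipelines.secops import secops_udm_pipeline` (with a matching `sigma.backends.secops` import in the new backend module), so `import sigmaiq` now fails outright in any environment lacking the pySigma SecOps backend distribution. This diff shows no change to the dependency manifest (pyproject/requirements), so if that package isn't already declared and pinned alongside the other pySigma backends, please add it with the same version constraints the project uses for them; import-time execution of third-party pipeline code is exactly where an unpinned dependency bites. If the intent is to make SecOps optional, wrap the import in `try: ... except ImportError:` and omit the entry rather than breaking every backend.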
@@ -256,7 +265,7 @@ class SigmAIQPipeline: """ - def __init__(self, processing_pipeline: Union[str, ProcessingPipeline, Callable] = None): + def __init__(self, processing_pipeline: Optional[Union[str, ProcessingPipeline, Callable]] = None): """Initialize the class to create a ProcessingPipeline :param processing_pipeline: Specifies the desired pipeline to create. This can be one of three types: @@ -411,7 +420,7 @@ def _setup(processing_pipelines): raise TypeError(f"processing_pipelines is not of type list or set: type is {type(processing_pipelines)}") raise ValueError("processing_pipelines is empty or None, please provide valid values to processing_pipelines") - def process_pipelines(self, name: str = None) -> ProcessingPipeline: + def process_pipelines(self, name: Optional[str] = None) -> ProcessingPipeline: """Consolidates processing_pipelines with a resolver by creating a ProcessingPipeline via SigmAIQPipeline for each item in the processing_pipelines list. An optional name can be passed to the method; if present, the final resolved singular ProcessingPipeline will be given this name. Otherwise,