Pass Backend Object to Postprocessing Pipeline

sigma/processing/pipeline.py

@@ -235,7 +235,9 @@ def __post_init__(self):
                 )
 
     def apply(
-        self, pipeline: "ProcessingPipeline", rule: Union[SigmaRule, SigmaCorrelationRule]
+        self,
+        pipeline: "ProcessingPipeline",
+        rule: Union[SigmaRule, SigmaCorrelationRule],
     ) -> bool:
         """
         Matches condition against rule and performs transformation if condition is true or not present.
@@ -372,6 +374,7 @@ def apply(
         pipeline: "ProcessingPipeline",
         rule: Union[SigmaRule, SigmaCorrelationRule],
         query: str,
+        backend: "Backend" = None,
     ) -> Tuple[str, bool]:
         """
         Matches condition against rule and performs transformation of query if condition is true or not present.
@@ -380,7 +383,8 @@ def apply(
         if self.match_rule_conditions(
             pipeline, rule
         ):  # apply transformation if conditions match or no condition defined
-            result = self.transformation.apply(pipeline, rule, query)
+            # result = self.transformation.apply(pipeline, rule, query, backend)
+            result = self.transformation.apply(pipeline, rule, query, backend)
             return (result, True)
         else:  # just pass rule through
             return (query, False)
@@ -521,10 +525,12 @@ def apply(
                 self.applied_ids.add(itid)
         return rule
 
-    def postprocess_query(self, rule: Union[SigmaRule, SigmaCorrelationRule], query: Any) -> Any:
+    def postprocess_query(
+        self, rule: Union[SigmaRule, SigmaCorrelationRule], query: Any, backend: Any = None
+    ) -> Any:
         """Post-process queries with postprocessing_items."""
         for item in self.postprocessing_items:
-            query, applied = item.apply(self, rule, query)
+            query, applied = item.apply(self, rule, query, backend)
             if applied and (itid := item.identifier):
                 self.applied_ids.add(itid)
         return query

sigma/processing/postprocessing.py

@@ -21,7 +21,10 @@ class QueryPostprocessingTransformation(Transformation):
 
     @abstractmethod
     def apply(
-        self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: Any
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: SigmaRule,
+        query: Any,
     ) -> Any:
         """Applies post-processing transformation to arbitrary typed query.
 
@@ -49,7 +52,11 @@ def __post_init__(self):
         self.suffix = self.suffix or ""
 
     def apply(
-        self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: str
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: SigmaRule,
+        query: str,
+        backend: Any = None,
     ) -> str:
         super().apply(pipeline, rule, query)
         return self.prefix + query + self.suffix
@@ -71,7 +78,11 @@ class QuerySimpleTemplateTransformation(QueryPostprocessingTransformation):
     template: str
 
     def apply(
-        self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: str
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: SigmaRule,
+        query: str,
+        backend: Any = None,
     ) -> str:
         return self.template.format(
             query=query,
@@ -96,9 +107,13 @@ class QueryTemplateTransformation(QueryPostprocessingTransformation, TemplateBas
     """
 
     def apply(
-        self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: str
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: SigmaRule,
+        query: str,
+        backend: Any,
     ) -> str:
-        return self.j2template.render(query=query, rule=rule, pipeline=pipeline)
+        return self.j2template.render(query=query, rule=rule, pipeline=pipeline, backend=backend)
 
 
 @dataclass
@@ -124,7 +139,11 @@ def __post_init__(self):
         self.parsed_json = json.loads(self.json_template)
 
     def apply(
-        self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: str
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: SigmaRule,
+        query: str,
+        backend: Any = None,
     ):
         super().apply(pipeline, rule, query)
         return json.dumps(self._replace_placeholder(self.parsed_json, query))
@@ -141,7 +160,11 @@ def __post_init__(self):
         self.re = re.compile(self.pattern)
 
     def apply(
-        self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: str
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: SigmaRule,
+        query: str,
+        backend: Any = None,
     ):
         super().apply(pipeline, rule, query)
         return self.re.sub(self.replacement, query)
@@ -178,7 +201,11 @@ def from_dict(cls, d: Dict[str, Any]) -> "NestedQueryPostprocessingTransformatio
             )
 
     def apply(
-        self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", rule: SigmaRule, query: Any
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: SigmaRule,
+        query: Any,
+        backend: Any = None,
     ) -> Any:
         super().apply(pipeline, rule, query)
         query = self._nested_pipeline.postprocess_query(rule, query)

tests/test_postprocessing_transformations.py

@@ -11,6 +11,7 @@
 )
 from sigma.rule import SigmaRule
 from .test_processing_transformations import dummy_pipeline, sigma_rule
+from .test_backend_identifier import DummyBackend
 
 
 def test_embed_query_transformation(dummy_pipeline, sigma_rule):
@@ -50,15 +51,18 @@ def test_query_template_transformation(dummy_pipeline: ProcessingPipeline, sigma
 title = {{ rule.title }}
 query = {{ query }}
 state = {{ pipeline.state.test }}
+backend_id = {{ backend.identifier }}
     """
     )
     dummy_pipeline.state["test"] = "teststate"
+
     assert (
-        transformation.apply(dummy_pipeline, sigma_rule, 'field="value"')
+        transformation.apply(dummy_pipeline, sigma_rule, 'field="value"', DummyBackend)
         == """
 title = Test
 query = field="value"
 state = teststate
+backend_id = dummy
     """
     )