Pass Backend Object to Postprocessing Pipeline #304

Closed (3 commits)

Conversation

@Mat0vu (Contributor) commented Nov 12, 2024

Hi everyone,

Following my pull request to add a postprocessing template for the siem_rule_ndjson format for the Elasticsearch backend (SigmaHQ/pySigma-backend-elasticsearch#94), I want to propose some minor changes here to enable the QueryTemplateTransformation to access variables that are managed by the backend directly. For this, the backend object is passed to the Jinja render functionality. I've seen on Discord that this functionality was also discussed there.

How to use the new functionality:
In a postprocessing pipeline using the QueryTemplateTransformation, variables managed by the backend can be accessed, for example, via {{ backend.variable1 }}.

One unit test was adjusted to check if the access is working correctly.

The backend object is handed over to all postprocessing transformations inside the apply function; however, currently only QueryTemplateTransformation uses the backend reference, whereas the other transformations do not, because I thought this might be the most common use case. Do you think that the other transformations should also implement some handling for this new reference?

Thank you for the great project and feel free to comment and edit :)

@thomaspatzke (Member) commented

Hi! In the last few days I've done exactly the opposite and removed the pipeline parameter from all conditions, transformations etc. 😉 The intention of this long-planned change was to make the apply methods' function signature more concise and to increase the code's efficiency by avoiding passing the same object all the way around. Furthermore, the change prevents switching pipelines while a conversion runs, which could cause inconsistent results. The new way to pass the pipeline is to do this once with the set_pipeline() method. It also ensures that the pipeline is only set once during the object's lifetime and raises an exception if this is done twice.

There are also already existing possibilities for this use case:

  1. The backend can inject anything into ProcessingPipeline.state including functions. From there, it is accessible from the template via the pipeline.state variable.
  2. Similarly, the backend can also set SigmaRuleBase.custom_attributes, which is accessible with rule.custom_attributes from the template.

Since there are already possibilities to implement the specific use case and the pull request conflicts with the recent refactoring, I reject the pull request. Sorry for that!
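The two routes named in the reply above (backend values in pipeline.state, backend values in rule.custom_attributes, both reached from the template, plus the set-once behaviour of set_pipeline()), as an added stand-in model. This is not pySigma code and is not from either participant: pySigma renders QueryTemplateTransformation with Jinja2, whereas the model below uses a deliberately restricted {{ a.b.c }} lookup from the standard library so it runs offline. The Backend class, the index_name and tenant variables, and the demo rule and query are constructed for the illustration; pipeline.state and rule.custom_attributes are the names the reply refers to. Callables in state, which the reply says are also possible, are not modelled.

```python
"""Stand-in model of the pipeline.state / rule.custom_attributes routes.

Added example, not pySigma code: the classes only imitate the shape of
pySigma's ProcessingPipeline, SigmaRuleBase and QueryTemplateTransformation
so the mechanism runs with the standard library alone (no Jinja2, no pySigma).
`Backend`, `index_name`, `tenant` and the demo rule/query are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


def resolve_path(context: Dict[str, Any], path: str) -> Any:
    """Follow a dotted path such as 'pipeline.state.index_name'.

    Only dict keys and public attributes are followed. Names starting with an
    underscore are refused, so a template can never reach __class__,
    __globals__ and similar attributes (the usual template-injection pivot).
    """
    current: Any = context
    for part in path.split("."):
        if part.startswith("_"):
            raise ValueError(f"refusing private attribute in template path: {path}")
        current = current[part] if isinstance(current, dict) else getattr(current, part)
    return current


def render(template: str, context: Dict[str, Any]) -> str:
    """Replace every {{ a.b.c }} placeholder with its looked-up value."""
    return PLACEHOLDER.sub(lambda m: str(resolve_path(context, m.group(1))), template)


@dataclass
class Rule:
    """Minimal stand-in for SigmaRuleBase: title plus custom_attributes."""
    title: str
    custom_attributes: Dict[str, Any] = field(default_factory=dict)


@dataclass
class ProcessingPipeline:
    """Minimal stand-in: state is a free-form dict the backend may fill."""
    state: Dict[str, Any] = field(default_factory=dict)


@dataclass
class QueryTemplateTransformation:
    template: str
    pipeline: Optional[ProcessingPipeline] = None

    def set_pipeline(self, pipeline: ProcessingPipeline) -> None:
        """Set once; a second call raises, mirroring the behaviour described above."""
        if self.pipeline is not None:
            raise RuntimeError("pipeline already set; it cannot be swapped mid-conversion")
        self.pipeline = pipeline

    def apply(self, rule: Rule, query: str) -> str:
        if self.pipeline is None:
            raise RuntimeError("set_pipeline() must be called before apply()")
        ctx = {"query": query, "rule": rule, "pipeline": self.pipeline}
        return render(self.template, ctx)


class Backend:
    """Hypothetical backend showing where the two injection points sit."""

    def __init__(self, index_name: str, postprocessing: QueryTemplateTransformation):
        self.pipeline = ProcessingPipeline()
        # Route 1: backend-managed variables go into pipeline.state ...
        self.pipeline.state["index_name"] = index_name
        self.postprocessing = postprocessing
        self.postprocessing.set_pipeline(self.pipeline)  # exactly once

    def convert(self, rule: Rule, query: str) -> str:
        # Route 2: ... or onto the rule itself via custom_attributes.
        rule.custom_attributes.setdefault("tenant", "soc")  # constructed value
        return self.postprocessing.apply(rule, query)


TEMPLATE = ("index={{ pipeline.state.index_name }} "
            "tenant={{ rule.custom_attributes.tenant }} "
            "query=({{ query }})")


def demo() -> str:
    backend = Backend("logs-windows", QueryTemplateTransformation(TEMPLATE))
    rule = Rule(title="Suspicious cmd.exe")  # constructed rule
    return backend.convert(rule, 'process.name:"cmd.exe"')  # constructed query


def set_pipeline_twice_raises() -> bool:
    t = QueryTemplateTransformation(TEMPLATE)
    t.set_pipeline(ProcessingPipeline())
    try:
        t.set_pipeline(ProcessingPipeline())
    except RuntimeError:
        return True
    return False


def private_path_is_refused() -> bool:
    try:
        render("{{ rule.__class__ }}", {"rule": Rule(title="x")})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The point of the restricted resolver is that anything a backend places in state or custom_attributes becomes reachable from templates, so the lookup should stay a plain dict/attribute walk and never evaluate expressions; Jinja2's sandboxed environment serves the same purpose in a real deployment.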
