From b048fec4a56e760508da95d07cb0dd70d06359fb Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sun, 6 Aug 2023 01:30:35 +0200
Subject: [PATCH] Query postprocessing and finalization

---
 .../{{ cookiecutter.backend_package_name }}.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/{{ cookiecutter.package_name }}/sigma/pipelines/{{ cookiecutter.backend_package_name }}/{{ cookiecutter.backend_package_name }}.py b/{{ cookiecutter.package_name }}/sigma/pipelines/{{ cookiecutter.backend_package_name }}/{{ cookiecutter.backend_package_name }}.py
index 6fb982f..4331366 100644
--- a/{{ cookiecutter.package_name }}/sigma/pipelines/{{ cookiecutter.backend_package_name }}/{{ cookiecutter.backend_package_name }}.py
+++ b/{{ cookiecutter.package_name }}/sigma/pipelines/{{ cookiecutter.backend_package_name }}/{{ cookiecutter.backend_package_name }}.py
@@ -1,7 +1,8 @@
 from sigma.pipelines.common import logsource_windows, windows_logsource_mapping
 from sigma.processing.transformations import AddConditionTransformation, FieldMappingTransformation, DetectionItemFailureTransformation, RuleFailureTransformation, SetStateTransformation
+from sigma.processing.postprocessing import EmbedQueryTransformation
 from sigma.processing.conditions import LogsourceCondition, IncludeFieldCondition, ExcludeFieldCondition, RuleProcessingItemAppliedCondition
-from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline
+from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline, QueryPostprocessingItem
 
 # TODO: the following code is just an example extend/adapt as required.
 # See https://sigmahq-pysigma.readthedocs.io/en/latest/Processing_Pipelines.html for further documentation.
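Review bot: `ConcatenateQueriesFinalizer` is used on the new `finalizers=[ConcatenateQueriesFinalizer()]` line in the second hunk but is never imported; this hunk only adds `EmbedQueryTransformation` and `QueryPostprocessingItem`, so every backend generated from the template will raise `NameError` as soon as its `..._pipeline()` function is called. Add `from sigma.processing.finalization import ConcatenateQueriesFinalizer` next to the new postprocessing import (that is the module pySigma ships it in as far as I recall — confirm against the pySigma version the template pins). Because the file is a cookiecutter template, the break only shows up in rendered projects rather than in this repository, so a template test that renders the project and imports/calls the pipeline function would catch this class of mistake. The `rule_conditions=[]` combined with `rule_condition_linking=any` in the second hunk is presumably meant as a placeholder; a short comment such as `# TODO: add rule conditions; with none listed the item's applicability depends on pySigma's handling of an empty condition list` would stop users from shipping it unchanged. The enclosing pipeline function starts outside both hunks.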
@@ -26,4 +27,14 @@ def {{ cookiecutter.backend_package_name }}_pipeline() -> ProcessingPipeline:
 })
 )
 ],
+ postprocessing_items=[
+ QueryPostprocessingItem(
+ transformation=EmbedQueryTransformation(prefix="...", suffix="..."),
+ rule_condition_linking=any,
+ rule_conditions=[
+ ],
+ identifier="example",
+ )
+ ],
+ finalizers=[ConcatenateQueriesFinalizer()],
 )
\ No newline at end of file