From 951f26114416b6923c8f8c68faa53009d3f43c1a Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sat, 9 Apr 2022 01:07:15 +0200
Subject: [PATCH] Updated to pySigma 0.5.0

---
 poetry.lock | 8 +++----
 pyproject.toml | 4 ++--
 tests/test_processing_pipelines_sysmon.py | 28 +++++++++++------------
 3 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index ee28fc3..20e39ff 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -201,7 +201,7 @@ diagrams = ["jinja2", "railroad-diagrams"]
 [[package]]
 name = "pysigma"
-version = "0.4.2"
+version = "0.5.0"
 description = "Sigma rule processing and conversion tools"
 category = "main"
 optional = false
@@ -315,7 +315,7 @@ python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7"
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.8"
-content-hash = "f8d29fe351990fa6d8f968657534fcc1d4c5f833894232350b66bd5de672a98c"
+content-hash = "81391944fbaae6d44d3cbdfe24aaa4ede2ed087647ef2d323594cb31cc5016d4"
 [metadata.files]
 astroid = [
@@ -486,8 +486,8 @@ pyparsing = [
 {file = "pyparsing-3.0.7.tar.gz", hash = "sha256:18ee9022775d270c55187733956460083db60b37d0d0fb357445f3094eed3eea"},
 ]
 pysigma = [
- {file = "pySigma-0.4.2-py3-none-any.whl", hash = "sha256:fa52287ff039381374d8fb472a15d3f3e2e12afd18da1cf124e77616b2dd77e7"},
- {file = "pySigma-0.4.2.tar.gz", hash = "sha256:0f0ac512ea8934491c1fa10b188ea4b2b57d9080f540ce0210889b778a8d95a9"},
+ {file = "pySigma-0.5.0-py3-none-any.whl", hash = "sha256:1311a83e3a8bc32791bac4faad9e0204636eb4874ee392918f7c0ab903bdc487"},
+ {file = "pySigma-0.5.0.tar.gz", hash = "sha256:b77e26fc32a05fbfa7d7e40b536d0be799fa642dc971e0e49b3b781f52e33ffc"},
 ]
 pytest = [
 {file = "pytest-6.2.5-py3-none-any.whl", hash = "sha256:7310f8d27bc79ced999e760ca304d69f6ba6c6649c0b60fb0e04a4a77cacc134"},
diff --git a/pyproject.toml b/pyproject.toml
index fe754cf..302b466 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-pipeline-sysmon"
-version = "0.1.3"
+version = "0.1.4"
 description = "pySigma Sysmon processing pipelines"
 authors = ["Thomas Patzke "]
 license = "LGPL-2.1-only"
@@ -10,7 +10,7 @@ packages = [
 [tool.poetry.dependencies]
 python = "^3.8"
-pysigma = "^0.4.0"
+pysigma = "^0.5.0"
 [tool.poetry.dev-dependencies]
 pytest = "^6.2.2"
diff --git a/tests/test_processing_pipelines_sysmon.py b/tests/test_processing_pipelines_sysmon.py
index e78ac62..0ae6c5a 100644
--- a/tests/test_processing_pipelines_sysmon.py
+++ b/tests/test_processing_pipelines_sysmon.py
@@ -138,7 +138,7 @@ def process_access_sigma_rule():
 TargetImage: test.exe
 condition: sel
 """)
-
+
 @pytest.fixture
 def file_event_sigma_rule():
 return SigmaCollection.from_yaml("""
@@ -166,7 +166,7 @@ def registry_event_sigma_rule():
 Image: test.exe
 condition: sel
 """)
-
+
 @pytest.fixture
 def registry_add_sigma_rule():
 return SigmaCollection.from_yaml("""
@@ -208,7 +208,7 @@ def registry_set_sigma_rule():
 Image: test.exe
 condition: sel
 """)
-
+
 @pytest.fixture
 def registry_rename_sigma_rule():
 return SigmaCollection.from_yaml("""
@@ -222,7 +222,7 @@ def registry_rename_sigma_rule():
 Image: test.exe
 condition: sel
 """)
-
+
 @pytest.fixture
 def create_stream_hash_sigma_rule():
 return SigmaCollection.from_yaml("""
@@ -236,7 +236,7 @@ def create_stream_hash_sigma_rule():
 Image: test.exe
 condition: sel
 """)
-
+
 @pytest.fixture
 def dns_query_sigma_rule():
 return SigmaCollection.from_yaml("""
@@ -263,7 +263,7 @@ def clipboard_capture_sigma_rule():
 sel:
 Image: test.exe
 condition: sel
- """)
+ """)
 @pytest.fixture
 def process_tampering_sigma_rule():
@@ -291,7 +291,7 @@ def sysmon_error_sigma_rule():
 sel:
 Description: a error is here
 condition: sel
- """)
+ """)
 def test_sysmon_process_creation(process_creation_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
@@ -311,15 +311,15 @@ def test_sysmon_process_termination(process_termination_sigma_rule):
 def test_sysmon_driver_load(driver_load_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
- assert backend.convert(driver_load_sigma_rule) == ["EventID=6 and ImageLoaded=\"test.exe\""]
+ assert backend.convert(driver_load_sigma_rule) == ["EventID=6 and ImageLoaded=\"test.exe\""]
 def test_sysmon_image_load(image_load_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
- assert backend.convert(image_load_sigma_rule) == ["EventID=7 and ImageLoaded=\"test.exe\""]
+ assert backend.convert(image_load_sigma_rule) == ["EventID=7 and ImageLoaded=\"test.exe\""]
 def test_sysmon_create_remote_thread(create_remote_thread_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
- assert backend.convert(create_remote_thread_sigma_rule) == ["EventID=8 and SourceImage=\"test.exe\""]
+ assert backend.convert(create_remote_thread_sigma_rule) == ["EventID=8 and SourceImage=\"test.exe\""]
 def test_sysmon_raw_access_thread(raw_access_thread_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
@@ -335,7 +335,7 @@ def test_sysmon_file_event(file_event_sigma_rule):
 def test_sysmon_registry_event(registry_event_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
- assert backend.convert(registry_event_sigma_rule) == ["EventID in (12, 13, 14) and Image=\"test.exe\""]
+ assert backend.convert(registry_event_sigma_rule) == ["(EventID in (12, 13, 14)) and Image=\"test.exe\""]
 def test_sysmon_registry_add(registry_add_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
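Review bot: The only substantive change in the test file is the new expected string in `test_sysmon_registry_event`, which differs from the old one solely by the parentheses around `EventID in (12, 13, 14)`, and nothing in the hunk records that this is a renderer change rather than a change to the 12/13/14 mapping. The assertion compares against the full query string rendered by `TextQueryTestBackend`, so it presumably breaks on every formatting change in pySigma even when the pipeline's category-to-EventID transformation is untouched. A one-line comment above the assert would save the next maintainer that investigation, e.g. `# pySigma 0.5.0 renders the multi-value EventID clause in parentheses; the 12/13/14 mapping is unchanged`. The remaining hunks in this file appear to be whitespace-only and need nothing.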
@@ -363,12 +363,12 @@ def test_sysmon_dns_query(dns_query_sigma_rule):
 def test_sysmon_clipboard_capture(clipboard_capture_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
- assert backend.convert(clipboard_capture_sigma_rule) == ["EventID=24 and Image=\"test.exe\""]
+ assert backend.convert(clipboard_capture_sigma_rule) == ["EventID=24 and Image=\"test.exe\""]
 def test_sysmon_process_tampering(process_tampering_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
- assert backend.convert(process_tampering_sigma_rule) == ["EventID=25 and Image=\"test.exe\""]
-
+ assert backend.convert(process_tampering_sigma_rule) == ["EventID=25 and Image=\"test.exe\""]
+
 def test_sysmon_sysmon_error(sysmon_error_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
 assert backend.convert(sysmon_error_sigma_rule) == ["EventID=255 and Description=\"a error is here\""]