Backends

Backends are responsible for conversion of Sigma rules into a target query languages. Mainly, they have to convert the conditions of the Sigma rules with their reference to detection items into equivalent query. Backends should not be used to handle log source types or data models, e.g. field naming or differences in value representation. Use :Processing Pipelines instead.

To implement a conversion for a new query language derive an appropriate backend base class from below and override properties or methods as required.

Use the Cookiecutter template to start a new backend.

Conventions

• Always implement the default output format in a way that the user does get some directly actionable output if she/he doesn’t explicitely chooses a format.

• Don’t do any concatenation of simple queries in the basic default format, the CLI or other tools will take care of this.

• Use backend specific options to control behavior of the backend. Backend options are provided as additional keyword arguments to the __init__ constructor of a backend. They can be passed to the CLI with the -O` option. Numbers are automatically converted to int type. If a backend option is specified multiple times in the CLI, all values are passed as arrays.

• Don’t print any output to the console or create files from the backend. Return text output as string or file output as bytes. The tools using your backend will take care of the proper handling of the result.

Concepts

Conversion Methods

Builtin Processing Pipeline

Output Formats

Rule Finalization

Output Finalization

Classes

Backend

The backend base class is generic and can generate arbitrary output, e.g. Python data structures.

TextQueryBackend

Backend base class for conversion to text based query languages. In many cases the methods doesn’t have to be overridden but string tokens have to be defined as class variable members (tbd).