Merge pull request #31 from frack113/Updat_dependencies

build: 📦 Update dependencies version

Author: thomaspatzke

.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# Reformatting with black
+cc2e353b04c86a26b0bab1fea3b9ddff6a1568fa

.pre-commit-config.yaml

@@ -1,5 +1,5 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 23.3.0
+    rev: 24.1.1
     hooks:
       - id: black

poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-backend-splunk"
-version = "1.0.3"
+version = "1.0.4"
 description = "pySigma Splunk backend"
 readme = "README.md"
 authors = ["Thomas Patzke <[email protected]>"]
@@ -15,10 +15,12 @@ python = "^3.8"
 pysigma = "^0.11.0"
 
 [tool.poetry.dev-dependencies]
-pytest = "^6.2.2"
-pytest-cov = "^2.11.1"
-defusedxml = "^0.7.1"
+black = "^24.1"
+pre-commit = "^3.5"
+pytest = "^8.0"
+pytest-cov = "^4.1"
+defusedxml = "^0.7"
 
 [build-system]
-requires = ["poetry-core>=1.0.0"]
+requires = ["poetry-core>=1.8.1"]
 build-backend = "poetry.core.masonry.api"

pyproject.toml

@@ -2,4 +2,4 @@
 
 backends = {
     "splunk": SplunkBackend,
-}
+}

sigma/backends/splunk/__init__.py

@@ -42,19 +42,19 @@ class SplunkDeferredCIDRExpression(DeferredTextQueryExpression):
 class SplunkBackend(TextQueryBackend):
     """Splunk SPL backend."""
 
-    name: ClassVar[
-        str
-    ] = "Splunk SPL & tstats data model queries"  # A descriptive name of the backend
-    formats: ClassVar[
-        Dict[str, str]
-    ] = {  # Output formats provided by the backend as name -> description mapping. The name should match to finalize_output_<name>.
-        "default": "Plain SPL queries",
-        "savedsearches": "Plain SPL in a savedsearches.conf file",
-        "data_model": "Data model queries with tstats",
-    }
-    requires_pipeline: ClassVar[
-        bool
-    ] = True  # Does the backend requires that a processing pipeline is provided?
+    name: ClassVar[str] = (
+        "Splunk SPL & tstats data model queries"  # A descriptive name of the backend
+    )
+    formats: ClassVar[Dict[str, str]] = (
+        {  # Output formats provided by the backend as name -> description mapping. The name should match to finalize_output_<name>.
+            "default": "Plain SPL queries",
+            "savedsearches": "Plain SPL in a savedsearches.conf file",
+            "data_model": "Data model queries with tstats",
+        }
+    )
+    requires_pipeline: ClassVar[bool] = (
+        True  # Does the backend requires that a processing pipeline is provided?
+    )
 
     precedence: ClassVar[Tuple[ConditionItem, ConditionItem, ConditionItem]] = (
         ConditionNOT,

sigma/backends/splunk/splunk.py

@@ -1,7 +1,11 @@
-from .splunk import splunk_windows_pipeline, splunk_windows_sysmon_acceleration_keywords, splunk_cim_data_model
+from .splunk import (
+    splunk_windows_pipeline,
+    splunk_windows_sysmon_acceleration_keywords,
+    splunk_cim_data_model,
+)
 
 pipelines = {
     "splunk_windows": splunk_windows_pipeline,
     "splunk_sysmon_acceleration": splunk_windows_sysmon_acceleration_keywords,
     "splunk_cim": splunk_cim_data_model,
-}
+}

sigma/pipelines/splunk/__init__.py

@@ -1,20 +1,31 @@
-from sigma.pipelines.common import \
-    logsource_windows, \
-    logsource_windows_process_creation, \
-    logsource_windows_registry_add, \
-    logsource_windows_registry_delete, \
-    logsource_windows_registry_event, \
-    logsource_windows_registry_set, \
-    logsource_windows_file_event, \
-    logsource_linux_process_creation, \
-    generate_windows_logsource_items
-from sigma.processing.transformations import AddConditionTransformation, FieldMappingTransformation, DetectionItemFailureTransformation, RuleFailureTransformation, SetStateTransformation
-from sigma.processing.conditions import LogsourceCondition, ExcludeFieldCondition, RuleProcessingItemAppliedCondition
+from sigma.pipelines.common import (
+    logsource_windows,
+    logsource_windows_process_creation,
+    logsource_windows_registry_add,
+    logsource_windows_registry_delete,
+    logsource_windows_registry_event,
+    logsource_windows_registry_set,
+    logsource_windows_file_event,
+    logsource_linux_process_creation,
+    generate_windows_logsource_items,
+)
+from sigma.processing.transformations import (
+    AddConditionTransformation,
+    FieldMappingTransformation,
+    DetectionItemFailureTransformation,
+    RuleFailureTransformation,
+    SetStateTransformation,
+)
+from sigma.processing.conditions import (
+    LogsourceCondition,
+    ExcludeFieldCondition,
+    RuleProcessingItemAppliedCondition,
+)
 from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline
 
-windows_sysmon_acceleration_keywords = {    # Map Sysmon event sources and keywords that are added to search for Sysmon optimization pipeline
-   "process_creation": "ParentProcessGuid",
-   "file_event": "TargetFilename",
+windows_sysmon_acceleration_keywords = {  # Map Sysmon event sources and keywords that are added to search for Sysmon optimization pipeline
+    "process_creation": "ParentProcessGuid",
+    "file_event": "TargetFilename",
 }
 
 splunk_sysmon_process_creation_cim_mapping = {
@@ -36,7 +47,7 @@
 splunk_windows_registry_cim_mapping = {
     "Computer": "Registry.dest",
     "Details": "Registry.registry_value_data",
-    "EventType": "Registry.action", # EventType: DeleteKey is parsed to action: deleted
+    "EventType": "Registry.action",  # EventType: DeleteKey is parsed to action: deleted
     "Image": "Registry.process_path",
     "ProcessGuid": "Registry.process_guid",
     "ProcessId": "Registry.process_id",
@@ -52,44 +63,52 @@
     "TargetFilename": "Filesystem.file_path",
 }
 
+
 def splunk_windows_pipeline():
     return ProcessingPipeline(
         name="Splunk Windows log source conditions",
         allowed_backends={"splunk"},
         priority=20,
-        items=generate_windows_logsource_items("source", "WinEventLog:{source}") + [
-            ProcessingItem(     # Field mappings
+        items=generate_windows_logsource_items("source", "WinEventLog:{source}")
+        + [
+            ProcessingItem(  # Field mappings
                 identifier="splunk_windows_field_mapping",
-                transformation=FieldMappingTransformation({
-                    "EventID": "EventCode",
-                })
+                transformation=FieldMappingTransformation(
+                    {
+                        "EventID": "EventCode",
+                    }
+                ),
             )
         ],
     )
 
+
 def splunk_windows_sysmon_acceleration_keywords():
     return ProcessingPipeline(
         name="Splunk Windows Sysmon search acceleration keywords",
         allowed_backends={"splunk"},
         priority=25,
         items=[
-            ProcessingItem(     # Some optimizations searching for characteristic keyword for specific log sources
+            ProcessingItem(  # Some optimizations searching for characteristic keyword for specific log sources
                 identifier="splunk_windows_sysmon_process_creation",
-                transformation=AddConditionTransformation({
-                    None: keyword,
-                }),
+                transformation=AddConditionTransformation(
+                    {
+                        None: keyword,
+                    }
+                ),
                 rule_conditions=[
                     LogsourceCondition(
                         category=sysmon_category,
                         product="windows",
                         service="sysmon",
                     )
-                ]
+                ],
             )
             for sysmon_category, keyword in windows_sysmon_acceleration_keywords.items()
-        ]
+        ],
     )
 
+
 def splunk_cim_data_model():
     return ProcessingPipeline(
         name="Splunk CIM Data Model Mapping",
@@ -98,21 +117,26 @@ def splunk_cim_data_model():
         items=[
             ProcessingItem(
                 identifier="splunk_dm_mapping_sysmon_process_creation_unsupported_fields",
-                transformation=DetectionItemFailureTransformation("The Splunk Data Model Sigma backend supports only the following fields for process_creation log source: " + ",".join(splunk_sysmon_process_creation_cim_mapping.keys())),
+                transformation=DetectionItemFailureTransformation(
+                    "The Splunk Data Model Sigma backend supports only the following fields for process_creation log source: "
+                    + ",".join(splunk_sysmon_process_creation_cim_mapping.keys())
+                ),
                 rule_conditions=[
                     logsource_windows_process_creation(),
                     logsource_linux_process_creation(),
                 ],
                 rule_condition_linking=any,
                 field_name_conditions=[
                     ExcludeFieldCondition(
-                        fields = splunk_sysmon_process_creation_cim_mapping.keys()
+                        fields=splunk_sysmon_process_creation_cim_mapping.keys()
                     )
-                ]
+                ],
             ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_sysmon_process_creation",
-                transformation=FieldMappingTransformation(splunk_sysmon_process_creation_cim_mapping),
+                transformation=FieldMappingTransformation(
+                    splunk_sysmon_process_creation_cim_mapping
+                ),
                 rule_conditions=[
                     logsource_windows_process_creation(),
                     logsource_linux_process_creation(),
@@ -121,7 +145,9 @@ def splunk_cim_data_model():
             ),
             ProcessingItem(
                 identifier="splunk_dm_fields_sysmon_process_creation",
-                transformation=SetStateTransformation("fields", splunk_sysmon_process_creation_cim_mapping.values()),
+                transformation=SetStateTransformation(
+                    "fields", splunk_sysmon_process_creation_cim_mapping.values()
+                ),
                 rule_conditions=[
                     logsource_windows_process_creation(),
                     logsource_linux_process_creation(),
@@ -130,7 +156,9 @@ def splunk_cim_data_model():
             ),
             ProcessingItem(
                 identifier="splunk_dm_sysmon_process_creation_data_model_set",
-                transformation=SetStateTransformation("data_model_set", "Endpoint.Processes"),
+                transformation=SetStateTransformation(
+                    "data_model_set", "Endpoint.Processes"
+                ),
                 rule_conditions=[
                     logsource_windows_process_creation(),
                     logsource_linux_process_creation(),
@@ -139,7 +167,10 @@ def splunk_cim_data_model():
             ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_sysmon_registry_unsupported_fields",
-                transformation=DetectionItemFailureTransformation("The Splunk Data Model Sigma backend supports only the following fields for registry log source: " + ",".join(splunk_windows_registry_cim_mapping.keys())),
+                transformation=DetectionItemFailureTransformation(
+                    "The Splunk Data Model Sigma backend supports only the following fields for registry log source: "
+                    + ",".join(splunk_windows_registry_cim_mapping.keys())
+                ),
                 rule_conditions=[
                     logsource_windows_registry_add(),
                     logsource_windows_registry_delete(),
@@ -149,13 +180,15 @@ def splunk_cim_data_model():
                 rule_condition_linking=any,
                 field_name_conditions=[
                     ExcludeFieldCondition(
-                        fields = splunk_windows_registry_cim_mapping.keys()
+                        fields=splunk_windows_registry_cim_mapping.keys()
                     )
-                ]
+                ],
             ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_sysmon_registry",
-                transformation=FieldMappingTransformation(splunk_windows_registry_cim_mapping),
+                transformation=FieldMappingTransformation(
+                    splunk_windows_registry_cim_mapping
+                ),
                 rule_conditions=[
                     logsource_windows_registry_add(),
                     logsource_windows_registry_delete(),
@@ -166,7 +199,9 @@ def splunk_cim_data_model():
             ),
             ProcessingItem(
                 identifier="splunk_dm_fields_sysmon_registry",
-                transformation=SetStateTransformation("fields", splunk_windows_registry_cim_mapping.values()),
+                transformation=SetStateTransformation(
+                    "fields", splunk_windows_registry_cim_mapping.values()
+                ),
                 rule_conditions=[
                     logsource_windows_registry_add(),
                     logsource_windows_registry_delete(),
@@ -177,7 +212,9 @@ def splunk_cim_data_model():
             ),
             ProcessingItem(
                 identifier="splunk_dm_sysmon_registry_data_model_set",
-                transformation=SetStateTransformation("data_model_set", "Endpoint.Registry"),
+                transformation=SetStateTransformation(
+                    "data_model_set", "Endpoint.Registry"
+                ),
                 rule_conditions=[
                     logsource_windows_registry_add(),
                     logsource_windows_registry_delete(),
@@ -188,48 +225,64 @@ def splunk_cim_data_model():
             ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_sysmon_file_event_unsupported_fields",
-                transformation=DetectionItemFailureTransformation("The Splunk Data Model Sigma backend supports only the following fields for file_event log source: " + ",".join(splunk_windows_file_event_cim_mapping.keys())),
+                transformation=DetectionItemFailureTransformation(
+                    "The Splunk Data Model Sigma backend supports only the following fields for file_event log source: "
+                    + ",".join(splunk_windows_file_event_cim_mapping.keys())
+                ),
                 rule_conditions=[
                     logsource_windows_file_event(),
                 ],
                 field_name_conditions=[
                     ExcludeFieldCondition(
-                        fields = splunk_windows_file_event_cim_mapping.keys()
+                        fields=splunk_windows_file_event_cim_mapping.keys()
                     )
-                ]
+                ],
             ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_sysmon_file_event",
-                transformation=FieldMappingTransformation(splunk_windows_file_event_cim_mapping),
+                transformation=FieldMappingTransformation(
+                    splunk_windows_file_event_cim_mapping
+                ),
                 rule_conditions=[
                     logsource_windows_file_event(),
-                ]
+                ],
             ),
             ProcessingItem(
                 identifier="splunk_dm_fields_sysmon_file_event",
-                transformation=SetStateTransformation("fields", splunk_windows_file_event_cim_mapping.values()),
+                transformation=SetStateTransformation(
+                    "fields", splunk_windows_file_event_cim_mapping.values()
+                ),
                 rule_conditions=[
                     logsource_windows_file_event(),
-                ]
+                ],
             ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_sysmon_file_event_data_model_set",
-                transformation=SetStateTransformation("data_model_set", "Endpoint.Filesystem"),
+                transformation=SetStateTransformation(
+                    "data_model_set", "Endpoint.Filesystem"
+                ),
                 rule_conditions=[
                     logsource_windows_file_event(),
-                ]
+                ],
             ),
             ProcessingItem(
                 identifier="splunk_dm_mapping_log_source_not_supported",
                 rule_condition_linking=any,
-                transformation=RuleFailureTransformation("Rule type not yet supported by the Splunk data model CIM pipeline!"),
+                transformation=RuleFailureTransformation(
+                    "Rule type not yet supported by the Splunk data model CIM pipeline!"
+                ),
                 rule_condition_negation=True,
                 rule_conditions=[
-                    RuleProcessingItemAppliedCondition("splunk_dm_mapping_sysmon_process_creation"),
-                    RuleProcessingItemAppliedCondition("splunk_dm_mapping_sysmon_registry"),
-                    RuleProcessingItemAppliedCondition("splunk_dm_mapping_sysmon_file_event"),
+                    RuleProcessingItemAppliedCondition(
+                        "splunk_dm_mapping_sysmon_process_creation"
+                    ),
+                    RuleProcessingItemAppliedCondition(
+                        "splunk_dm_mapping_sysmon_registry"
+                    ),
+                    RuleProcessingItemAppliedCondition(
+                        "splunk_dm_mapping_sysmon_file_event"
+                    ),
                 ],
             ),
-        ]
+        ],
     )
-