Removed dependency to Sysmon pipeline

thomaspatzke · thomaspatzke · commit e2ee421513c4 · 2023-02-08T00:17:50.000+01:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -12,12 +12,10 @@ packages = [
 [tool.poetry.dependencies]
 python = "^3.8"
 pysigma = "^0.9.0"
-pysigma-pipeline-sysmon = "^1.0.0"
 
 [tool.poetry.dev-dependencies]
 pytest = "^6.2.2"
 pytest-cov = "^2.11.1"
-pysigma-pipeline-sysmon = "^1.0.0"
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]
diff --git a/tests/test_splunk_pipelines.py b/tests/test_splunk_pipelines.py
@@ -3,7 +3,6 @@
 from sigma.backends.splunk import SplunkBackend
 from sigma.pipelines.splunk import splunk_windows_pipeline, splunk_windows_sysmon_acceleration_keywords, splunk_cim_data_model
 from sigma.pipelines.common import windows_logsource_mapping
-from sigma.pipelines.sysmon import sysmon_pipeline
 from sigma.exceptions import SigmaTransformationError
 
 @pytest.mark.parametrize(
@@ -46,7 +45,7 @@ def test_splunk_windows_pipeline_simple(service, source):
             )) + ") EventCode=123 field=\"value\""]
 
 def test_splunk_sysmon_process_creation_keyword_acceleration():
-    assert SplunkBackend(processing_pipeline=sysmon_pipeline() + splunk_windows_pipeline() + splunk_windows_sysmon_acceleration_keywords()).convert(
+    assert SplunkBackend(processing_pipeline=splunk_windows_pipeline() + splunk_windows_sysmon_acceleration_keywords()).convert(
         SigmaCollection.from_yaml(f"""
             title: Test
             status: test
@@ -59,10 +58,10 @@ def test_splunk_sysmon_process_creation_keyword_acceleration():
                     field: value
                 condition: sel
         """)
-    ) == ['"ParentProcessGuid" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 field="value"']
+    )[0].startswith('"ParentProcessGuid"')
 
 def test_splunk_sysmon_file_creation_keyword_acceleration():
-    assert SplunkBackend(processing_pipeline=sysmon_pipeline() + splunk_windows_pipeline() + splunk_windows_sysmon_acceleration_keywords()).convert(
+    assert SplunkBackend(processing_pipeline=splunk_windows_pipeline() + splunk_windows_sysmon_acceleration_keywords()).convert(
         SigmaCollection.from_yaml(f"""
             title: Test
             status: test
@@ -75,7 +74,7 @@ def test_splunk_sysmon_file_creation_keyword_acceleration():
                     field: value
                 condition: sel
         """)
-    ) == ['"TargetFilename" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 field="value"']
+    )[0].startswith('"TargetFilename"')
 
 def test_splunk_process_creation_dm():
     assert SplunkBackend(processing_pipeline=splunk_cim_data_model()).convert(
