Question: How to avoid processing the fields?

[0xFustang]

Hi!

I am currently using the splunk_windows pipeline and I am looking for a pipeline option to avoid the Splunk table output as the following:

... | table ComputerName,User,SourceImage,TargetImage,CallTrace

The Splunk table is processed thanks to the fact that the author of the Sigma rule issued the fields for the analyst. I would like to have an option to avoid that and have my post-processing handle the | table part, is there any transformation rule for that purpose?

Sigma rule:

title: Load Undocumented Autoelevated COM Interface
id: fb3722e4-1a06-46b6-b772-253e2e7db933
...
fields:
    - ComputerName
    - User
    - SourceImage
    - TargetImage
    - CallTrace
...
level: high

[thomaspatzke]

This would be an extension, query postprocessing is currently not able to remove parts of the generated query. I mark this as enhancement request.

[thomaspatzke]

I've created a new query post-processing transformation replace with the parameters pattern an replacement. The following (untested) should do what you want:

postprocessing:
- type: replace
  pattern: "| table \S+"
  replacement: ""

Keeping the issue open because a dedicated option for this is nicer.