pySigma Google SecOps Beta Release
Release Notes: v0.1.0
Summary
This release marks a significant milestone for the pySigma Google SecOps (Chronicle) Backend, introducing major improvements in event type determination, field mappings, and output formats. We've enhanced the backend's ability to generate more accurate and flexible queries, while also introducing support for YARA-L 2.0 output.
New Features
Advanced Event Type Determination
- Implemented `SetRuleEventTypeFromLogsourceTransformation` and `SetRuleEventTypeFromEventIDTransformation`
- Improved logic to determine event types based on logsource categories and EventIDs
Dynamic Field Mapping
- Introduced the `get_field_mappings_by_event_type` function for more flexible field mappings
- Added support for various event types, including process, network, file, authentication, and registry events
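As an added illustration (not the backend's own code), a stand-alone sketch of the two mechanisms named above: resolving a rule's logsource category, or failing that an EventID in its detection, to a UDM event type, and then using that event type to pick a Sigma-to-UDM field mapping. The lookup tables, the UDM field paths chosen and the function names are constructed for this example and are not the backend's actual tables or API.

```python
# Sigma logsource category -> UDM metadata.event_type (constructed sample)
CATEGORY_TO_EVENT_TYPE = {
    "process_creation": "PROCESS_LAUNCH",
    "network_connection": "NETWORK_CONNECTION",
    "file_event": "FILE_CREATION",
    "registry_event": "REGISTRY_MODIFICATION",
}
# Windows Security / Sysmon EventID -> UDM event type (constructed sample)
EVENT_ID_TO_EVENT_TYPE = {
    4688: "PROCESS_LAUNCH",   # Security: a new process has been created
    1: "PROCESS_LAUNCH",      # Sysmon: process creation
    3: "NETWORK_CONNECTION",  # Sysmon: network connection
    11: "FILE_CREATION",      # Sysmon: file created
}
# Per-event-type Sigma field -> UDM field mapping (constructed sample)
FIELD_MAPPINGS_BY_EVENT_TYPE = {
    "PROCESS_LAUNCH": {
        "Image": "principal.process.file.full_path",
        "CommandLine": "principal.process.command_line",
    },
    "NETWORK_CONNECTION": {"DestinationIp": "target.ip", "DestinationPort": "target.port"},
}

def determine_event_type(logsource: dict, detection: dict):
    """Prefer the logsource category; fall back to an EventID found in the detection."""
    event_type = CATEGORY_TO_EVENT_TYPE.get(logsource.get("category", ""))
    if event_type:
        return event_type
    for selection in detection.values():
        if not isinstance(selection, dict) or "EventID" not in selection:
            continue  # skips e.g. the "condition" string
        ids = selection["EventID"]
        for event_id in ids if isinstance(ids, list) else [ids]:
            if int(event_id) in EVENT_ID_TO_EVENT_TYPE:
                return EVENT_ID_TO_EVENT_TYPE[int(event_id)]
    return None  # caller must treat this as an unresolvable rule

def map_fields(event_type: str, selection: dict) -> dict:
    """Rewrite Sigma field names to UDM names, keeping Sigma modifiers such as |contains.
    An unmapped field is an error, so no query can reference a field UDM does not have."""
    mapping = FIELD_MAPPINGS_BY_EVENT_TYPE.get(event_type, {})
    mapped = {}
    for field, value in selection.items():
        name, _, modifiers = field.partition("|")
        if name == "EventID":
            continue  # already consumed by event type determination
        if name not in mapping:
            raise ValueError(f"no UDM mapping for field {name!r} under {event_type}")
        mapped[mapping[name] + ("|" + modifiers if modifiers else "")] = value
    return mapped
```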
YARA-L 2.0 Output Support
- Added the new `yara_l_pipeline()` for generating YARA-L 2.0 format output
- Implemented `YaraLPostprocessingTransformation` for formatting YARA-L rules
Enum Value Conversion
- New `ConvertEnumValueTransformation` to map enum values to their UDM equivalents
Improvements
Pipeline Enhancements
- Added `PrependMetadataPostprocessingTransformation` for more flexible query generation
- Implemented `SetPrependMetadataTransformation` to control metadata prepending
- New `RemoveHashAlgoFromValueTransformation` for cleaning up hash fields
Code Cleanup and Optimization
- Refactored and optimized various utility functions
- Improved overall code structure and readability
Error Handling
- Enhanced error reporting for invalid UDM fields
Testing
- Added comprehensive test suite for the SecOps pipeline
- Expanded backend tests to cover new functionalities, including YARA-L output
Documentation
- Updated README with new features and usage examples
- Added more detailed comments and docstrings throughout the codebase
Coming Soon
- More robust field mapping logic
- Enhanced YARA-L output with improved readability and structure