pySigma SumoLogic Backend
This is the SumoLogic backend for pySigma,capable of converting Sigma rules into Continuous Intelligence Platform (CIP) log search queries and Cloud SIEM Enterprise (CSE) queries for the SumoLogic platform. It provides the package sigma.backends.sumologic with the sumologicCIPBackend and sumoLogicCSEBackend classes.
Further, it contains the following processing pipelines in sigma.pipelines.sumologic:
sumologic_cip_pipeline: Performs field mapping, value transformations, and triggers rule failures when unsupported fields are present. Field names are mapped for clarity and to support correlation across log sources.sumologic_cse_pipeline: erforms field mapping, value transformations, and triggers rule failures when unsupported fields are present. Field names are mapped to align with CSE mappable fields.
It supports the following output formats:
- CIP Backend
- default: Provides queries for use in CIP log search.
- saved_search: This output format creates properly-formatted JSON which can be imported as a saved search. It will add the proper object type, query text, a default "Last 60 Minutes" time range, and will set the Auto Parse option as explained here.
- CSE Backend
- default: Provides queries for use in CSE rules.
- cse_rule: This format provides JSON which can be imported as a new rule using the SumoLogic GUI or API. It will set the rule name, description, tags, and severity levels based on the source Sigma rule.
Parsing
Additionally, the sigma.backends.sumologic.parsing file contains lookups that support the addition of parsing statements to output CIP queries, which is required to perform the filtering/querying in the rules. Parsing statements may not be necessary if the user has implemented Field Extraction Rules (FERs); however, I added the parsing statements to make the output queries as useful in the near-term as possible. You may remove them if they are not needed.
Maintenance and Support
This backend is currently maintained by: