


# pySigma SQLite Backend
This is the SQLite backend for pySigma. It provides the package `sigma.backends.sqlite` with the `sqliteBackend` class.
This backend also aims to be compatible with [Zircolite](https://github.com/wagga40/Zircolite), which uses **pure SQLite queries** to perform Sigma-based detection on EVTX, Auditd, Sysmon for Linux, XML or JSONL/NDJSON logs.
It supports the following output formats:
* **default**: plain SQLite queries
* **zircolite**: SQLite queries in JSON format for Zircolite
This backend is currently maintained by:
* [wagga](https://github.com/wagga40/)
## Known issues/limitations
* Full text search support will need some work and is not a priority, since it requires virtual tables on the SQLite side
* In a future update, changing the table name will be handled by a backend option
* Aggregation is not supported, since it is deprecated by the Sigma specification and nearly no rules in the official repository use it
# Quick Start
## Example script (default output) with sysmon pipeline
### Add pipelines
```shell
poetry add pysigma-pipeline-sysmon
poetry add pysigma-pipeline-windows
```
### Convert a rule
```python
from sigma.collection import SigmaCollection
from sigma.backends.sqlite import sqlite
from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.pipelines.windows import windows_logsource_pipeline
from sigma.processing.resolver import ProcessingPipelineResolver

# Create the pipeline resolver
piperesolver = ProcessingPipelineResolver()
# Add pipelines
piperesolver.add_pipeline_class(sysmon_pipeline())  # Sysmon
piperesolver.add_pipeline_class(windows_logsource_pipeline())  # Windows
# Create a combined pipeline
combined_pipeline = piperesolver.resolve(piperesolver.pipelines)
# Instantiate backend using the combined pipeline
sqlite_backend = sqlite.sqliteBackend(combined_pipeline)

# The rule is YAML, so the indentation below is significant
rule = SigmaCollection.from_yaml(
r"""
title: Test
status: test
logsource:
    category: test_category
    product: test_product
detection:
    sel:
        fieldA: valueA
        fieldB: valueB
    condition: sel
""")

# Print the first SQLite query produced for the collection
print(sqlite_backend.convert(rule)[0])
```
## Running
```shell
poetry run python3 example.py
```
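To show what happens on the consuming side once a rule has been converted, here is an added example (not part of pySigma-backend-sqlite or Zircolite) that loads constructed JSONL events into an in-memory SQLite `logs` table and runs a constructed zircolite-style ruleset over it. The fixed table name `logs`, the one-column-per-flattened-key layout and the ruleset shape (each entry carrying a `rule` list of SQLite queries) are assumptions about how Zircolite consumes the backend's output.

```python
import json
import sqlite3

# Constructed JSONL events in the flattened key/value shape assumed for the
# logs table (not real log data).
SAMPLE_JSONL = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "User": "CORP\\bob"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443, "User": "NT AUTHORITY\\SYSTEM"}
'''

# Constructed ruleset in the assumed zircolite output shape: a title plus a
# "rule" list of SQLite queries over a fixed table named logs.
RULESET = [
    {"title": "Whoami Execution",
     "rule": ["SELECT * FROM logs WHERE EventID = 1 AND CommandLine LIKE '%whoami%'"]},
    {"title": "Outbound 443 From svchost",
     "rule": ["SELECT * FROM logs WHERE EventID = 3 AND Image LIKE '%svchost.exe' AND DestinationPort = 443"]},
    {"title": "Nothing Matches",
     "rule": ["SELECT * FROM logs WHERE EventID = 11"]},
]


def load_events(jsonl_text):
    """Build an in-memory logs table whose columns are the union of all event keys."""
    events = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    columns = sorted({key for event in events for key in event})
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    col_list = ", ".join(f'"{c}"' for c in columns)
    conn.execute(f"CREATE TABLE logs (row_id INTEGER PRIMARY KEY, {col_list})")
    placeholders = ", ".join("?" for _ in columns)
    # Keys absent from an event become NULL, so rules on other fields still work
    conn.executemany(
        f"INSERT INTO logs ({col_list}) VALUES ({placeholders})",
        [[event.get(c) for c in columns] for event in events],
    )
    conn.commit()
    return conn


def run_ruleset(conn, ruleset):
    """Execute every query of every rule; return {title: [matching rows as dicts]}."""
    hits = {}
    for rule in ruleset:
        rows = []
        for query in rule["rule"]:
            rows.extend(dict(r) for r in conn.execute(query))
        hits[rule["title"]] = rows
    return hits


if __name__ == "__main__":
    for title, rows in run_ruleset(load_events(SAMPLE_JSONL), RULESET).items():
        print(f"{title}: {len(rows)} hit(s)")
```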