Check for valid configuration/backend combinations

Makefile

@@ -48,6 +48,7 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml -f 'foo=bar' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c elk-windows -t es-qs rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c elk-windows -t splunk rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null

tools/config/arcsight.yml

@@ -1,5 +1,7 @@
 title: ArcSight
 order: 20
+backends:
+  - arcsight
 logsources:
   linux:
     product: linux

tools/config/elk-defaultindex-filebeat.yml

@@ -1,4 +1,10 @@
 title: Elastic Filebeat default index name
 order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - kibana
+  - xpack-watcher
+  - elastalert
 defaultindex:
     - filebeat-*

tools/config/elk-defaultindex-logstash.yml

@@ -1,4 +1,10 @@
 title: Generic Logstash index prefix
 order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - kibana
+  - xpack-watcher
+  - elastalert
 defaultindex:
     - logstash-*

tools/config/elk-defaultindex.yml

@@ -1,5 +1,11 @@
 title: Elastic Logstash and Filebeat default index patterns
 order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - kibana
+  - xpack-watcher
+  - elastalert
 defaultindex:
     - logstash-*
     - filebeat-*

tools/config/elk-linux.yml

@@ -1,5 +1,11 @@
 title: Logstash Linux project (https://github.com/thomaspatzke/logstash-linux)
 order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - kibana
+  - xpack-watcher
+  - elastalert
 logsources:
     apache:
         category: webserver

tools/config/elk-windows.yml

@@ -1,5 +1,11 @@
 title: Logstash Windows common log sources
 order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - kibana
+  - xpack-watcher
+  - elastalert
 logsources:
   windows:
     product: windows

tools/config/elk-winlogbeat.yml

@@ -1,5 +1,11 @@
 title: Elastic Winlogbeat index pattern and field mapping
 order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - kibana
+  - xpack-watcher
+  - elastalert
 logsources:
   windows:
     product: windows

tools/config/helk.yml

@@ -1,5 +1,11 @@
 title: HELK index patterns and OSSEM field mappings
 order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - kibana
+  - xpack-watcher
+  - elastalert
 logsources:
   windows-application:
     product: windows

tools/config/logpoint-windows-all.yml

@@ -1,5 +1,7 @@
 title: Logpoint
 order: 20
+backends:
+  - logpoint
 logsources:
   windows-security:
     product: windows

tools/config/netwitness.yml

@@ -1,5 +1,7 @@
 title: NetWitness
 order: 20
+backends:
+  - netwitness
 logsources:
   linux:
     product: linux

tools/config/powershell-windows-all.yml

@@ -1,5 +1,7 @@
 title: Logsource to LogName mappings for PowerShell backend
 order: 20
+backends:
+  - powershell
 logsources:
   windows-application:
     product: windows

tools/config/qradar.yml

@@ -1,4 +1,6 @@
 title: QRadar
+backends:
+  - qradar
 order: 20
 logsources:
   apache:

tools/config/qualys.yml

@@ -1,5 +1,7 @@
 title: Qualys
 order: 20
+backends:
+  - qualys
 fieldmappings:
     dst:
         - network.remote.address.ip

tools/config/splunk-windows-all-index.yml

@@ -1,5 +1,8 @@
 title: Splunk Windows index and EventID field mapping
 order: 20
+backends:
+  - splunk
+  - splunkxml
 logsources:
   windows:
     product: windows

tools/config/splunk-windows-all.yml

@@ -1,5 +1,8 @@
 title: Splunk Windows log source conditions
 order: 20
+backends:
+  - splunk
+  - splunkxml
 logsources:
   windows-application:
     product: windows

tools/config/sumologic.yml

@@ -1,5 +1,7 @@
 title: SumoLogic
 order: 20
+backends:
+  - sumologic
 # Sumulogic mapping depends on customer configuration. Adapt to your context!
 # typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
 # supposing existing FER for service, EventChannel, EventID

tools/config/thor.yml

@@ -1,4 +1,7 @@
 title: THOR
+order: 20
+backends:
+  - thor
 # this configuration differs from other configurations and can not be used
 # with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
 logsources:

tools/sigmac

@@ -52,6 +52,7 @@ ERR_NO_TARGET           = 10
 ERR_RULE_FILTER_PARSING = 11
 ERR_CONFIG_REQUIRED     = 20
 ERR_CONFIG_ORDER        = 21
+ERR_CONFIG_BACKEND      = 22
 ERR_NOT_IMPLEMENTED     = 42
 ERR_PARTIAL_FIELD_MATCH = 80
 ERR_FULL_FIELD_MATCH    = 90
@@ -164,6 +165,13 @@ if cmdargs.config:
                     sys.exit(ERR_CONFIG_ORDER)
                 order = sigmaconfig.order
 
+            try:
+                if cmdargs.target not in sigmaconfig.config["backends"]:
+                    print("The configuration '{}' is not valid for backend '{}'. Valid choices are: {}".format(conf_name, cmdargs.target, ", ".join(sigmaconfig.config["backends"])), file=sys.stderr)
+                    sys.exit(ERR_CONFIG_ORDER)
+            except KeyError:
+                pass
+
             sigmaconfigs.append(sigmaconfig)
         except OSError as e:
             print("Failed to open Sigma configuration file %s: %s" % (conf_name, str(e)), file=sys.stderr)