From c8a66e48b6e701edef831bf00b5c32aaa6a3f5ea Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sat, 16 Sep 2017 00:37:16 +0200
Subject: [PATCH] sigmac: improved Kibana backend
* added fields from rules
* default index if none is matching
---
 tools/backends.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/tools/backends.py b/tools/backends.py
index 22d247667..d08ee8daa 100644
--- a/tools/backends.py
+++ b/tools/backends.py
@@ -274,9 +274,23 @@ class KibanaBackend(ElasticsearchQuerystringBackend):
 description = sigmaparser.parsedyaml["description"]
 except KeyError:
 description = ""
-
+
+ columns = list()
+ try:
+ for field in sigmaparser.parsedyaml["fields"]:
+ mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field)
+ if type(mapped) == str:
+ columns.append(mapped)
+ elif type(mapped) == list:
+ columns.extend(mapped)
+ else:
+ raise TypeError("Field mapping must return string or list")
+ except KeyError: # no 'fields' attribute
+ pass
 indices = sigmaparser.get_logsource().index
+ if len(indices) == 0:
+ indices = ["logstash-*"]
 for index in indices:
 if len(indices) > 1: # add index names if rule must be replicated because of ambigiuous index patterns
 rulename += "-" + indexname
@@ -290,7 +304,7 @@ class KibanaBackend(ElasticsearchQuerystringBackend):
 "title": title,
 "description": description,
 "hits": 0,
- "columns": [], # TODO: add columns used in search
+ "columns": columns,
 "sort": ["@timestamp", "desc"],
 "version": 1,
 "kibanaSavedObjectMeta": {
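Review bot: The `try` wrapped around the whole `for field in sigmaparser.parsedyaml["fields"]` loop catches more than the missing-key case its comment describes: a KeyError raised from `get_fieldmapping(field)` or `resolve_fieldname(field)` for a field without a mapping would also hit `except KeyError: pass`, so the remaining columns are silently dropped instead of the conversion failing visibly. Keep the guarded part to the lookup, e.g. `for field in sigmaparser.parsedyaml.get("fields", []):` with the try/except removed, so a mapping failure surfaces as an error. The `type(mapped) == str` / `type(mapped) == list` checks would read better as `isinstance(mapped, str)` / `isinstance(mapped, list)`. Whether the mapping helpers can raise KeyError is not visible here, and the enclosing method starts before the hunk. As an aside, the context line `rulename += "-" + indexname` references a name the visible loop does not bind (it binds `index`); that predates this commit but is worth a look while in this code.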