This was an idea that was crafted at a BSides somewhere in 2024.

A "strict mode" would entail ensuring that the `sigma convert` command would return a failure, unless there was a field mapping in place for that field. This is designed to be enabled on CI / CD pipelines to catch errors in conversion, where the field does not map correctly to the SIEM field name, likely because someone introduced a new rule without first checking that the Field Mapping had previously been completed.

As such this can be optionally enabled by using the `--strict` (or similar) flag, and would return a non-zero return code upon a field mapping not appearing in a pipeline. There might be other things that can be added under the "strict" mode, but this is all I can think of now. Perhaps this can be shoe-horned as all validation checks required to pass before conversion is completed.

Replies: 1 comment

Sounds valid to me! I think this fits better into pySigma than CLI.
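The check the original post proposes, written out as an added stand-alone Python sketch (this is not sigma-cli or pySigma code, and the function names, the sample rule and the sample pipeline are all constructed for the example): collect every field name used in a rule's detection section, compare it with the fields covered by the pipeline's `field_name_mapping` transformations, and return a non-zero exit code when any field is unmapped, which is what a `--strict` flag would hand back to a CI job.

```python
"""Added example of a "strict mode" field-mapping check for Sigma conversion.
Not sigma-cli or pySigma code; rule, pipeline and function names are constructed."""
import sys

# Constructed Sigma rule, in the dict shape a YAML loader would produce.
SAMPLE_RULE = {
    "title": "Suspicious PowerShell Download Cradle (example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains|all": ["DownloadString", "IEX"],
        },
        "filter_user": {"User": "NT AUTHORITY\\SYSTEM"},
        "condition": "selection and not filter_user",
    },
}

# Constructed processing pipeline in the pySigma YAML layout. Note that the
# "User" field used by the rule has no mapping here, so strict mode must fail.
SAMPLE_PIPELINE = {
    "name": "example-siem-mapping",
    "transformations": [
        {
            "id": "proc_fields",
            "type": "field_name_mapping",
            "mapping": {"Image": "process.executable",
                        "CommandLine": "process.command_line"},
        },
    ],
}


def _fields_in_item(item):
    """Field names in one detection item; modifiers after '|' are stripped."""
    if isinstance(item, dict):
        return {key.split("|", 1)[0] for key in item}
    if isinstance(item, list):
        found = set()
        for sub in item:
            if isinstance(sub, dict):
                found.update(_fields_in_item(sub))
        return found
    return set()  # bare keyword lists carry no field names


def rule_fields(rule):
    """Every field name referenced anywhere in the rule's detection section."""
    fields = set()
    for name, item in rule.get("detection", {}).items():
        if name == "condition":
            continue
        fields.update(_fields_in_item(item))
    return fields


def mapped_fields(pipeline):
    """Fields covered by any field_name_mapping transformation in the pipeline."""
    mapped = set()
    for tr in pipeline.get("transformations", []):
        if tr.get("type") == "field_name_mapping":
            mapped.update(tr.get("mapping", {}))
    return mapped


def unmapped_fields(rule, pipeline):
    """Sorted list of rule fields the pipeline does not map."""
    return sorted(rule_fields(rule) - mapped_fields(pipeline))


def strict_convert_exit_code(rule, pipeline):
    """Exit code a --strict conversion would return: 0 if all mapped, else 1."""
    missing = unmapped_fields(rule, pipeline)
    if missing:
        print(f"strict mode: unmapped fields in '{rule['title']}': "
              f"{', '.join(missing)}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(strict_convert_exit_code(SAMPLE_RULE, SAMPLE_PIPELINE))
```

Run as a script it exits with status 1 and names `User` as the unmapped field, which is the signal a pipeline gate needs; add a mapping for `User` and it exits 0. The sketch deliberately ignores things a real implementation would have to respect, such as mappings that only apply under `rule_conditions` for a given logsource, or fields introduced by other transformation types, so it is a shape for the check rather than a drop-in.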