Merge pull request #5 from frack113/poetry

Update Poetry dep
SigmaHQ · Feb 9, 2024 · b785432 · b785432
2 parents c5f353f + e987e0a
commit b785432
Show file tree

Hide file tree

Showing 6 changed files with 971 additions and 650 deletions.
diff --git a/poetry.lock b/poetry.lock
diff --git a/print-coverage.py b/print-coverage.py
@@ -1,7 +1,7 @@
 # Prints code testing coverage as percentage for badge generation.
-import xml.etree.ElementTree as et
+from defusedxml.ElementTree import parse
 
-tree = et.parse("cov.xml")
+tree = parse("cov.xml")
 root = tree.getroot()
 coverage = float(root.attrib["line-rate"]) * 100
 print(f"COVERAGE={coverage:3.4}%")
@@ -12,4 +12,4 @@
 elif coverage >= 85.0:
     print("COVERAGE_COLOR=orange")
 else:
-    print("COVERAGE_COLOR=red")
+    print("COVERAGE_COLOR=red")
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-pipeline-sysmon"
-version = "1.0.3"
+version = "1.0.4"
 description = "pySigma Sysmon processing pipelines"
 readme = "README.md"
 authors = ["Thomas Patzke <[email protected]>"]
@@ -12,12 +12,14 @@ packages = [
 
 [tool.poetry.dependencies]
 python = "^3.8"
-pysigma = "^0.10.2"
+pysigma = "^0.11"
 
 [tool.poetry.dev-dependencies]
-pytest = "^6.2.2"
-pytest-cov = "^2.11.1"
+black = "^24.1"
+pytest = "^8.0"
+pytest-cov = "^4.1"
+defusedxml = "^0.7"
 
 [build-system]
-requires = ["poetry-core>=1.0.0"]
+requires = ["poetry-core>=1.8.1"]
 build-backend = "poetry.core.masonry.api"
diff --git a/sigma/pipelines/sysmon/__init__.py b/sigma/pipelines/sysmon/__init__.py
@@ -1,3 +1,3 @@
 from typing import Callable, Dict
 from .sysmon import sysmon_pipeline
-from sigma.processing.pipeline import ProcessingPipeline
+from sigma.processing.pipeline import ProcessingPipeline
diff --git a/sigma/pipelines/sysmon/sysmon.py b/sigma/pipelines/sysmon/sysmon.py
@@ -1,34 +1,40 @@
-from sigma.processing.transformations import AddConditionTransformation, ChangeLogsourceTransformation
+from sigma.processing.transformations import (
+    AddConditionTransformation,
+    ChangeLogsourceTransformation,
+)
 from sigma.processing.conditions import LogsourceCondition
 from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline
 from sigma.pipelines.base import Pipeline
 
-sysmon_generic_logsource_eventid_mapping = {    # map generic Sigma log sources to Sysmon event ids
-    "process_creation": 1,
-    "file_change": 2,
-    "network_connection": 3,
-    "process_termination": 5,
-    "sysmon_status": [4,16],
-    "driver_load": 6,
-    "image_load": 7,
-    "create_remote_thread": 8,
-    "raw_access_thread": 9,
-    "process_access": 10,
-    "file_event": 11,
-    "registry_add": 12,
-    "registry_delete": 12,
-    "registry_set": 13,
-    "registry_rename": 14,
-    "registry_event": [12,13,14],
-    "create_stream_hash": 15,
-    "pipe_created": [17,18],
-    "wmi_event": [19,20,21],
-    "dns_query": 22,
-    "file_delete": [23,26],
-    "clipboard_capture": 24,
-    "process_tampering": 25,
-    "sysmon_error": 255,
-}
+sysmon_generic_logsource_eventid_mapping = (
+    {  # map generic Sigma log sources to Sysmon event ids
+        "process_creation": 1,
+        "file_change": 2,
+        "network_connection": 3,
+        "process_termination": 5,
+        "sysmon_status": [4, 16],
+        "driver_load": 6,
+        "image_load": 7,
+        "create_remote_thread": 8,
+        "raw_access_thread": 9,
+        "process_access": 10,
+        "file_event": 11,
+        "registry_add": 12,
+        "registry_delete": 12,
+        "registry_set": 13,
+        "registry_rename": 14,
+        "registry_event": [12, 13, 14],
+        "create_stream_hash": 15,
+        "pipe_created": [17, 18],
+        "wmi_event": [19, 20, 21],
+        "dns_query": 22,
+        "file_delete": [23, 26],
+        "clipboard_capture": 24,
+        "process_tampering": 25,
+        "sysmon_error": 255,
+    }
+)
+
 
 @Pipeline
 def sysmon_pipeline() -> ProcessingPipeline:
@@ -41,15 +47,14 @@ def sysmon_pipeline() -> ProcessingPipeline:
             for processing_item in (
                 ProcessingItem(
                     identifier=f"sysmon_{log_source}_eventid",
-                    transformation=AddConditionTransformation({
-                        "EventID": event_id,
-                    }),
+                    transformation=AddConditionTransformation(
+                        {
+                            "EventID": event_id,
+                        }
+                    ),
                     rule_conditions=[
-                        LogsourceCondition(
-                            category=log_source,
-                            product="windows"
-                        )
-                    ]
+                        LogsourceCondition(category=log_source, product="windows")
+                    ],
                 ),
                 ProcessingItem(
                     identifier=f"sysmon_{log_source}_logsource",
@@ -59,12 +64,9 @@ def sysmon_pipeline() -> ProcessingPipeline:
                         category=log_source,
                     ),
                     rule_conditions=[
-                        LogsourceCondition(
-                            category=log_source,
-                            product="windows"
-                        )
-                    ]
-                )
+                        LogsourceCondition(category=log_source, product="windows")
+                    ],
+                ),
             )
-        ]
+        ],
     )