Split field mappings into per source groups #14
Comments
scudette
added a commit
that referenced
this issue
Mar 10, 2024
Addressing #14 , currently invalid fields can be added to rules, with a rule requiring a field that doesn't exist. This PR will add fields to each log source, so we can find invalid fields during linting. --------- Co-authored-by: Mike Cohen <mike@velocidex.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently the configuration file for this compiler takes:
FieldMapingsection outlining a mapping between fields in the sigma rule and fields in the event itselfSourcessection outlining a set of queries (which produce events) for each named log source.A particular sigma rule declares a source and a set of fields in the
detectionsection.For the rule to be valid, the fields that are referenced in the detection section must actually appear in the events delivered by the specific log source.
Currently we check that the fields mentioned are defined at all but they can actually also belong to another source.
We need to update the linter to be able to detect when a rule refers to an invalid field which is does not appear in the declared source, even though the field appears in a different unrelated source.
The text was updated successfully, but these errors were encountered: