Replies: 1 comment
Sounds valid to me! I think this fits better into pySigma than CLI.
This was an idea that was crafted at a BSides somewhere in 2024.

A "strict mode" would entail ensuring that the `sigma convert` command would return a failure unless there was a field mapping in place for that field. This is designed to be enabled in CI/CD pipelines to catch errors in conversion, where the field does not map correctly to the SIEM field name, likely because someone introduced a new rule without first checking that the field mapping had previously been completed.

As such, this can be optionally enabled by using the `--strict` (or similar) flag, and would return a non-zero return code upon a field mapping not appearing in a pipeline. There might be other things that can be added under the "strict" mode, but this is all I can think of now. Perhaps this can be shoe-horned in as all validation checks required to pass before conversion is completed.
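As an added example (not sigma-cli or pySigma code), the following plain-Python script models the check the proposed strict mode would perform: collect every field a rule's detection refers to, compare it against the pipeline's field mapping, and return a non-zero exit code when any field is unmapped, so a CI job fails instead of shipping a rule whose field never reached the SIEM's name. The rules and the mapping are constructed inline; the dict layout standing in for a loaded YAML rule and a pySigma `FieldMappingTransformation` mapping is an assumption made so the script runs offline. The field shapes it handles (`Field|modifier` keys, a selection given as a list of maps, and bare keyword lists that carry no field) follow the Sigma rule format.

```python
"""Strict-mode field-mapping check for Sigma rules.

Added example, not pySigma or sigma-cli code: it models the proposed
`--strict` behaviour in plain Python so it runs offline. Rules and the
field mapping are embedded as constructed dicts; in a real CI job they
would be loaded from the rule YAML files and the processing pipeline.
"""
import sys

# Constructed pipeline field mapping (Sigma field -> SIEM field), shaped
# like the `mapping` of a pySigma FieldMappingTransformation (assumption).
PIPELINE_FIELD_MAPPING = {
    "Image": "process.executable",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.executable",
    "User": "user.name",
}

# Constructed rules. The second one uses `OriginalFileName`, which the
# mapping above does not cover, so strict mode should reject it.
RULES = [
    {
        "title": "Suspicious PowerShell Download Cradle",
        "detection": {
            "selection": {
                "Image|endswith": "\\powershell.exe",
                "CommandLine|contains": ["DownloadString", "IEX"],
            },
            "condition": "selection",
        },
    },
    {
        "title": "Renamed Binary Execution",
        "detection": {
            "selection": [
                {"OriginalFileName": "cmd.exe"},
                {"Image|endswith": "\\notcmd.exe"},
            ],
            "filter": {"User": "SYSTEM"},
            "condition": "selection and not filter",
        },
    },
]


def rule_fields(rule):
    """Return the set of Sigma field names a rule's detection refers to.

    Handles the three shapes a detection item may take: a map of
    field -> value, a list of such maps, or a list of bare keywords (no
    field at all). Modifiers after '|' (e.g. 'Image|endswith') are stripped
    because the pipeline maps the bare field name.
    """
    fields = set()
    for name, item in rule["detection"].items():
        if name == "condition":
            continue
        maps = item if isinstance(item, list) else [item]
        for entry in maps:
            if not isinstance(entry, dict):
                continue  # keyword list: nothing to map
            for key in entry:
                fields.add(key.split("|", 1)[0])
    return fields


def unmapped_fields(rule, mapping):
    """Sorted list of fields in `rule` with no entry in `mapping`."""
    return sorted(f for f in rule_fields(rule) if f not in mapping)


def strict_check(rules, mapping):
    """Apply the proposed strict mode across a rule set.

    Returns (exit_code, problems) where problems maps a rule title to its
    unmapped fields. The exit code is 0 only when every field of every rule
    is covered by the pipeline, so a CI job can fail on the return code.
    """
    problems = {}
    for rule in rules:
        missing = unmapped_fields(rule, mapping)
        if missing:
            problems[rule["title"]] = missing
    return (1 if problems else 0), problems


if __name__ == "__main__":
    code, problems = strict_check(RULES, PIPELINE_FIELD_MAPPING)
    for title, missing in problems.items():
        print(f"strict: rule '{title}' has unmapped fields: {', '.join(missing)}")
    sys.exit(code)
```

Run as a pipeline step, the script exits 1 for the constructed rule set because `OriginalFileName` has no mapping, while a rule set containing only the first rule exits 0. A keyword-only detection contributes no fields and therefore never trips the check, which matches the post's intent of flagging field names rather than values.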