contentctl 4.2.5__tar.gz → 4.3.0__tar.gz

{contentctl-4.2.5 → contentctl-4.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.2.5
+Version: 4.3.0
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -19,8 +19,6 @@ Requires-Dist: gitpython (>=3.1.43,<4.0.0)
 Requires-Dist: pycvesearch (>=1.2,<2.0)
 Requires-Dist: pydantic (>=2.7.1,<3.0.0)
 Requires-Dist: pygit2 (>=1.14.1,<2.0.0)
-Requires-Dist: pysigma (>=0.11.5,<0.12.0)
-Requires-Dist: pysigma-backend-splunk (>=1.1.0,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.2,<2.33.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
@@ -36,8 +34,20 @@ Description-Content-Type: text/markdown
 <p align="center">
 <img src="docs/contentctl_logo_white.png" title="In case you're wondering, it's a capybara" alt="contentctl logo" width="250" height="250"></p>
 
-
-
+# contentctl Quick Start Guide
+If you are already familiar with contentctl, the following common commands may be very useful for basic operations
+
+| Operation | Command |
+|-----------|---------|
+| Create a repository | `contentctl init` |
+| Validate Your Content | `contentctl validate` |
+| Validate Your Content, performing MITRE Enrichments | `contentctl validate –-enrichments`|
+| Build Your App | `contentctl build` |
+| Test All the content in your app, pausing so that you can debug a search if it fails | `contentctl test –-post-test-behavior pause_on_failure mode:all` |
+| Test All the content in your app, pausing after every detection to allow debugging | `contentctl test –-post-test-behavior always_pause mode:all` |
+| Test 1 or more specified detections. If you are testing more than one detection, the paths are space-separated. You may also use shell-expanded regexes | `contentctl test –-post-test-behavior always_pause mode:selected --mode.files detections/endpoint/7zip_commandline_to_smb_share_path.yml detections/cloud/aws_multi_factor_authentication_disabled.yml detections/application/okta*` |
+| Diff your current branch with a target_branch and test detections that have been updated. Your current branch **must be DIFFERENT** than the target_branch | `contentctl test –-post-test-behavior always_pause mode:changes –-mode.target_branch develop` |
+| Perform Integration Testing of all content. Note that Enterprise Security MUST be listed as an app in your contentctl.yml folder, otherwise all tests will subsequently fail | `contentctl test –-enable-integration-testing --post-test-behavior never_pause mode:all` |
 
 # Introduction
 #### Security Is Hard 

{contentctl-4.2.5 → contentctl-4.3.0}/README.md

@@ -3,8 +3,20 @@
 <p align="center">
 <img src="docs/contentctl_logo_white.png" title="In case you're wondering, it's a capybara" alt="contentctl logo" width="250" height="250"></p>
 
-
-
+# contentctl Quick Start Guide
+If you are already familiar with contentctl, the following common commands may be very useful for basic operations
+
+| Operation | Command |
+|-----------|---------|
+| Create a repository | `contentctl init` |
+| Validate Your Content | `contentctl validate` |
+| Validate Your Content, performing MITRE Enrichments | `contentctl validate –-enrichments`|
+| Build Your App | `contentctl build` |
+| Test All the content in your app, pausing so that you can debug a search if it fails | `contentctl test –-post-test-behavior pause_on_failure mode:all` |
+| Test All the content in your app, pausing after every detection to allow debugging | `contentctl test –-post-test-behavior always_pause mode:all` |
+| Test 1 or more specified detections. If you are testing more than one detection, the paths are space-separated. You may also use shell-expanded regexes | `contentctl test –-post-test-behavior always_pause mode:selected --mode.files detections/endpoint/7zip_commandline_to_smb_share_path.yml detections/cloud/aws_multi_factor_authentication_disabled.yml detections/application/okta*` |
+| Diff your current branch with a target_branch and test detections that have been updated. Your current branch **must be DIFFERENT** than the target_branch | `contentctl test –-post-test-behavior always_pause mode:changes –-mode.target_branch develop` |
+| Perform Integration Testing of all content. Note that Enterprise Security MUST be listed as an app in your contentctl.yml folder, otherwise all tests will subsequently fail | `contentctl test –-enable-integration-testing --post-test-behavior never_pause mode:all` |
 
 # Introduction
 #### Security Is Hard 

{contentctl-4.2.5 → contentctl-4.3.0}/contentctl/actions/build.py

@@ -8,7 +8,6 @@ from contentctl.objects.enums import SecurityContentProduct, SecurityContentType
 from contentctl.input.director import Director, DirectorOutputDto
 from contentctl.output.conf_output import ConfOutput
 from contentctl.output.conf_writer import ConfWriter
-from contentctl.output.ba_yml_output import BAYmlOutput
 from contentctl.output.api_json_output import ApiJsonOutput
 from contentctl.output.data_source_writer import DataSourceWriter
 from contentctl.objects.lookup import Lookup
@@ -86,17 +85,4 @@ class Build:
             
             print(f"Build of '{input_dto.config.app.title}' API successful to {input_dto.config.getAPIPath()}")
 
-        if input_dto.config.build_ssa:
-            
-            srs_path = input_dto.config.getSSAPath() / 'srs'
-            complex_path = input_dto.config.getSSAPath() / 'complex'
-            shutil.rmtree(srs_path, ignore_errors=True)
-            shutil.rmtree(complex_path, ignore_errors=True)
-            srs_path.mkdir(parents=True)
-            complex_path.mkdir(parents=True)
-            ba_yml_output = BAYmlOutput()
-            ba_yml_output.writeObjects(input_dto.director_output_dto.ssa_detections, str(input_dto.config.getSSAPath()))
-
-            print(f"Build of 'SSA' successful to {input_dto.config.getSSAPath()}")
-                
         return input_dto.director_output_dto

{contentctl-4.2.5 → contentctl-4.3.0}/contentctl/actions/validate.py

@@ -30,7 +30,6 @@ class Validate:
             [],
             [],
             [],
-            [],
         )
 
         director = Director(director_output_dto)

{contentctl-4.2.5 → contentctl-4.3.0}/contentctl/input/director.py

@@ -28,13 +28,11 @@ from contentctl.enrichments.attack_enrichment import AttackEnrichment
 from contentctl.enrichments.cve_enrichment import CveEnrichment
 
 from contentctl.objects.config import validate
-from contentctl.input.ssa_detection_builder import SSADetectionBuilder
 from contentctl.objects.enums import SecurityContentType
 
 from contentctl.objects.enums import DetectionStatus
 from contentctl.helper.utils import Utils
 
-from contentctl.input.ssa_detection_builder import SSADetectionBuilder
 from contentctl.objects.enums import SecurityContentType
 
 from contentctl.objects.enums import DetectionStatus 
@@ -56,7 +54,6 @@ class DirectorOutputDto:
     macros: list[Macro]
     lookups: list[Lookup]
     deployments: list[Deployment]
-    ssa_detections: list[SSADetection]
     data_sources: list[DataSource]
     name_to_content_map: dict[str, SecurityContentObject] = field(default_factory=dict)
     uuid_to_content_map: dict[UUID, SecurityContentObject] = field(default_factory=dict)
@@ -98,8 +95,6 @@ class DirectorOutputDto:
             self.stories.append(content)
         elif isinstance(content, Detection):
             self.detections.append(content)
-        elif isinstance(content, SSADetection):
-            self.ssa_detections.append(content)
         elif isinstance(content, DataSource):
             self.data_sources.append(content)
         else:
@@ -112,11 +107,9 @@ class DirectorOutputDto:
 class Director():
     input_dto: validate
     output_dto: DirectorOutputDto
-    ssa_detection_builder: SSADetectionBuilder
 
     def __init__(self, output_dto: DirectorOutputDto) -> None:
         self.output_dto = output_dto
-        self.ssa_detection_builder = SSADetectionBuilder()
 
     def execute(self, input_dto: validate) -> None:
         self.input_dto = input_dto
@@ -129,7 +122,6 @@ class Director():
         self.createSecurityContent(SecurityContentType.data_sources)
         self.createSecurityContent(SecurityContentType.playbooks)
         self.createSecurityContent(SecurityContentType.detections)
-        self.createSecurityContent(SecurityContentType.ssa_detections)
 
         
         from contentctl.objects.abstract_security_content_objects.detection_abstract import MISSING_SOURCES
@@ -142,12 +134,7 @@ class Director():
             print("No missing data_sources!")
 
     def createSecurityContent(self, contentType: SecurityContentType) -> None:
-        if contentType == SecurityContentType.ssa_detections:
-            files = Utils.get_all_yml_files_from_directory(
-                os.path.join(self.input_dto.path, "ssa_detections")
-            )
-            security_content_files = [f for f in files if f.name.startswith("ssa___")]
-        elif contentType in [
+        if contentType in [
             SecurityContentType.deployments,
             SecurityContentType.lookups,
             SecurityContentType.macros,
@@ -179,43 +166,37 @@ class Director():
                 modelDict = YmlReader.load_file(file)
 
                 if contentType == SecurityContentType.lookups:
-                    lookup = Lookup.model_validate(modelDict,context={"output_dto":self.output_dto, "config":self.input_dto})
+                    lookup = Lookup.model_validate(modelDict, context={"output_dto":self.output_dto, "config":self.input_dto})
                     self.output_dto.addContentToDictMappings(lookup)
                 
                 elif contentType == SecurityContentType.macros:
-                    macro = Macro.model_validate(modelDict,context={"output_dto":self.output_dto})
+                    macro = Macro.model_validate(modelDict, context={"output_dto":self.output_dto})
                     self.output_dto.addContentToDictMappings(macro)
                 
                 elif contentType == SecurityContentType.deployments:
-                    deployment = Deployment.model_validate(modelDict,context={"output_dto":self.output_dto})
+                    deployment = Deployment.model_validate(modelDict, context={"output_dto":self.output_dto})
                     self.output_dto.addContentToDictMappings(deployment)
 
                 elif contentType == SecurityContentType.playbooks:
-                    playbook = Playbook.model_validate(modelDict,context={"output_dto":self.output_dto})
+                    playbook = Playbook.model_validate(modelDict, context={"output_dto":self.output_dto})
                     self.output_dto.addContentToDictMappings(playbook)                  
                 
                 elif contentType == SecurityContentType.baselines:
-                    baseline = Baseline.model_validate(modelDict,context={"output_dto":self.output_dto})
+                    baseline = Baseline.model_validate(modelDict, context={"output_dto":self.output_dto})
                     self.output_dto.addContentToDictMappings(baseline)
                 
                 elif contentType == SecurityContentType.investigations:
-                    investigation = Investigation.model_validate(modelDict,context={"output_dto":self.output_dto})
+                    investigation = Investigation.model_validate(modelDict, context={"output_dto":self.output_dto})
                     self.output_dto.addContentToDictMappings(investigation)
 
                 elif contentType == SecurityContentType.stories:
-                    story = Story.model_validate(modelDict,context={"output_dto":self.output_dto})
+                    story = Story.model_validate(modelDict, context={"output_dto":self.output_dto})
                     self.output_dto.addContentToDictMappings(story)
             
                 elif contentType == SecurityContentType.detections:
-                    detection = Detection.model_validate(modelDict,context={"output_dto":self.output_dto, "app":self.input_dto.app})
+                    detection = Detection.model_validate(modelDict, context={"output_dto":self.output_dto, "app":self.input_dto.app})
                     self.output_dto.addContentToDictMappings(detection)
 
-                elif contentType == SecurityContentType.ssa_detections:
-                    self.constructSSADetection(self.ssa_detection_builder, self.output_dto,str(file))
-                    ssa_detection = self.ssa_detection_builder.getObject()
-                    if ssa_detection.status in [DetectionStatus.production.value, DetectionStatus.validation.value]:
-                        self.output_dto.addContentToDictMappings(ssa_detection)
-                
                 elif contentType == SecurityContentType.data_sources:
                     data_source = DataSource.model_validate(
                         modelDict, context={"output_dto": self.output_dto}
@@ -262,19 +243,3 @@ class Director():
                 f"The following {len(validation_errors)} error(s) were found during validation:\n\n{errors_string}\n\nVALIDATION FAILED"
             )
 
-    def constructSSADetection(
-        self,
-        builder: SSADetectionBuilder,
-        directorOutput: DirectorOutputDto,
-        file_path: str,
-    ) -> None:
-        builder.reset()
-        builder.setObject(file_path)
-        builder.addMitreAttackEnrichmentNew(directorOutput.attack_enrichment)
-        builder.addKillChainPhase()
-        builder.addCIS()
-        builder.addNist()
-        builder.addAnnotations()
-        builder.addMappings()
-        builder.addUnitTest()
-        builder.addRBA()

{contentctl-4.2.5 → contentctl-4.3.0}/contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -46,7 +46,7 @@ class Detection_Abstract(SecurityContentObject):
     status: DetectionStatus = Field(...)
     data_source: list[str] = []
     tags: DetectionTags = Field(...)
-    search: Union[str, dict[str, Any]] = Field(...)
+    search: str = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
 
@@ -65,11 +65,7 @@ class Detection_Abstract(SecurityContentObject):
 
     @field_validator("search", mode="before")
     @classmethod
-    def validate_presence_of_filter_macro(
-        cls,
-        value: Union[str, dict[str, Any]],
-        info: ValidationInfo
-    ) -> Union[str, dict[str, Any]]:
+    def validate_presence_of_filter_macro(cls, value:str, info:ValidationInfo)->str:
         """
         Validates that, if required to be present, the filter macro is present with the proper name.
         The filter macro MUST be derived from the name of the detection
@@ -83,12 +79,9 @@ class Detection_Abstract(SecurityContentObject):
 
         Returns:
             Union[str, dict[str,Any]]: The search, either in sigma or SPL format.
-        """
-
-        if isinstance(value, dict):
-            # If the search is a dict, then it is in Sigma format so return it
-            return value
-
+        """        
+        
+        
         # Otherwise, the search is SPL.
 
         # In the future, we will may add support that makes the inclusion of the
@@ -155,15 +148,16 @@ class Detection_Abstract(SecurityContentObject):
     @computed_field
     @property
     def datamodel(self) -> List[DataModel]:
-        if isinstance(self.search, str):
-            return [dm for dm in DataModel if dm.value in self.search]
-        else:
-            return []
+        return [dm for dm in DataModel if dm.value in self.search]
+        
+            
+    
 
     @computed_field
     @property
     def source(self) -> str:
         return self.file_path.absolute().parent.name
+        
 
     deployment: Deployment = Field({})
 
@@ -249,12 +243,9 @@ class Detection_Abstract(SecurityContentObject):
     @computed_field
     @property
     def providing_technologies(self) -> List[ProvidingTechnology]:
-        if isinstance(self.search, str):
-            return ProvidingTechnology.getProvidingTechFromSearch(self.search)
-        else:
-            # Dict-formatted searches (sigma) will not have providing technologies
-            return []
-
+        return ProvidingTechnology.getProvidingTechFromSearch(self.search)
+        
+    
     @computed_field
     @property
     def risk(self) -> list[dict[str, Any]]:
@@ -445,18 +436,13 @@ class Detection_Abstract(SecurityContentObject):
 
     @field_validator('lookups', mode="before")
     @classmethod
-    def getDetectionLookups(cls, v: list[str], info: ValidationInfo) -> list[Lookup]:
-        if info.context is None:
-            raise ValueError("ValidationInfo.context unexpectedly null")
-
-        director: DirectorOutputDto = info.context.get("output_dto", None)
-
-        search: Union[str, dict[str, Any], None] = info.data.get("search", None)
-        if not isinstance(search, str):
-            # The search was sigma formatted (or failed other validation and was None), so we will
-            # not validate macros in it
-            return []
-
+    def getDetectionLookups(cls, v:list[str], info:ValidationInfo) -> list[Lookup]:
+        director:DirectorOutputDto = info.context.get("output_dto",None)
+        
+        search:Union[str,None] = info.data.get("search",None)
+        if search is None:
+            raise ValueError("Search was None - is this file missing the search field?")
+        
         lookups = Lookup.get_lookups(search, director)
         return lookups
 
@@ -496,11 +482,9 @@ class Detection_Abstract(SecurityContentObject):
 
         director: DirectorOutputDto = info.context.get("output_dto", None)
 
-        search: str | dict[str, Any] | None = info.data.get("search", None)
-        if not isinstance(search, str):
-            # The search was sigma formatted (or failed other validation and was None), so we will
-            # not validate macros in it
-            return []
+        search: str | None = info.data.get("search", None)
+        if search is None:
+            raise ValueError("Search was None - is this file missing the search field?")
 
         search_name: Union[str, Any] = info.data.get("name", None)
         message = f"Expected 'search_name' to be a string, instead it was [{type(search_name)}]"
@@ -614,45 +598,43 @@ class Detection_Abstract(SecurityContentObject):
 
     @model_validator(mode="after")
     def search_observables_exist_validate(self):
-        if isinstance(self.search, str):
-
-            observable_fields = [ob.name.lower() for ob in self.tags.observable]
+        observable_fields = [ob.name.lower() for ob in self.tags.observable]
 
-            # All $field$ fields from the message must appear in the search
-            field_match_regex = r"\$([^\s.]*)\$"
+        # All $field$ fields from the message must appear in the search
+        field_match_regex = r"\$([^\s.]*)\$"
 
-            missing_fields: set[str]
-            if self.tags.message:
-                matches = re.findall(field_match_regex, self.tags.message.lower())
-                message_fields = [match.replace("$", "").lower() for match in matches]
-                missing_fields = set([field for field in observable_fields if field not in self.search.lower()])
-            else:
-                message_fields = []
-                missing_fields = set()
-
-            error_messages: list[str] = []
-            if len(missing_fields) > 0:
-                error_messages.append(
-                    "The following fields are declared as observables, but do not exist in the "
-                    f"search: {missing_fields}"
-                )
+        missing_fields: set[str]
+        if self.tags.message:
+            matches = re.findall(field_match_regex, self.tags.message.lower())
+            message_fields = [match.replace("$", "").lower() for match in matches]
+            missing_fields = set([field for field in observable_fields if field not in self.search.lower()])
+        else:
+            message_fields = []
+            missing_fields = set()
+
+        error_messages: list[str] = []
+        if len(missing_fields) > 0:
+            error_messages.append(
+                "The following fields are declared as observables, but do not exist in the "
+                f"search: {missing_fields}"
+            )
 
-            missing_fields = set([field for field in message_fields if field not in self.search.lower()])
-            if len(missing_fields) > 0:
-                error_messages.append(
-                    "The following fields are used as fields in the message, but do not exist in "
-                    f"the search: {missing_fields}"
-                )
+        missing_fields = set([field for field in message_fields if field not in self.search.lower()])
+        if len(missing_fields) > 0:
+            error_messages.append(
+                "The following fields are used as fields in the message, but do not exist in "
+                f"the search: {missing_fields}"
+            )
 
-            # NOTE: we ignore the type error around self.status because we are using Pydantic's
-            # use_enum_values configuration
-            # https://docs.pydantic.dev/latest/api/config/#pydantic.config.ConfigDict.populate_by_name
-            if len(error_messages) > 0 and self.status == DetectionStatus.production.value:         # type: ignore
-                msg = (
-                    "Use of fields in observables/messages that do not appear in search:\n\t- "
-                    "\n\t- ".join(error_messages)
-                )
-                raise ValueError(msg)
+        # NOTE: we ignore the type error around self.status because we are using Pydantic's
+        # use_enum_values configuration
+        # https://docs.pydantic.dev/latest/api/config/#pydantic.config.ConfigDict.populate_by_name
+        if len(error_messages) > 0 and self.status == DetectionStatus.production.value:         # type: ignore
+            msg = (
+                "Use of fields in observables/messages that do not appear in search:\n\t- "
+                "\n\t- ".join(error_messages)
+            )
+            raise ValueError(msg)
 
         # Found everything
         return self

{contentctl-4.2.5 → contentctl-4.3.0}/contentctl/objects/config.py

@@ -175,7 +175,6 @@ class validate(Config_Base):
                                                          "be avoided for performance reasons.")
     build_app: bool = Field(default=True, description="Should an app be built and output in the build_path?")
     build_api: bool = Field(default=False, description="Should api objects be built and output in the build_path?")
-    build_ssa: bool = Field(default=False, description="Should ssa objects be built and output in the build_path?")
     data_source_TA_validation: bool = Field(default=False, description="Validate latest TA information from Splunkbase")
 
     def getAtomicRedTeamRepoPath(self, atomic_red_team_repo_name:str = "atomic-red-team"):
@@ -577,7 +576,6 @@ class test_common(build):
         # output to dist. We have already built it!
         self.build_app = False
         self.build_api = False
-        self.build_ssa = False
         self.enrichments = False
         
         self.enable_integration_testing = True

{contentctl-4.2.5 → contentctl-4.3.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "contentctl"
-version = "4.2.5"
+version = "4.3.0"
 description = "Splunk Content Control Tool"
 authors = ["STRT <research@splunk.com>"]
 license = "Apache 2.0"
@@ -24,9 +24,6 @@ splunk-sdk = "^2.0.1"
 semantic-version = "^2.10.0"
 bottle = "^0.12.25"
 tqdm = "^4.66.4"
-#splunk-appinspect = "^2.36.0"
-pysigma = "^0.11.5"
-pysigma-backend-splunk = "^1.1.0"
 pygit2 = "^1.14.1"
 tyro = "^0.8.3"
 gitpython = "^3.1.43"

contentctl-4.2.5/contentctl/actions/convert.py

@@ -1,25 +0,0 @@
-
-import sys
-import shutil
-import os
-
-from dataclasses import dataclass
-
-from contentctl.input.sigma_converter import *
-from contentctl.output.yml_output import YmlOutput
-
-@dataclass(frozen=True)
-class ConvertInputDto:
-    sigma_converter_input_dto: SigmaConverterInputDto
-    output_path : str
-
-
-class Convert:
-
-    def execute(self, input_dto: ConvertInputDto) -> None:
-        sigma_converter_output_dto = SigmaConverterOutputDto([])
-        sigma_converter = SigmaConverter(sigma_converter_output_dto)
-        sigma_converter.execute(input_dto.sigma_converter_input_dto)
-
-        yml_output = YmlOutput()
-        yml_output.writeDetections(sigma_converter_output_dto.detections, input_dto.output_path)

contentctl-4.2.5/contentctl/input/backend_splunk_ba.py

@@ -1,144 +0,0 @@
-import re
-from sigma.conversion.state import ConversionState
-from sigma.rule import SigmaRule
-from sigma.conversion.base import TextQueryBackend
-from sigma.conversion.deferred import DeferredTextQueryExpression
-from sigma.conditions import ConditionFieldEqualsValueExpression, ConditionOR, ConditionAND, ConditionNOT, ConditionItem
-from sigma.types import SigmaCompareExpression
-from sigma.exceptions import SigmaFeatureNotSupportedByBackendError
-from sigma.pipelines.splunk.splunk import splunk_sysmon_process_creation_cim_mapping, splunk_windows_registry_cim_mapping, splunk_windows_file_event_cim_mapping
-
-from contentctl.objects.ssa_detection import SSADetection
-
-from typing import ClassVar, Dict, List, Optional, Pattern, Tuple
-
-
-class SplunkBABackend(TextQueryBackend):
-    """Splunk SPL backend."""
-    precedence: ClassVar[Tuple[ConditionItem, ConditionItem, ConditionItem]] = (ConditionNOT, ConditionOR, ConditionAND)
-    group_expression : ClassVar[str] = "({expr})"
-    parenthesize : bool = True
-
-    or_token : ClassVar[str] = "OR"
-    and_token : ClassVar[str] = "AND"
-    not_token : ClassVar[str] = "NOT"
-    eq_token : ClassVar[str] = "="
-
-    field_quote: ClassVar[str] = '"'
-    field_quote_pattern: ClassVar[Pattern] = re.compile("^[\w.]+$")
-
-    str_quote : ClassVar[str] = '"'
-    escape_char : ClassVar[str] = "\\"
-    wildcard_multi : ClassVar[str] = "%"
-    wildcard_single : ClassVar[str] = "%"
-    add_escaped : ClassVar[str] = "\\"
-
-    re_expression : ClassVar[str] = "match({field}, /(?i){regex}/)=true"
-    re_escape_char : ClassVar[str] = ""
-    re_escape : ClassVar[Tuple[str]] = ('"',)
-
-    cidr_expression : ClassVar[str] = "{value}"
-
-    compare_op_expression : ClassVar[str] = "{field}{operator}{value}"
-    compare_operators : ClassVar[Dict[SigmaCompareExpression.CompareOperators, str]] = {
-        SigmaCompareExpression.CompareOperators.LT  : "<",
-        SigmaCompareExpression.CompareOperators.LTE : "<=",
-        SigmaCompareExpression.CompareOperators.GT  : ">",
-        SigmaCompareExpression.CompareOperators.GTE : ">=",
-    }
-
-    field_null_expression : ClassVar[str] = "{field} IS NOT NULL"
-
-    convert_or_as_in : ClassVar[bool] = True
-    convert_and_as_in : ClassVar[bool] = False
-    in_expressions_allow_wildcards : ClassVar[bool] = False
-    field_in_list_expression : ClassVar[str] = "{field} {op} ({list})"
-    or_in_operator : ClassVar[Optional[str]] = "IN"
-    list_separator : ClassVar[str] = ", "
-
-    unbound_value_str_expression : ClassVar[str] = '{value}'
-    unbound_value_num_expression : ClassVar[str] = '{value}'
-    unbound_value_re_expression : ClassVar[str] = '{value}'
-
-    deferred_start : ClassVar[str] = " "
-    deferred_separator : ClassVar[str] = " OR "
-    deferred_only_query : ClassVar[str] = "*"
-
-    wildcard_match_expression : ClassVar[Optional[str]] = "{field} LIKE {value}"
-
-
-    def __init__(self, processing_pipeline: Optional["sigma.processing.pipeline.ProcessingPipeline"] = None, collect_errors: bool = False, min_time : str = "-30d", max_time : str = "now", detection : SSADetection = None, field_mapping: dict = None, **kwargs):
-        super().__init__(processing_pipeline, collect_errors, **kwargs)
-        self.min_time = min_time or "-30d"
-        self.max_time = max_time or "now"
-        self.detection = detection
-        self.field_mapping = field_mapping
-
-    def finalize_query_data_model(self, rule: SigmaRule, query: str, index: int, state: ConversionState) -> str:
-
-        try:
-            fields = state.processing_state["fields"]
-        except KeyError:
-            raise SigmaFeatureNotSupportedByBackendError("No fields specified by processing pipeline")
-
-        # fields_input_parsing = ''
-        # for count, value in enumerate(fields):
-        #     fields_input_parsing = fields_input_parsing + value + '=ucast(map_get(input_event, "' + value + '"), "string", null)'
-        #     if not count == len(fields) - 1:
-        #         fields_input_parsing = fields_input_parsing + ', '
-
-        detection_str = """
-$main = from source 
-| eval timestamp = time 
-| eval metadata_uid = metadata.uid 
-""".replace("\n", " ")
-
-        parsed_fields = [] 
-
-        for field in self.field_mapping["mapping"].keys():
-            mapped_field = self.field_mapping["mapping"][field]
-            parent = 'parent'
-            i = 1
-            values = mapped_field.split('.')
-            for val in values:
-                if parent == "parent":
-                    parent = val
-                    continue
-                else:
-                    new_val = parent + '_' + val
-                if new_val in parsed_fields:
-                    parent = new_val
-                    i = i + 1
-                    continue
-
-                
-                new_val_equals = new_val + "="
-                new_val_IN = new_val + " IN"
-                if new_val_equals in query or new_val_IN in query:
-                    parser_str = '| eval ' + new_val + ' = ' + 'lower(' + parent + '.' + val + ') '
-                else:
-                    parser_str = '| eval ' + new_val + ' = ' +  parent + '.' + val + ' '
-                detection_str = detection_str + parser_str
-                parsed_fields.append(new_val)
-                parent = new_val
-                i = i + 1
-
-
-        ### Convert sigma values into lower case
-        lower_query = ""
-        in_quotes = False
-        for char in query:
-            if char == '"':
-                in_quotes = not in_quotes
-            if in_quotes:
-                lower_query += char.lower()
-            else:
-                lower_query += char
-
-        detection_str = detection_str + "| where " + lower_query
-
-        detection_str = detection_str.replace("\\\\\\\\", "\\\\")
-        return detection_str
-
-    def finalize_output_data_model(self, queries: List[str]) -> List[str]:
-        return queries