This is the Red Canary LinuxEDR pipeline for pySigma. It contains the processing pipeline sigma.pipelines.rclinuxedr
for field renames and error handling. The following examples use the default Elasticsearch output but this pipeline can be paired with any backend depending on where the LinuxEDR telemetry is being stored (e.g. Elasticsearch, Splunk, OpenSearch, etc.).
This pipeline is currently maintained by:
This can be installed via pip from PyPI or using pySigma's plugin functionality:

```bash
pip install pysigma-pipeline-rclinuxedr
```
```python
from sigma.plugins import SigmaPluginDirectory
plugins = SigmaPluginDirectory.default_plugin_directory()
plugins.get_plugin_by_id("rclinuxedr").install()
```
```bash
sigma convert -t elasticsearch -p rclinuxedr proc_creation_lnx_at_command.yml
```
```python
from sigma.backends.elasticsearch import LuceneBackend
from sigma.pipelines.rclinuxedr import RCLinuxEDR_pipeline
from sigma.rule import SigmaRule

# YAML is indentation-sensitive, so the nested keys must be indented.
rule = SigmaRule.from_yaml("""
title: Mimikatz CommandLine
status: test
logsource:
    category: process_creation
    product: linux
detection:
    sel:
        CommandLine|contains: mimikatz
    condition: sel""")

backend = LuceneBackend(RCLinuxEDR_pipeline())
print(backend.convert_rule(rule)[0])
```
- Pipeline uses RC Linux EDR field names
- Pipeline only supports the `linux` product type
- Pipeline supports the following category types for field mappings:
  - process_creation
  - network_connection
  - firewall
- Pipeline supports the following fields:
  - CommandLine
  - CurrentDirectory
  - DestinationHostname
  - DestinationIp
  - DestinationgIsIPv6
  - DestinationPort
  - DstIP
  - DstPort
  - Initiated
  - IpAddress
  - ParentImage
  - ParentImagePath
  - ParentProcessId
  - ProcessId
  - Protocol
  - SrcIp
  - SrcPort
  - SourceHostname
  - SourceIp
  - SourceIsIPv6
  - SourcePort
  - User
  - dst_host
  - dst_ip
  - dst_port
  - md5
  - sha256
  - src_host
  - src_ip
  - src_port
- Any unsupported fields or categories will throw errors
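Because unsupported products, categories or fields raise errors at conversion time, it helps to validate a rule set before running `sigma convert`. The following is an added example, not the pipeline's own code: a stand-alone pre-flight check that applies the support matrix listed above to a parsed Sigma rule (a plain dict, as `yaml.safe_load` returns) and raises for anything this pipeline would reject; `UnsupportedRuleError`, `check_rule` and the sample rules are constructed for illustration.

```python
# Constructed pre-flight check modelled on the support matrix in this README.
# It is not the pipeline's own code: it applies the same product, category and
# field constraints to a parsed Sigma rule (a dict, as yaml.safe_load returns).
SUPPORTED_PRODUCTS = {"linux"}
SUPPORTED_CATEGORIES = {"process_creation", "network_connection", "firewall"}
SUPPORTED_FIELDS = {
    "CommandLine", "CurrentDirectory", "DestinationHostname", "DestinationIp",
    "DestinationgIsIPv6", "DestinationPort", "DstIP", "DstPort", "Initiated",
    "IpAddress", "ParentImage", "ParentImagePath", "ParentProcessId",
    "ProcessId", "Protocol", "SrcIp", "SrcPort", "SourceHostname", "SourceIp",
    "SourceIsIPv6", "SourcePort", "User", "dst_host", "dst_ip", "dst_port",
    "md5", "sha256", "src_host", "src_ip", "src_port",
}


class UnsupportedRuleError(ValueError):
    """The rule uses a product, category or field the pipeline does not map."""


def field_name(key: str) -> str:
    # Detection keys may carry Sigma modifiers, e.g. "CommandLine|contains|all".
    return key.split("|", 1)[0]


def detection_fields(item):
    # A selection is a dict, or a list of dicts (OR-ed maps). Plain keyword
    # lists carry no field names, so they yield nothing here.
    if isinstance(item, dict):
        yield from (field_name(key) for key in item)
    elif isinstance(item, list):
        for entry in item:
            yield from detection_fields(entry)


def check_rule(rule: dict) -> list:
    """Return the supported fields the rule uses, or raise UnsupportedRuleError."""
    logsource = rule.get("logsource", {})
    product, category = logsource.get("product"), logsource.get("category")
    if product not in SUPPORTED_PRODUCTS:
        raise UnsupportedRuleError(f"unsupported product: {product!r}")
    if category not in SUPPORTED_CATEGORIES:
        raise UnsupportedRuleError(f"unsupported category: {category!r}")
    used = []
    for name, item in rule.get("detection", {}).items():
        if name == "condition":  # references selections, not fields
            continue
        for field in detection_fields(item):
            if field not in SUPPORTED_FIELDS:
                raise UnsupportedRuleError(f"unsupported field {field!r} in {name!r}")
            used.append(field)
    return used
```

Run `check_rule` over each loaded rule before conversion; a raised `UnsupportedRuleError` names the offending product, category or field so the rule can be fixed or excluded rather than failing mid-batch.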