Merge pull request SigmaHQ#1476 from wagga40/master

Change to have raw log in rule results with SQL/SQlite Backends
stboissdev · May 14, 2021 · bd81adc · bd81adc
2 parents 30bee72 + 972f7a5
commit bd81adc
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 14 deletions.
diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py
@@ -1,6 +1,7 @@
 # Output backends for sigmac
 # Copyright 2019 Jayden Zheng
 # Copyright 2020 Jonas Hagg
+# Copyright 2021 wagga (https://github.com/wagga40/)
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
@@ -169,10 +170,10 @@ def generateAggregation(self, agg, where_clausel):
                 group_by = ""
 
             if agg.aggfield:
-                select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
+                select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
             else:
                 if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
-                    select = "{}(*) AS agg".format(agg.aggfunc_notrans)
+                    select = "*,{}(*) AS agg".format(agg.aggfunc_notrans)
                 else:
                     raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans))
 

diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py
@@ -125,71 +125,71 @@ def test_aggregations(self):
         # count
         detection = {"selection": {"fieldname": "test"},
                      "condition": "selection | count() > 5"}
-        inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
+        inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # min
         detection = {"selection": {"fieldname1": "test"},
                      "condition": "selection | min(fieldname2) > 5"}
-        inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # max
         detection = {"selection": {"fieldname1": "test"},
                      "condition": "selection | max(fieldname2) > 5"}
-        inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # avg
         detection = {"selection": {"fieldname1": "test"},
                      "condition": "selection | avg(fieldname2) > 5"}
-        inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # sum
         detection = {"selection": {"fieldname1": "test"},
                      "condition": "selection | sum(fieldname2) > 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # <
         detection = {"selection": {"fieldname1": "test"},
                      "condition": "selection | sum(fieldname2) < 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # ==
         detection = {"selection": {"fieldname1": "test"},
                      "condition": "selection | sum(fieldname2) == 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # group by
         detection = {"selection": {"fieldname1": "test"},
                      "condition": "selection | sum(fieldname2) by fieldname3 == 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # multiple conditions
         detection = {"selection": {"fieldname1": "test"}, "filter": {
             "fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"}
-        inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
+        inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
         self.validate(detection, expected_result)

diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py
@@ -71,22 +71,22 @@ def test_full_text_search_aggregation(self):
         # aggregation with fts
         detection = {"selection": ["test"],
                      "condition": "selection | count() > 5"}
-        inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
+        inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         detection = {"selection": ["test1", "test2"],
                      "condition": "selection | count() > 5"}
-        inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
+        inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)
 
         # aggregation + group by + fts
         detection = {"selection": ["test1", "test2"],
                      "condition": "selection | count() by fieldname > 5"}
-        inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
+        inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
             self.table)
         expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
         self.validate(detection, expected_result)