clicksiem/pySigma-backend-clickhouse

# pySigma Clickhouse 后端 这是 pySigma 的 Clickhouse 后端。它提供了 `sigma.backends.clickhouse` 包以及其中的 `ClickhouseBackend` 类。 它支持以下 Sigma 规则的输出格式： * `default`：纯 Clickhouse SQL 查询 * `clickdetect`：适用于 [clickdetect](https://github.com/clicksiem/clickdetect) 的规则格式 # 使用说明 ### 将 Sigma 转换为 Clickhouse ``` from sigma.backends.clickhouse.clickhouse import ClickhouseBackend from sigma.collection import SigmaCollection rule = """ title: Run Whoami Showing Privileges id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b status: experimental description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth date: 2021/05/05 modified: 2022/05/13 tags: - attack.privilege_escalation - attack.discovery - attack.t1033 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\whoami.exe' - OriginalFileName: 'whoami.exe' selection_cli: CommandLine|contains: '/priv' condition: all of selection* falsepositives: - Administrative activity (rare lookups on current privileges) level: high """ backend = ClickhouseBackend() rule_sigma = SigmaCollection.from_yaml(rule) print(backend.convert(rule_sigma)[0]) ``` # 维护者 由 `souzo` 创建并维护 - [GitHub主页](https://github.com/souzomain) - [Medium专栏](https://medium.com/@souzo) # 开发 设置您的开发环境 ``` uv sync source .venv/bin/activate ```

标签：ATT&CK框架, clickdetect, Clickhouse数据库, pySigma框架, Python编程, Sigma规则, URL发现, 后端实现, 安全检测, 技术T1033, 查询生成, 目标导入, 规则转换, 逆向工具