Pre-Release Qradar Backend

[nNipsx-Sec]

Hi @thomaspatzke,

I have pre-release Qradar Backend with new module for generate extensions for easier deploy rules in this SIEM. Can you check it in this link https://github.com/nNipsx-Sec/pySigma-backend-qradar

With pipeline of Qradar, now i can't list and mapping all field so i'll try update full field in near future

With new feature for Qradar is Extensions:

• I have build base on offense with create 1 Building block (corresponding with 1 sigma rules) and 1 rules contain this building block for easier manage and add whitelist when tuning rules.
• I have build some mapping with QID and Log Source instead of using full AQL => Increase performance Qradar when working

This backend i build base on Splunk Backend and maybe it's have some issue please tell me so i'll fix soon ASP

Thanks,
Hope so it's helpful for Community.

[thomaspatzke]

Hi! At a first glance this already looks very good! Will look more deeply into later and start to integrate it into Sigma CLI. I'm sure this will be very useful for Sigma QRadar users!

[nNipsx-Sec]

Waiting for good news :D, so in this backend i forgot comment process timespan field and pytest will be update soon.

Please let me know if issue in this backend thanks !

[nasbench]

Already integrated in sigma cli - See https://github.com/SigmaHQ/pySigma-plugin-directory/blob/main/pySigma-plugins-v1.json#L88-L96