This is the SQLite backend for pySigma. It provides the package sigma.backends.sqlite with the sqliteBackend class.
This backend also aims to be compatible with Zircolite which uses pure SQLite queries to perform SIGMA-based detection on EVTX, Auditd, Sysmon for linux, XML or JSONL/NDJSON Logs.
It supports the following output formats:
- default: plain SQLite queries
- zircolite : SQLite queries in JSON format for Zircolite
This backend is currently maintained by:
| Modifier | Description | SQLite Implementation |
|---|---|---|
contains |
Substring matching | LIKE '%value%' |
startswith |
Prefix matching | LIKE 'value%' |
endswith |
Suffix matching | LIKE '%value' |
all |
All values must match | Multiple AND conditions |
re |
Regular expressions | REGEXP |
cidr |
CIDR network matching | Expanded to LIKE patterns |
cased |
Case-sensitive matching | GLOB |
fieldref |
Compare two fields | field1=field2 or with LIKE for startswith/endswith/contains |
exists |
Field existence check | field = field |
gt, gte, lt, lte |
Numeric comparisons | >, >=, <, <= |
hour, minute, day, week, month, year |
Timestamp part extraction | strftime() |
The backend supports Sigma correlation rules with the following types:
| Correlation Type | Description |
|---|---|
event_count |
Count events matching conditions |
value_count |
Count distinct field values |
temporal |
Events from multiple rules occurring within a timespan |
temporal_ordered |
Events occurring in a specific order within a timespan |
value_sum |
Sum of field values |
value_avg |
Average of field values |
Correlation rules support group-by for grouping results and timespan for temporal constraints.
For correlation rules to work properly, your SQLite database must meet the following requirements:
| Requirement | Description |
|---|---|
| Timestamp field | Required for temporal correlations. Must be in a format compatible with SQLite's julianday() function (ISO8601, Julian day number, or Unix timestamp) |
Configurable Parameters:
The backend provides configurable parameters for correlation queries:
| Parameter | Default | Description |
|---|---|---|
timestamp_field |
timestamp |
Field name containing the event timestamp |
Example usage with custom parameters:
backend = sqliteBackend(correlation_methods=["default"])
backend.timestamp_field = "event_time"Notes:
- The timestamp field is used with
julianday()for time difference calculations in temporal correlations - For multi-rule correlations (
temporal,temporal_ordered), the backend automatically adds asigma_rule_idcolumn to identify which rule matched each event - Timespan values are converted to seconds internally for comparison
- NULL value handling:
field: null→field IS NULL - Boolean values:
true/falsesupport - Field name quoting: Special characters in field names are quoted with backticks
- Wildcard escaping: Proper escaping of
%and_characters in values
- Full text search support will need some work and is not a priority since it needs virtual tables on SQLite side
poetry add pysigma-pipeline-sysmon
poetry add pysigma-pipeline-windowsfrom sigma.collection import SigmaCollection
from sigma.backends.sqlite import sqlite
from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.pipelines.windows import windows_logsource_pipeline
from sigma.processing.resolver import ProcessingPipelineResolver
# Create the pipeline resolver
piperesolver = ProcessingPipelineResolver()
# Add pipelines
piperesolver.add_pipeline_class(sysmon_pipeline()) # Syssmon
piperesolver.add_pipeline_class(windows_logsource_pipeline()) # Windows
# Create a combined pipeline
combined_pipeline = piperesolver.resolve(piperesolver.pipelines)
# Instantiate backend using the combined pipeline
sqlite_backend = sqlite.sqliteBackend(combined_pipeline)
rule = SigmaCollection.from_yaml(
r"""
title: Test
status: test
logsource:
category: test_category
product: test_product
detection:
sel:
fieldA: valueA
fieldB: valueB
condition: sel
""")
print(sqlite_backend.convert(rule)[0])poetry run python3 example.py