Pysigma-backend-kusto

What's Changed
* add: mapped GrandParentImage with InitiatingProcessParentFileName by 0xFustang in https://github.com/AttackIQ/pySigma-backend-kusto/pull/30
* add: EventID to query_table mappings by slincoln-aiq in https://github.com/AttackIQ/pySigma-backend-kusto/pull/32
* Previously, the `query_table` was selected by `logsource.category`, or provided by the user via a pipeline or pipeline arg. `query_table` is required in order for fieldmappings and valid query tables in the final query. This new feature also allows `query_table` to be set if an EventID is present in any `selection` detection sections and `logsource.category` is missing and the `query_table` is not supplied by the user. This allows for more rules to be translated to KQL queries
* fix: `SigmaNumber` conversion errors when in a grouped as-in expression of mixed types by slincoln-aiq in https://github.com/AttackIQ/pySigma-backend-kusto/pull/32
* This fixes 29
* Minor formatting with black/ruff

New Contributors
* 0xFustang made their first contribution in https://github.com/AttackIQ/pySigma-backend-kusto/pull/30

**Full Changelog**: https://github.com/AttackIQ/pySigma-backend-kusto/compare/v0.4.2...v0.4.3

🚀 Release Notes

🐛 Bug Fixes

- **query_table param fix**: Resolved issue where `query_table` would not persist when provided in another pipeline merged by `sigma-cli`

🚀 Release Notes

🐛 Bug Fixes

- **Keyword Detection Items**: Resolved an issue where "Invalid SigmaDetectionItem field name encountered: None" was incorrectly raised for keyword detection items. (Fixes 27 )

- **Table Name Prepending**: Fixed a bug where table names were only prepended to queries in `SigmaCollection` objects and not `SigmaRule` objects. This was addressed by implementing a postprocessing item on each rule instead of using a finalizer. (Fixes 28 )

🧪 Testing Improvements

- **Comprehensive Test Coverage**: Added tests to cover both SigmaCollection and SigmaRule objects for all pipelines, ensuring more robust functionality across different use cases.

📚 Documentation

- **README Update**: The README file has been updated to reflect recent changes and provide more accurate information.

🛠 Maintenance

- **Code Formatting**: Applied minor formatting updates.

- **Development Dependencies**: Updated the dev dependency group in pyproject.toml.

🚀 Release Notes

🌟 Major Changes

🛡️ Microsoft XDR Pipeline (formerly Microsoft 365 Defender)
- 🔄 Microsoft 365 Defender pipeline renamed to Microsoft XDR
- ⚠️ Users should migrate to the new Microsoft XDR pipeline

🆕 Azure Monitor Pipeline (NEW!)
- 🧪 New Azure Monitor pipeline introduced (alpha status)
- 🗃️ Supports field mappings for SecurityEvents and SigninLogs tables
- 📊 All 698 Azure Monitor tables supported in final queries

🔍 Enhanced Sentinel ASIM Pipeline (Beta)
- 🔑 Additional field mappings added (beta status)

📈 Expanded Table Support
- Microsoft XDR: 38 tables
- Sentinel ASIM: 8 tables
- Azure Monitor: 698 tables

🏗️ Codebase Refactoring
- 🧱 Improved organization and structure
- 🔄 Better sharing of components across pipelines

✨ New Features

🎛️ Custom Table Name Support
- 🆕 Set custom table names with `query_table` parameter
- 🐍 Configurable via YAML or Python

🔀 Flexible Rule Category Handling
- 🚫 "Unsupported rule category" error suppressed when the following conditions are met:
- Rule category is absent or category not in `mappings.py` for each pippeline
- A valid table is supplied via `query_table` param

🛠️ Technical Improvements

📜 Table Generation Scripts
- 🤖 New scripts in `utils` folder
- 🔄 Auto-populate valid tables and field schema in `tables.py` for each pipeline

🗺️ Field Mappings
- 🔨 Ongoing improvements for all pipelines

📊 Rule-to-Table Mapping
- 🚧 Work in progress on advanced mapping methods

📚 Documentation

- 📝 Updated README with `query_table` usage
- 💡 New examples for YAML and Python implementations
- FAQ/Troubleshooting section

⚠️ Deprecation Notices

- 🚫 Microsoft 365 Defender pipeline is deprecated
- 🔜 Users should migrate to Microsoft XDR pipeline

🔮 Future Work

- 🔍 Expanding field mappings across pipelines
- 🧠 Developing sophisticated rule-to-table mapping
- 🔧 Refining Azure Monitor and Sentinel ASIM pipelines

📘 Please refer to the updated README for detailed usage instructions and examples of the new features.

🐛 Bug Fixes

🛡️ Sentinel ASIM Pipeline
- Resolved issues with the `sentinelasim` pipeline, improving its stability and reliability.
- Fixes 25

🧪 Testing Improvements

📊 Sentinel ASIM Pipeline
- Added basic test coverage for the `sentinelasim` pipeline, enhancing our ability to catch potential issues early.

🔮 Ongoing Development

We're actively working on expanding and refining our pipeline support:

- The `sentinelasim` pipeline and other pipelines are under active development.
- We're continuously adding more tables and features to these pipelines.
- We're also working on refactoring the codebase to make it more organized and easier to contribute to
- Your patience and feedback during this process are greatly appreciated!