Pysigma-backend-kusto

Latest version: v0.4.3

Page 2 of 3

0.3.1

🏷️ Repository Rename
We've renamed the repository from `pySigma-backend-microsoft365defender` to `pySigma-backend-kusto`. This change reflects our expanded focus on supporting the Kusto Query Language (KQL) as a backend for various platforms.

🆕 New Features

📊 Sentinel ASIM Pipeline
- Introduced the `sentinel_asim` pipeline, providing initial beta support for the Sentinel Advanced Security Information Model (ASIM) tables. (Thanks adonm!)

🛠️ Backend Enhancements
- Renamed `Microsoft365DefenderBackend` to `KustoBackend` for clarity and broader applicability.
- The `microsoft_365_defender_pipeline` is no longer automatically applied by the backend, allowing for more flexible configurations.

🔧 Microsoft 365 Defender Pipeline Improvements
- Table renaming is now performed within the pipeline rather than the backend.
- Added the ability to override Sigma Rule category -> table name mappings with a custom `query_table` parameter.

📘 Usage Example
For details on using custom table names, see the [README](https://github.com/AttackIQ/pySigma-backend-kusto?tab=readme-ov-file#%EF%B8%8F-custom-table-names-new-in-030-experimental).

🔮 Future Plans
We're actively working on expanding support for additional KQL-based platforms. Stay tuned for updates on Microsoft XDR and other integrations!

🙏 Acknowledgements
Special thanks to the SigmaHQ Discord community for their valuable input on the repository direction.

0.2.6

What's Changed
* Update microsoft365defender.py by adonm in https://github.com/AttackIQ/pySigma-backend-microsoft365defender/pull/19
* Ignores the "Initiated" field in network connections, since for endpoints almost all events are outbound
* Increased pinned `certifi` dependency version

New Contributors
* adonm made their first contribution in https://github.com/AttackIQ/pySigma-backend-microsoft365defender/pull/19

**Full Changelog**: https://github.com/AttackIQ/pySigma-backend-microsoft365defender/compare/v0.2.4...v0.2.5

0.2.4

- Fixed issue 13 where the '*' character was being escaped incorrectly in CommandLine strings
- Fixed issue 14 where Sigma wildcards ('*', '?') in the middle of a string would create nonsense queries
- Since KQL string operators have no wildcard syntax, any wildcard found inside a Sigma rule value (not at the beginning or end) now causes the value to be split at the wildcard, with a `contains` test emitted for each substring.
- Example: a CommandLine field with a value of `advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any` will be converted to `(ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any")`

0.2.3

- Fixed issue 11 by adding more verbose error handling and hash algorithm parsing in 'Hashes' field
- Loosened pySigma pinned version to allow compatibility with pySigma >= 0.11.0

0.2.2

- Increased supported pySigma version to `>= 0.9.0, <= 0.10.6`

0.2.1

- Pinned `certifi` version to `2023.07.22` to fix [CVE-2023-37920](https://github.com/advisories/GHSA-xqr8-7jwr-rhp7/dependabot)

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.