## Imports

Install the required libraries using the following command: 


!pip install -r requirements.txt

In [None]:
import json
import pandas as pd
import numpy as np

## Prerequisites

In [None]:
df = pd.read_csv("EID1.csv")

### Extract EID1 Fields from Message(If you're getting data from Elastic)

In [None]:
#df = data

def extract_fields(message):
    fields = {
        'Image': None,
        'OriginalFileName': None,
        'CommandLine': None,
        'CurrentDirectory': None,
        'User': None,
        'ParentImage': None,
        'ParentCommandLine': None
    }
    
    if isinstance(message, str):
        for line in message.split('\n'):
            if line.startswith('Image: '):
                fields['Image'] = line.split('Image: ')[1]
            elif line.startswith('OriginalFileName: '):
                fields['OriginalFileName'] = line.split('OriginalFileName: ')[1]
            elif line.startswith('CommandLine: '):
                fields['CommandLine'] = line.split('CommandLine: ')[1]
            elif line.startswith('CurrentDirectory: '):
                fields['CurrentDirectory'] = line.split('CurrentDirectory: ')[1]
            elif line.startswith('User: '):
                fields['User'] = line.split('User: ')[1]
            elif line.startswith('ParentImage: '):
                fields['ParentImage'] = line.split('ParentImage: ')[1]
            elif line.startswith('ParentCommandLine: '):
                fields['ParentCommandLine'] = line.split('ParentCommandLine: ')[1]
    
    return pd.Series(fields)

extracted_df = df['message'].apply(extract_fields)

df = pd.concat([df, extracted_df], axis=1)

df.drop(columns=['message'], inplace=True)

df 

### Extract EID3 Fields from Message(If you're getting data from Elastic)

In [None]:

def extract_fields(message):
    fields = {
        'Image': None,
        'SourceIp': None,
        'SourceHostname': None,
        'SourcePort': None,
        'User': None,
        'DestinationIp': None,
        'DestinationHostname': None,
        'DestinationPort': None
    }
    
    if isinstance(message, str):
        for line in message.split('\n'):
            if line.startswith('Image: '):
                fields['Image'] = line.split('Image: ')[1]
            elif line.startswith('SourceIp: '):
                fields['SourceIp'] = line.split('SourceIp: ')[1]
            elif line.startswith('SourceHostname: '):
                fields['SourceHostname'] = line.split('SourceHostname: ')[1]
            elif line.startswith('SourcePort: '):
                fields['SourcePort'] = line.split('SourcePort: ')[1]
            elif line.startswith('User: '):
                fields['User'] = line.split('User: ')[1]
            elif line.startswith('DestinationIp: '):
                fields['DestinationIp'] = line.split('DestinationIp: ')[1]
            elif line.startswith('DestinationHostname: '):
                fields['DestinationHostname'] = line.split('DestinationHostname: ')[1]
            elif line.startswith('DestinationPort: '):
                fields['DestinationPort'] = line.split('DestinationPort: ')[1]
    
    return pd.Series(fields)

extracted_df = df['message'].apply(extract_fields)

df = pd.concat([df, extracted_df], axis=1)

df.drop(columns=['message'], inplace=True)

df 

### Extract EID11 Fields from Message(If you're getting data from Elastic)

In [None]:

def extract_fields(message):
    fields = {
        'Image': None,
        'TargetFilename': None,
        'User': None
    }
    
    if isinstance(message, str):
        for line in message.split('\n'):
            if line.startswith('Image: '):
                fields['Image'] = line.split('Image: ')[1]
            elif line.startswith('TargetFilename: '):
                fields['TargetFilename'] = line.split('TargetFilename: ')[1]
            elif line.startswith('User: '):
                fields['User'] = line.split('User: ')[1]
    
    return pd.Series(fields)

extracted_df = df['message'].apply(extract_fields)

df = pd.concat([df, extracted_df], axis=1)

df.drop(columns=['message'], inplace=True)

df 

## Credential Dumping

In [6]:
# Define the lists
credential_dumping_cmd = ['crypto::certificates', 'kerberos::golden', 'kerberos::list', 'kerberos::ptt', 'lsadump::dcsync', 'lsadump::lsa', 'lsadump::sam', 'lsadump::secrets', 'mimidrv.sys', 'mimikatz', 'mimilib', 'sekurlsa::logonpasswords', 'token::elevate', 'token::list']

credential_dumping_cmds_combo = [
    ['procdump', '-ma'],
    ['rdrleakdiag.exe', 'fullmemdmp'],
    ['tttracer.exe', '-dumpfull']
]


# Check if any of the commands in credential_dumping_cmd exist
cmds_exist = df['CommandLine'].apply(lambda x: any(cmd in str(x) for cmd in credential_dumping_cmd) if x is not None else False)
#print(df[cmds_exist])


# Check if all elements of any combo exist in a row
def check_combos(command, combo_list):

    if command is None:
        return False
    command = str(command)

    for combo in combo_list:
        if all(keyword in command for keyword in combo):
            return True
    return False

combo_cmds_exist = df['CommandLine'].apply(lambda x: check_combos(x, credential_dumping_cmds_combo))


## print the alerts(if any)
df[cmds_exist]
#df[combo_cmds_exist]

Unnamed: 0,computer_name,event_id,Image,OriginalFileName,CommandLine,CurrentDirectory,User,ParentImage,ParentCommandLine
56,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,PowerShell.EXE,"""C:\Windows\System32\WindowsPowerShell\v1.0\po...",C:\Users\JOHNNY~1.DOU\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
90,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\cmd.exe,Cmd.Exe,"""C:\Windows\system32\cmd.exe"" /c echo %%tmp%%\...",C:\Users\johnny.douche\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
163,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,PowerShell.EXE,"""C:\Windows\System32\WindowsPowerShell\v1.0\po...",C:\Users\JOHNNY~1.DOU\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
164,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\cmd.exe,Cmd.Exe,"""C:\Windows\system32\cmd.exe"" /c echo C:\Atomi...",C:\Users\johnny.douche\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
428,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\cmd.exe,Cmd.Exe,"""C:\Windows\system32\cmd.exe"" /c echo %%tmp%%\...",C:\Users\johnny.douche\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
446,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,PowerShell.EXE,"""C:\Windows\System32\WindowsPowerShell\v1.0\po...",C:\Users\JOHNNY~1.DOU\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
821,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,PowerShell.EXE,"""C:\Windows\System32\WindowsPowerShell\v1.0\po...",C:\Users\JOHNNY~1.DOU\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
866,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\cmd.exe,Cmd.Exe,"""C:\Windows\system32\cmd.exe"" /c echo %%tmp%%\...",C:\Users\johnny.douche\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
941,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,PowerShell.EXE,"""C:\Windows\System32\WindowsPowerShell\v1.0\po...",C:\Users\JOHNNY~1.DOU\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."
979,MY-CAL-WIN10.my-caldera.local,1,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,PowerShell.EXE,"""C:\Windows\System32\WindowsPowerShell\v1.0\po...",C:\Users\JOHNNY~1.DOU\AppData\Local\Temp\,MY-CALDERA\johnny.douche,C:\Windows\System32\WindowsPowerShell\v1.0\pow...,"""C:\Windows\System32\WindowsPowerShell\v1.0\po..."


## Abusing Windows Telemetry For Persistence
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.

In [None]:
import pandas as pd

# Load the data
df = pd.read_csv('EID1_extracted.csv')

# Apply filters
filtered_df = df[
    #(df['source_name'] == 'Microsoft-Windows-Sysmon') &
    (df['event_id'] == 1) &
    (
        df['CommandLine'].str.lower().str.contains('schtasks') |
        df['CommandLine'].str.lower().str.contains(r'\\application experience\\microsoft compatibility appraiser')
    ) &
    ~(
        df['User'].str.lower().str.contains('authori') |
        df['User'].str.lower().str.contains('autori')
    )
]

result_df = filtered_df[['computer_name', 'ParentImage', 'ParentCommandLine', 'Image', 'CommandLine', 'OriginalFileName', 'CurrentDirectory', 'User']]

result_df

## EID1 to Sigma Converter

In [2]:
import yaml

def sigma_to_python(sigma_rule_path, log_file='EID1_extracted.csv', output_file='generated_code.py'):
    # Load the Sigma rule from a YAML file
    with open(sigma_rule_path, 'r') as f:
        sigma_rule = yaml.safe_load(f)

    detection = sigma_rule.get('detection', {})
    conditions = detection.get('condition', '')

    # Start generating Python code
    python_code = f"""
import pandas as pd

# Load the logs from the CSV file
log_file = '{log_file}'
df = pd.read_csv(log_file)

# Applying Sigma Rule: {sigma_rule.get('title', 'Unnamed Rule')}
"""

    # Process selection criteria
    selections = {key: val for key, val in detection.items() if key.startswith('selection')}
    
    # Process each selection
    for key, value in selections.items():
        python_code += f"\n# Applying {key} conditions\n"
        for field, conditions in value.items():
            if isinstance(conditions, list):
                # Handles conditions with a list, such as endswith or contains
                if field.endswith('|endswith'):
                    field_name = field.replace('|endswith', '')
                    python_code += f"df = df[df['{field_name}'].str.endswith({conditions}, na=False)]\n"
                elif field.endswith('|contains'):
                    field_name = field.replace('|contains', '')
                    python_code += f"df = df[df['{field_name}'].str.contains('|'.join({conditions}), case=False, na=False)]\n"
            elif isinstance(conditions, dict):
                # Handles nested conditions like 'CommandLine|contains'
                for sub_field, sub_conditions in conditions.items():
                    if isinstance(sub_conditions, list):
                        python_code += f"df = df[df['{sub_field}'].str.contains('|'.join({sub_conditions}), case=False, na=False)]\n"
    
    # Final output for filtered data based on conditions
    python_code += """
# Display the suspicious activities
if not df.empty:
    print("Suspicious activities found:")
    print(df[['Image', 'OriginalFileName', 'CommandLine', 'UtcTime', 'UserName']])
else:
    print("No suspicious activities found.")
"""

    # Save the generated Python code into a file
    with open(output_file, 'w') as f:
        f.write(python_code)

    print(f"Python code saved to {output_file}")

# Example usage
sigma_rule_file = 'dotnet exec.yaml'
sigma_to_python(sigma_rule_file)

Python code saved to generated_code.py


## EID3 to Sigma Converter

In [3]:
import pandas as pd
import yaml


def sigma_to_python(sigma_rule_path, log_file='EID3.csv', output_file='EID3 Detector.py'):
    # Load the Sigma rule from a YAML file
    with open(sigma_rule_path, 'r') as f:
        sigma_rule = yaml.safe_load(f)

    detection = sigma_rule.get('detection', {})
    
    # Start generating Python code
    python_code = f"""
import pandas as pd

# Load the logs from the CSV file
log_file = '{log_file}'
df = pd.read_csv(log_file)

# Applying Sigma Rule: {sigma_rule.get('title', 'Unnamed Rule')}
"""

    # Process selection criteria
    selection = detection.get('selection', {})
    filter_main_local_ip = detection.get('filter_main_local_ip', {})
    filter_main_msrange = detection.get('filter_main_msrange', {})

    # Apply selection conditions
    python_code += f"\n# Applying selection conditions\n"
    
    # Check for PowerShell or pwsh process in 'Image' column
    if 'Image|endswith' in selection:
        power_shell_processes = selection['Image|endswith']
        python_code += f"df = df[df['Image'].str.lower().str.endswith(tuple({power_shell_processes}), na=False)]\n"

    # Apply filter criteria to exclude local IP ranges (filter_main_local_ip)
    python_code += "\n# Exclude local IP ranges\n"
    if 'DestinationIp|cidr' in filter_main_local_ip:
        local_ip_ranges = filter_main_local_ip['DestinationIp|cidr']
        python_code += f"""
local_ip_ranges = {local_ip_ranges}
def ip_not_in_range(ip, ranges):
    from ipaddress import ip_network, ip_address
    for ip_range in ranges:
        if ip_address(ip) in ip_network(ip_range):
            return False
    return True

df['is_valid_ip'] = df['DestinationIp'].apply(lambda x: ip_not_in_range(x, local_ip_ranges))
df = df[df['is_valid_ip']]
"""

    # Apply filter for Microsoft IP ranges (filter_main_msrange)
    python_code += "\n# Exclude Microsoft IP ranges\n"
    if 'DestinationIp|cidr' in filter_main_msrange:
        ms_ip_ranges = filter_main_msrange['DestinationIp|cidr']
        python_code += f"""
ms_ip_ranges = {ms_ip_ranges}
df['is_valid_ip'] = df['DestinationIp'].apply(lambda x: ip_not_in_range(x, ms_ip_ranges))
df = df[df['is_valid_ip']]
"""

    # Exclude rows where the user contains certain keywords (like 'AUTHORI' or 'AUTORI')
    if 'User|contains' in filter_main_local_ip:
        excluded_users = filter_main_local_ip['User|contains']
        python_code += f"""
df = df[~df['User'].str.contains('|'.join({excluded_users}), case=False, na=False)]
"""

    # Final output for filtered data based on conditions
    python_code += """
# Display the suspicious activities
if not df.empty:
    print("Suspicious network connections initiated by PowerShell found:")
    print(df[['Image', 'SourceIp', 'SourceHostname', 'SourcePort', 'User', 'DestinationIp', 'DestinationHostname', 'DestinationPort']])
else:
    print("No suspicious activities found.")
"""

    # Save the generated Python code into a file
    with open(output_file, 'w') as f:
        f.write(python_code)

    print(f"Python code saved to {output_file}")

# Example usage
sigma_rule_file = 'powershell netconn.yaml'
sigma_to_python(sigma_rule_file)


Python code saved to EID3 Detector.py


## Extras

In [17]:
import yaml

def sigma_to_python(sigma_rule_path, log_file='EID1_extracted.csv', output_file='generated_code88.py'):
    # Load the Sigma rule from a YAML file
    with open(sigma_rule_path, 'r') as f:
        sigma_rule = yaml.safe_load(f)

    detection = sigma_rule.get('detection', {})
    conditions = detection.get('condition', '')

    # Start generating Python code
    python_code = f"""
import pandas as pd

# Load the logs from the CSV file
log_file = '{log_file}'
df = pd.read_csv(log_file)

# Applying Sigma Rule: {sigma_rule.get('title', 'Unnamed Rule')}
"""

    # Process selection criteria
    selection = detection.get('selection', [])

    # Print the selection criteria for debugging
    print("Selection criteria:", selection)

    # Apply selection conditions
    python_code += f"\n# Applying selection conditions\n"

    # Loop through each condition in selection
    for condition in selection:
        if 'Image|endswith' in condition:
            jsc_process = condition['Image|endswith']
            python_code += f"df = df[df['Image'].str.lower().str.endswith('{jsc_process}', na=False)]\n"

        if 'OriginalFileName' in condition:
            original_file_name = condition['OriginalFileName']
            python_code += f"df = df[df['OriginalFileName'].str.lower() == '{original_file_name.lower()}']\n"

    # Final output for filtered data based on conditions
    python_code += """
# Display the suspicious activities
if not df.empty:
    print("Suspicious JScript Compiler (jsc.exe) execution found:")
    print(df[['Image', 'OriginalFileName', 'CommandLine', 'User']])
else:
    print("No suspicious activities found.")
"""

    # Save the generated Python code into a file
    with open(output_file, 'w') as f:
        f.write(python_code)

    print(f"Python code saved to {output_file}")

# Example usage
sigma_rule_file = 'jsc exec.yaml'
sigma_to_python(sigma_rule_file)

Selection criteria: [{'Image|endswith': '\\jsc.exe'}, {'OriginalFileName': 'jsc.exe'}]
Python code saved to generated_code88.py


In [10]:
import yaml

def sigma_to_python(sigma_rule_path, log_file='EID1_extracted.csv', output_file='generated_code.py'):
    # Load the Sigma rule from a YAML file
    with open(sigma_rule_path, 'r') as f:
        sigma_rule = yaml.safe_load(f)

    detection = sigma_rule.get('detection', {})
    conditions = detection.get('condition', '')

    # Start generating Python code
    python_code = f"""
import pandas as pd

# Load the logs from the CSV file
log_file = '{log_file}'
df = pd.read_csv(log_file)

# Applying Sigma Rule: {sigma_rule.get('title', 'Unnamed Rule')}
"""

    # Process selection criteria
    selections = {key: val for key, val in detection.items() if key.startswith('selection')}
    
    # Process each selection
    for key, value in selections.items():
        python_code += f"\n# Applying {key} conditions\n"
        for field, condition in value.items():
            # Handle 'contains' conditions with lists
            if isinstance(condition, list) and field.endswith('|contains'):
                field_name = field.replace('|contains', '')
                # Escape backslashes properly in the condition list
                condition_escaped = [cond.replace("\\", "\\\\") for cond in condition]
                python_code += f"df = df[df['{field_name}'].str.contains('|'.join({condition_escaped}), case=False, na=False)]\n"
            # Handle 'endswith' conditions
            elif field.endswith('|endswith'):
                field_name = field.replace('|endswith', '')
                # Escape backslashes properly
                condition_escaped = condition.replace("\\", "\\\\")
                python_code += f"df = df[df['{field_name}'].str.endswith(r'{condition_escaped}', na=False)]\n"
            # Handle 'contains|all' conditions
            elif field.endswith('|contains|all') and isinstance(condition, list):
                field_name = field.replace('|contains|all', '')
                # Escape backslashes in each condition and concatenate with logical AND
                condition_escaped = [cond.replace("\\", "\\\\") for cond in condition]
                conditions_str = " & ".join([f"df['{field_name}'].str.contains(r'{val}', case=False, na=False)" for val in condition_escaped])
                python_code += f"df = df[{conditions_str}]\n"

    # Handle condition logic like '1 of selection_*'
    if 'condition' in detection:
        condition = detection['condition']
        if '1 of selection_' in condition:
            python_code += f"\n# Applying condition: {condition}\n"
            python_code += "df_filtered = pd.concat([\n"
            for key in selections.keys():
                python_code += f"    df,  # Filtered {key} condition\n"
            python_code += "]).drop_duplicates()\n"
            python_code += "df = df_filtered\n"

    # Final output for filtered data based on conditions
    python_code += """
# Display the suspicious activities
if not df.empty:
    print("Suspicious activities found:")
    print(df[['Image', 'CommandLine', 'Hashes', 'UtcTime', 'UserName']])
else:
    print("No suspicious activities found.")
"""

    # Save the generated Python code into a file
    with open(output_file, 'w') as f:
        f.write(python_code)

    print(f"Python code saved to {output_file}")

# Example usage
sigma_rule_file = 'forest_blizzard_sigma.yaml'
sigma_to_python(sigma_rule_file)


Python code saved to generated_code.py


In [25]:
import yaml

def sigma_to_python(sigma_rule_path, log_file='EID1_extracted.csv', output_file='generated_code.py'):
    # Load the Sigma rule from a YAML file
    with open(sigma_rule_path, 'r') as f:
        sigma_rule = yaml.safe_load(f)

    detection = sigma_rule.get('detection', {})
    conditions = detection.get('condition', '')

    # Start generating Python code
    python_code = f"""
import pandas as pd

# Load the logs from the CSV file
log_file = '{log_file}'
df = pd.read_csv(log_file)

# Applying Sigma Rule: {sigma_rule.get('title', 'Unnamed Rule')}
"""

    # Process selection criteria
    selections = {key: val for key, val in detection.items() if key.startswith('selection')}
    
    # Process each selection
    for key, value in selections.items():
        python_code += f"\n# Applying {key} conditions\n"

        # Check if value is a list (in your case, 'selection' is a list of dictionaries)
        if isinstance(value, list):
            for condition in value:
                for field, condition_value in condition.items():
                    # Handle 'endswith' conditions
                    if field.endswith('|endswith'):
                        field_name = field.replace('|endswith', '')
                        condition_escaped = condition_value.replace("\\", "\\\\")
                        python_code += f"df = df[df['{field_name}'].str.endswith(r'{condition_escaped}', na=False)]\n"
                    # Handle exact match conditions
                    elif isinstance(condition_value, str):
                        condition_escaped = condition_value.replace("\\", "\\\\")
                        python_code += f"df = df[df['{field}'].str.lower() == '{condition_escaped.lower()}']\n"
        else:
            # Handle the case where the value is a dictionary
            for field, condition_value in value.items():
                # Handle 'contains' conditions with lists
                if isinstance(condition_value, list) and field.endswith('|contains'):
                    field_name = field.replace('|contains', '')
                    condition_escaped = [cond.replace("\\", "\\\\") for cond in condition_value]
                    python_code += f"df = df[df['{field_name}'].str.contains('|'.join({condition_escaped}), case=False, na=False)]\n"
                
                # Handle 'endswith' conditions
                elif field.endswith('|endswith'):
                    field_name = field.replace('|endswith', '')
                    condition_escaped = condition_value.replace("\\", "\\\\")
                    python_code += f"df = df[df['{field_name}'].str.endswith(r'{condition_escaped}', na=False)]\n"
                
                # Handle 'contains|all' conditions
                elif field.endswith('|contains|all') and isinstance(condition_value, list):
                    field_name = field.replace('|contains|all', '')
                    condition_escaped = [cond.replace("\\", "\\\\") for cond in condition_value]
                    conditions_str = " & ".join([f"df['{field_name}'].str.contains(r'{val}', case=False, na=False)" for val in condition_escaped])
                    python_code += f"df = df[{conditions_str}]\n"
                
                # Handle exact match conditions
                elif isinstance(condition_value, str):
                    condition_escaped = condition_value.replace("\\", "\\\\")
                    python_code += f"df = df[df['{field}'].str.lower() == '{condition_escaped.lower()}']\n"

    # Handle condition logic (like '1 of selection_*' or boolean combinations)
    if 'condition' in detection:
        condition = detection['condition']
        if '1 of selection_' in condition:
            python_code += f"\n# Applying condition: {condition}\n"
            python_code += "df_filtered = pd.concat([\n"
            for key in selections.keys():
                python_code += f"    df[df[{key}]],\n"
            python_code += "]).drop_duplicates()\n"
            python_code += "df = df_filtered\n"
        else:
            # Implement more complex conditions if necessary
            python_code += f"\n# Applying complex condition logic: {condition}\n"

    # Final output for filtered data based on conditions
    python_code += """
# Display the suspicious activities
if not df.empty:
    print("Suspicious activities found:")
    print(df[['Image', 'CommandLine', 'Hashes', 'UtcTime', 'User']])
else:
    print("No suspicious activities found.")
"""

    # Save the generated Python code into a file
    with open(output_file, 'w') as f:
        f.write(python_code)

    print(f"Python code saved to {output_file}")

# Example usage
sigma_rule_file = 'forest_blizzard_sigma.yaml'
sigma_to_python(sigma_rule_file)

Python code saved to generated_code.py


## References

- https://github.com/SigmaHQ/sigma