pySigma NetWitness Backend

December 1, 2025 ยท View on GitHub

Test status Test coverage Package version Supported Python versions Release status

pySigma NetWitness Backend

This is the NetWitness backend for pySigma. It provides the package sigma.backends.netwitness with the NetWitnessBackend class. Further, it contains the following processing pipelines in sigma.pipelines.netwitness:

  • netwitness_windows_pipeline: NetWitness mapping and conversions for Windows

This backend is currently maintained by:

Requirements

Installation

pip install pysigma-backend-netwitness

Example

  • Create a file main.py with:
from sigma.collection import SigmaCollection
from sigma.backends.netwitness.netwitness import NetWitnessBackend
from sigma.pipelines.netwitness.windows import netwitness_windows_pipeline

netwitness_backend = NetWitnessBackend(processing_pipeline=netwitness_windows_pipeline())

conversion_result: list[str] = netwitness_backend.convert(
    SigmaCollection.from_yaml(
        """
        title: Test
        status: test
        logsource:
            product: windows
            category: process_creation
        detection:
            sel:
                CommandLine: test
            condition: sel
        """
    )
)

print(conversion_result[0])

Run the example with:

$ python main.py

reference.id = '4688' && param = 'test'