Processing pipeline must be merged with another one.

[Koirin3224]

Hello! So, I'm fairly new with SIGMA-rules and PySigma, but slowly getting there.
I want to generate some Elasticsearch queries for the API, based on some SIGMA-rules I have generated.
With PySigma I am using the "elasticsearch" backend, and I have made my own, though very simple, pipeline for field-mapping.
When using one of my generated rules, and the pipeline on the website https://sigconverter.io/, I am able to generate a query I can use.

But right now, I am having trouble with the PySigma module, as I get the following error:
TypeError: Processing pipeline must be merged with another one.

Do I have to use two different pipelines for the queries to be generated properly? Or what exactly does this mean?

[andurin]

Hi,

it's a bit hard to tell where the problem may be, without some sample code.
From my past experiences with pipelines the following code may work:

Hint: the ecs_windows pipeline comes from https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/main/sigma/pipelines/elasticsearch/windows.py#L59. But I guess you get the point.

from sigma.backends.elasticsearch.elasticsearch_lucene import LuceneBackend
from sigma.pipelines.elasticsearch.windows import ecs_windows  #, ecs_windows_old
from sigma.collection import SigmaCollection
from sigma.processing.resolver import ProcessingPipelineResolver

sigma_rule_yaml = """
    title: Test
    status: test
    logsource:
        category: test_category
        product: windows
    detection:
        selection:
            ipfield: 192.168.1.1
        condition: selection
"""

piperesolver = ProcessingPipelineResolver()
piperesolver.add_pipeline_class(ecs_windows())

resolved_pipeline = piperesolver.resolve(piperesolver.pipelines)

backend = LuceneBackend(resolved_pipeline)
rules = SigmaCollection.from_yaml(sigma_rule_yaml)
print("Result: \n" + "\n".join(backend.convert(rules)))