
Support Unnormalized Playbooks #1197

Open

defensivedepth wants to merge 5 commits into 3/dev from feature/sigma-playbooks

Conversation

@defensivedepth

Contributor

This PR refactors playbook placeholder resolution.

It replaces the previous way of doing it (pre-conversion {field} string substitution) with a %placeholder% mechanism that resolves values from the triggering alert event at sigma convert time via a per-call vars: pipeline. It now uses native Sigma functionality, so there is no need to maintain a normalized-for-SO Playbook.

The legacy conversion functionality is still retained until we have moved all Playbooks to this new format.

Also, dependency bump — pysigma 0.11.20→1.4.0, sigma-cli 1.0.5→3.0.2, our custom SO backend 0.1.0→1.0.0.
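To make the per-call resolution idea concrete, here is an added illustration written for this page; it is not code from this PR, from the Security Onion backend, or from pySigma. It assumes a playbook rule stored as a plain dict, a triggering alert event that may be flat (`"host.name"`) or nested (`{"host": {"name": ...}}`), and constructed function names (`prepare_rule`, `build_vars`, `lookup`). It mirrors the shape of the mechanism described: collect the `%name%` placeholders in the detection section, build a vars mapping from the triggering event for this one conversion, substitute into a copy of the rule, and fail closed (raise) rather than emit a query with an empty or missing value when the event lacks a field.

```python
"""Constructed illustration of %placeholder% resolution from a triggering alert event."""
import copy
import re
from typing import Any, Dict, Iterable, Set

# Placeholder token as used in Sigma values, e.g. %host.name% (hypothetical field names).
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.]+)%")


class UnresolvedPlaceholderError(ValueError):
    """A placeholder in the playbook has no value in the triggering event."""


def lookup(event: Dict[str, Any], dotted: str) -> Any:
    """Fetch a dotted key from a flat or nested event; raise if it is absent."""
    if dotted in event:
        return event[dotted]
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise UnresolvedPlaceholderError(f"no value for %{dotted}% in triggering event")
        node = node[part]
    return node


def placeholder_names(obj: Any) -> Set[str]:
    """Collect every %name% referenced anywhere in a detection section."""
    names: Set[str] = set()
    if isinstance(obj, str):
        names.update(PLACEHOLDER.findall(obj))
    elif isinstance(obj, dict):
        for value in obj.values():
            names |= placeholder_names(value)
    elif isinstance(obj, list):
        for value in obj:
            names |= placeholder_names(value)
    return names


def build_vars(event: Dict[str, Any], names: Iterable[str]) -> Dict[str, Any]:
    """Per-call vars mapping: one entry per placeholder, taken from this event only."""
    return {name: lookup(event, name) for name in names}


def substitute(obj: Any, vars_: Dict[str, Any]) -> Any:
    """Replace placeholders in strings, recursing through dicts and lists."""
    if isinstance(obj, str):
        whole = PLACEHOLDER.fullmatch(obj)
        if whole:
            # A value that is exactly one placeholder keeps the event value's type
            # (int, list, ...) so Sigma modifiers still see the right kind of value.
            return vars_[whole.group(1)]
        return PLACEHOLDER.sub(lambda m: str(vars_[m.group(1)]), obj)
    if isinstance(obj, dict):
        return {key: substitute(value, vars_) for key, value in obj.items()}
    if isinstance(obj, list):
        return [substitute(value, vars_) for value in obj]
    return obj


def prepare_rule(rule: Dict[str, Any], event: Dict[str, Any]) -> Dict[str, Any]:
    """Return a resolved copy of the playbook rule; the template itself is never mutated."""
    names = placeholder_names(rule["detection"])
    vars_ = build_vars(event, names)  # raises before any query is produced if a field is missing
    resolved = copy.deepcopy(rule)
    resolved["detection"] = substitute(rule["detection"], vars_)
    return resolved


# Constructed sample playbook rule and triggering event (not from the project).
PLAYBOOK_RULE: Dict[str, Any] = {
    "title": "Follow-up: child processes on the alerting host",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "host.name": "%host.name%",
            "process.parent.name|contains": "%process.name%",
        },
        "condition": "selection",
    },
}

ALERT_EVENT: Dict[str, Any] = {
    "host": {"name": "ws01"},
    "process": {"name": "powershell.exe", "pid": 4242},
}

if __name__ == "__main__":
    print(prepare_rule(PLAYBOOK_RULE, ALERT_EVENT)["detection"])
```

The important property for a playbook is the fail-closed behaviour in `build_vars`: a missing event field stops conversion instead of silently producing a selection that matches everything, and because vars are built per call, two alerts resolving the same template can never leak values into each other.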

@jertel jertel requested a review from coreyogburn July 2, 2026 14:01

coreyogburn previously approved these changes Jul 2, 2026