Curious if Marshaling back into YAML is in scope for sigmalite. I think the main gap would be being able to construct the Expressions without Parse() being involved, and then handling JSON/YAML Marshaler tags or functions as needed? [mostly there, but private structs]?
I think marshaling a rule back to YAML is a reasonable thing to consider. Can you elaborate with a concrete example of what you mean by the gap though? Do you already have expressions that you're now trying to convert into a Sigma rule without a source rule?
Yes, basically I am programmatically building Sigma rules based on my code that generates events. What I've done right now is build the struct with YAML struct tags myself, generally like this:
Then I serialize these to YAML... and then Parse them with Sigmalite [which is fine as a round trip test case]. Was mostly wondering if I could pure "construct" the Sigma Rule "AST" in sigmalite code.