Add "Plugin" column to sigma list targets and sigma list pipelines

[Copilot]

sigma list targets and sigma list pipelines exposed backend/pipeline identifiers with no way to trace them back to the installed plugin. This made it impossible to programmatically determine which plugin to uninstall (e.g., elasticsearch installs lucene, eql, esql, elastalert — none of which map back to elasticsearch in the list output).

Changes

• sigma/cli/list.py

  • Added _plugin_id_from_module() — extracts the Sigma plugin identifier from a module name by reading the namespace component (e.g. sigma.backends.splunk.backend → splunk)
  • Added _get_backend_plugin_id() and _get_pipeline_plugin_id() — resolve a backend class or pipeline callable/instance to its Sigma plugin identifier; handles @Pipeline-decorated instances via the .func attribute
  • Pre-computes _pipeline_plugin_ids at module load time before the pipeline resolver discards callable/module metadata
  • Added "Plugin" column to both list_targets and list_pipelines table output showing the Sigma plugin identifier (e.g. splunk, elasticsearch, windows)

• tests/test_lists.py

  • Added test_targets_has_plugin_column and test_pipelines_has_plugin_column verifying the column header is present and no n/a values appear when plugins are installed

Example output

$ sigma list targets
+-------------------------+-----------------------+------------------------------+---------------+
| Identifier              | Target Query Language | Processing Pipeline Required | Plugin        |
+-------------------------+-----------------------+------------------------------+---------------+
| lucene                  | Lucene                | No                           | elasticsearch |
| eql                     | EQL                   | No                           | elasticsearch |
+-------------------------+-----------------------+------------------------------+---------------+

$ sigma list pipelines
+-------------------+----------+-------------------------+-------------+---------------+
| Identifier        | Priority | Processing Pipeline     | Backends    | Plugin        |
+-------------------+----------+-------------------------+-------------+---------------+
| ecs_windows       | 20       | ECS Windows             | lucene, eql | elasticsearch |
+-------------------+----------+-------------------------+-------------+---------------+

[thomaspatzke]

@copilot The name shown in the "Package" column is the name of the Python package, not the name of the identifier of the Sigma plugin. The plugin name should be shown instead, e.g. splunk instead of pySigma-backend-splunk.

[Copilot]

@copilot The name shown in the "Package" column is the name of the Python package, not the name of the identifier of the Sigma plugin. The plugin name should be shown instead, e.g. splunk instead of p...

Fixed in be13a27. The "Plugin" column now extracts the plugin identifier directly from the module namespace (sigma.backends.<plugin_id>.* → <plugin_id>), so it shows e.g. splunk instead of pySigma-backend-splunk.