[v1] Support any for Sigma Filters rule references
#430
The `rules` field in Sigma Filters is now optional. When not specified, filters will apply to all rules that match the logsource criteria, rather than requiring explicit rule IDs or titles.

Changes:
- Modified `SigmaGlobalFilter.from_dict()` to set rules to empty list when not specified
- Updated `SigmaFilter._should_apply_on_rule()` to apply filters to all matching rules when rules field is empty
- Updated `test_no_rules_section` to verify filters now apply when rules is None
- Added `test_filter_without_rules_field_applies_to_all_matching_logsource` to verify global filter behavior
- Removed validation errors for missing rules field from parametrized tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
This pull request makes the `rules` field optional in Sigma filters, enabling filters to apply to all rules with matching logsource when the `rules` field is not specified. Previously, omitting the `rules` field would raise a `SigmaFilterRuleReferenceError`.

Key changes:
- Modified filter logic to treat a missing or empty `rules` field as "apply to all rules with matching logsource"
- Updated the `_should_apply_on_rule` method to implement logsource-based matching when no specific rules are listed
- Added comprehensive test coverage for the new optional rules behavior including edge cases
- Removed validation error tests for a missing `rules` field since it's now valid
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/test_filters.py | Removed SigmaFilterRuleReferenceError import, updated test_no_rules_section to verify filter application, added 5 new comprehensive tests for optional rules field behavior including logsource matching variations and correlation rule exclusion, removed validation error test cases for missing/None rules field |
| sigma/filters.py | Modified SigmaGlobalFilter.from_dict to return empty list instead of raising error when rules field is missing, refactored _should_apply_on_rule to check correlation rules first, then logsource matching, and return True for logsource matches when no rules specified |
| sigma/modifiers.py | Changed type_check parameter from Type[T] to Type[Any] for flexibility, added cast(list[T], r) when returning list from modify method (appears unrelated to main PR purpose) |
| poetry.lock | Auto-generated dependency updates for development tools (black 25.11.0→25.12.0, coverage 7.12.0→7.13.0, pytest 9.0.1→9.0.2, mypy 1.18.2→1.19.0, and other dev dependencies) |
all and any for Sigma Filters
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…nto feature/optional-filter-rules
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…nto feature/optional-filter-rules
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated 7 comments.
Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
…messages accordingly
Title changed from "all and any for Sigma Filters" to "any for Sigma Filters rule references"
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
Context

Reference: SigmaHQ/sigma-specification#133

This pull request enhances the flexibility and correctness of Sigma filter rule handling, particularly around the `rules` field in filters. The changes allow the `rules` field to explicitly accept the special value `"any"` or an empty list to indicate the filter should apply to all rules matching the logsource, and ensure robust error handling when the field is missing. The update also adds comprehensive tests for these scenarios, improving overall reliability.

Sigma filter rule handling improvements:
- The `SigmaGlobalFilter.rules` field now accepts either a list of rule references or the string `"any"`, allowing filters to target all rules matching the logsource when `"any"` or an empty list is provided.
- Filters with `rules: "any"` (or an empty list) apply to all rules with a matching logsource, and never to correlation rules.

Error handling and validation:
- If the `rules` field is missing from a filter, a clear error is now raised, instructing users to specify `"any"` or a specific rule reference.

Testing enhancements:
- New tests cover `rules: "any"`, partial logsource matching, more specific logsource filters, exclusion of correlation rules, empty rules lists, and missing `rules` fields.

Type safety improvements:
- Improved the `type_check` method and ensured correct casting in the `apply` method.
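The following is an added, self-contained model of the filter semantics described in this review (not pySigma's own code): a filter applies to a rule only if the rule is not a correlation rule and its logsource matches, then either `rules` is `"any"` / an empty list or the rule's id or title is listed; a filter with no `rules` key is rejected. Class and function names, and the assumption that a filter logsource matches when every field set on the filter equals the rule's field, are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class LogSource:
    category: Optional[str] = None
    product: Optional[str] = None
    service: Optional[str] = None

    def matches(self, rule_ls: "LogSource") -> bool:
        # Assumption: every field set on the filter must equal the rule's field;
        # unset filter fields are wildcards, so a filter that is more specific
        # than the rule (e.g. sets service while the rule does not) does not match.
        pairs = ((self.category, rule_ls.category), (self.product, rule_ls.product),
                 (self.service, rule_ls.service))
        return all(mine is None or mine == theirs for mine, theirs in pairs)


@dataclass
class Rule:
    id: str
    title: str
    logsource: LogSource
    is_correlation: bool = False


class FilterRuleReferenceError(ValueError):
    """Raised when a filter omits 'rules' or uses an unsupported string value."""


@dataclass
class GlobalFilter:
    logsource: LogSource
    rules: Union[str, list[str]]  # "any" or a list of rule ids / titles

    @classmethod
    def from_dict(cls, d: dict) -> "GlobalFilter":
        if "rules" not in d:
            raise FilterRuleReferenceError('filter needs "rules": use "any" or list rule ids/titles')
        rules = d["rules"]
        if isinstance(rules, str) and rules != "any":
            raise FilterRuleReferenceError('only "any" is allowed as a string value for "rules"')
        ls = d.get("logsource", {})
        return cls(LogSource(ls.get("category"), ls.get("product"), ls.get("service")), rules)

    def should_apply_on_rule(self, rule: Rule) -> bool:
        if rule.is_correlation:                       # never filter correlation rules
            return False
        if not self.logsource.matches(rule.logsource):
            return False
        if self.rules == "any" or self.rules == []:   # "any" / empty list: logsource alone decides
            return True
        return rule.id in self.rules or rule.title in self.rules
```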