This PR updates the SQLite backend to support pySigma 1.0 and adds support for Sigma correlation rules, making the backend fully compliant (I hope...) with the Sigma specification.

Changes

Full Correlation Rule Support
- event_count - Count events matching conditions
- value_count - Count distinct field values
- temporal - Events from multiple rules within a timespan
- temporal_ordered - Events in specific order within a timespan
- value_sum / value_avg - Aggregate field value calculations
- Configurable timestamp_field for correlation queries
Complete Sigma Modifier Support
- Timestamp part extraction (hour, minute, day, week, month, year) via strftime()
- fieldref modifier for field-to-field comparisons
- cased modifier using SQLite GLOB for case-sensitive matching
- exists modifier for field existence checks

Updates

Upgraded to pySigma 1.0.2
Updated GitHub Actions workflows

New Contributors

@chenrui333 made their first contribution in #6
@sifex made their first contribution in #8

Full Changelog: v0.2.0...v1.0.0

Contributors

chenrui333 and sifex

Assets 2

23 Oct 15:39

wagga40

v0.2.0

23f5554

v0.2.0

What's Changed

Chore workflow by @frack113 in #5
Add new modifiers support by @wagga40 (fieldref, exists, cased)
Remove Python 3.8 support and update workflow and tests by @wagga40

About Correlation rules support

Correlation rules need a timespan field in order to work correctly. For now, there is no simple and generic way to implement it with SQLite. To be honest, given that there are nearly no correlation rules in the official rules repository, I don't think this is a problem at the moment.