Skip to content

v1.0.0

Choose a tag to compare

View all tags
@wagga40 wagga40 released this 08 Jan 15:51
· 11 commits to main since this release
v1.0.0
619135f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

What's Changed

This PR updates the SQLite backend to support pySigma 1.0 and adds support for Sigma correlation rules, making the backend fully compliant (I hope...) with the Sigma specification.

Changes

  • Full Correlation Rule Support

    • event_count - Count events matching conditions
    • value_count - Count distinct field values
    • temporal - Events from multiple rules within a timespan
    • temporal_ordered - Events in specific order within a timespan
    • value_sum / value_avg - Aggregate field value calculations
    • Configurable timestamp_field for correlation queries

  • Complete Sigma Modifier Support

    • Timestamp part extraction (hour, minute, day, week, month, year) via strftime()
    • fieldref modifier for field-to-field comparisons
    • cased modifier using SQLite GLOB for case-sensitive matching
    • exists modifier for field existence checks

Updates

  • Upgraded to pySigma 1.0.2
  • Updated GitHub Actions workflows

New Contributors

Full Changelog: v0.2.0...v1.0.0

Contributors

chenrui333 and sifex
Assets 2
Loading