feat: add validator for modified date order (#55)

swachchhanda000 · phantinuss · web-flow · commit acf2959267b3 · 2025-11-10T19:34:00.000+01:00
* feat: add validator for modified date order

* fix: poetry black reformatting issues

* remove redundant test

* Apply suggestions from code review

Co-authored-by: phantinuss &lt;79651203+phantinuss@users.noreply.github.com&gt;

* reformatting

---------

Co-authored-by: phantinuss &lt;79651203+phantinuss@users.noreply.github.com&gt;
diff --git a/sigma/validators/sigmahq/metadata.py b/sigma/validators/sigmahq/metadata.py
@@ -77,6 +77,41 @@ def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
             return []
 
 
+@dataclass
+class SigmahqModifiedDateOrderIssue(SigmaValidationIssue):
+    description: ClassVar[str] = (
+        "Rule has a modified field whose value is older than that of the date field. The modified date has always to be newer than date."
+    )
+    severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.MEDIUM
+
+
+class SigmahqModifiedDateOrderValidator(SigmaRuleValidator):
+    """Checks if a rule has a modified field that has value older than the date field."""
+
+    def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
+        if rule.date is not None and rule.modified is not None:
+            if rule.modified < rule.date:
+                return [SigmahqModifiedDateOrderIssue([rule])]
+        return []
+
+
+@dataclass
+class SigmahqModifiedWithoutDateIssue(SigmaValidationIssue):
+    description: ClassVar[str] = (
+        "Rule has a modified field without a date field. New rules should only have a date field."
+    )
+    severity: ClassVar[SigmaValidationIssueSeverity] = SigmaValidationIssueSeverity.HIGH
+
+
+class SigmahqModifiedWithoutDateValidator(SigmaRuleValidator):
+    """Checks if a rule has a modified field without a date field."""
+
+    def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
+        if rule.modified is not None and rule.date is None:
+            return [SigmahqModifiedWithoutDateIssue([rule])]
+        return []
+
+
 @dataclass
 class SigmahqDescriptionExistenceIssue(SigmaValidationIssue):
     description: ClassVar[str] = "Rule is missing the description field"
diff --git a/tests/test_metadata.py b/tests/test_metadata.py
@@ -13,6 +13,10 @@
     SigmahqStatusValidator,
     SigmahqDateExistenceIssue,
     SigmahqDateExistenceValidator,
+    SigmahqModifiedDateOrderIssue,
+    SigmahqModifiedDateOrderValidator,
+    SigmahqModifiedWithoutDateIssue,
+    SigmahqModifiedWithoutDateValidator,
     SigmahqDescriptionExistenceIssue,
     SigmahqDescriptionExistenceValidator,
     SigmahqDescriptionLengthIssue,
@@ -126,6 +130,81 @@ def test_validator_SigmahqDateExistence_valid():
     assert validator.validate(rule) == []
 
 
+def test_validator_SigmahqModifiedDateOrder_older():
+    validator = SigmahqModifiedDateOrderValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: test
+    status: stable
+    date: 2023-12-10
+    modified: 2023-12-05
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: path\\*something
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == [SigmahqModifiedDateOrderIssue([rule])]
+
+
+def test_validator_SigmahqModifiedDateOrder_valid():
+    validator = SigmahqModifiedDateOrderValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: test
+    status: stable
+    date: 2023-12-10
+    modified: 2023-12-15
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: path\\*something
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == []
+
+
+def test_validator_SigmahqModifiedWithoutDate():
+    validator = SigmahqModifiedWithoutDateValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: test
+    status: stable
+    modified: 2023-12-05
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: path\\*something
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == [SigmahqModifiedWithoutDateIssue([rule])]
+
+
+def test_validator_SigmahqModifiedWithoutDate_valid():
+    validator = SigmahqModifiedWithoutDateValidator()
+    rule = SigmaRule.from_yaml(
+        """
+    title: test
+    status: stable
+    date: 2023-12-10
+    modified: 2023-12-15
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: path\\*something
+        condition: sel
+    """
+    )
+    assert validator.validate(rule) == []
+
+
 def test_validator_SigmahqStatusExistence():
     validator = SigmahqStatusExistenceValidator()
     rule = SigmaRule.from_yaml(
