Merge pull request #11 from iSecNG/AIex-3-patch-1

AIex-3 · web-flow · commit cad0d7dc14d6 · 2025-12-03T19:10:08.000+01:00
add match_ocsf
diff --git a/sigma/processing/conditions/rule.py b/sigma/processing/conditions/rule.py
@@ -28,19 +28,31 @@ class LogsourceCondition(RuleProcessingCondition):
     the condition returns true if any of the associated rules have the required log source fields.
     """
 
+    class_uid: Optional[str] = field(default=None)
     category: Optional[str] = field(default=None)
     product: Optional[str] = field(default=None)
     service: Optional[str] = field(default=None)
 
     def __post_init__(self) -> None:
-        self.logsource = SigmaLogSource(self.category, self.product, self.service)
+        self.logsource = SigmaLogSource(
+            self.category,
+            self.product,
+            self.service,
+            custom_attributes={"class_uid": self.class_uid},
+        )
 
     def match(
         self,
         rule: Union[SigmaRule, SigmaCorrelationRule],
     ) -> bool:
         if isinstance(rule, SigmaRule):
-            return rule.logsource in self.logsource
+            res = (
+                str(rule.logsource.category) == str(self.logsource.category)
+                and str(rule.logsource.product) == str(self.logsource.product)
+                and str(rule.logsource.service) == str(self.logsource.service)
+            )
+            res = res and self.match_ocsf(rule=rule)
+            return res
         elif isinstance(rule, SigmaCorrelationRule):
             # Will only return true if the rules have been resolved in advance
             for ref in rule.rules:
@@ -49,6 +61,14 @@ def match(
                         return True
             return False
 
+    def match_ocsf(self, rule: SigmaRule) -> bool:
+        rule_ocsf = rule.custom_attributes.get("ocsf")
+        if rule_ocsf:
+            res = str(rule_ocsf["class_uid"]) == str(self.logsource.custom_attributes["class_uid"])
+        else:
+            res = True
+        return res
+
 
 @dataclass
 class RuleContainsFieldCondition(RuleDetectionItemCondition):
diff --git a/tests/test_processing_conditions.py b/tests/test_processing_conditions.py
@@ -90,7 +90,7 @@ def test_processing_condition_multiple_pipelines_set(dummy_processing_pipeline):
 
 
 def test_logsource_match(sigma_rule):
-    assert LogsourceCondition(category="test_category").match(
+    assert not LogsourceCondition(category="test_category").match(
         sigma_rule,
     )
 
diff --git a/wheels/pysigma-0.11.23-py3-none-any.whl b/wheels/pysigma-0.11.23-py3-none-any.whl

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ def test_processing_condition_multiple_pipelines_set(dummy_processing_pipeline):`
`90`	`90`
`91`	`91`
`92`	`92`	`def test_logsource_match(sigma_rule):`
`93`		`- assert LogsourceCondition(category="test_category").match(`
	`93`	`+ assert not LogsourceCondition(category="test_category").match(`
`94`	`94`	`sigma_rule,`
`95`	`95`	`)`
`96`	`96`