Merge pull request #208 from SigmaHQ:taxonomies

Introduction of rule taxonomy attribute and processing condition

Author: thomaspatzke

sigma/processing/conditions.py

@@ -257,6 +257,22 @@ def match(
         return isinstance(rule, SigmaCorrelationRule)
 
 
+@dataclass
+class TaxonomyCondition(RuleProcessingCondition):
+    """
+    Matches on rule taxonomy.
+    """
+
+    taxonomy: str
+
+    def match(
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: Union[SigmaRule, SigmaCorrelationRule],
+    ) -> bool:
+        return rule.taxonomy == self.taxonomy
+
+
 ### Field Name Condition Classes ###
 @dataclass
 class IncludeFieldCondition(FieldNameProcessingCondition):
@@ -395,6 +411,7 @@ def match_detection_item(
     "processing_item_applied": RuleProcessingItemAppliedCondition,
     "is_sigma_rule": IsSigmaRuleCondition,
     "is_sigma_correlation_rule": IsSigmaCorrelationRuleCondition,
+    "taxonomy": TaxonomyCondition,
 }
 detection_item_conditions: Dict[str, DetectionItemProcessingCondition] = {
     "match_string": MatchStringCondition,

sigma/rule.py

@@ -736,6 +736,7 @@ class SigmaRuleBase:
     title: str = ""
     id: Optional[UUID] = None
     name: Optional[str] = None
+    taxonomy: str = "sigma"
     related: Optional[SigmaRelated] = None
     status: Optional[SigmaStatus] = None
     description: Optional[str] = None
@@ -823,6 +824,25 @@ class instantiation of an object derived from the SigmaRuleBase class and the er
                 else:
                     rule_name = rule_name
 
+        # Rule taxonomy
+        rule_taxonomy = rule.get("taxonomy", "sigma")
+        if rule_taxonomy is not None:
+            if not isinstance(rule_taxonomy, str):
+                errors.append(
+                    sigma_exceptions.SigmaTaxonomyError(
+                        "Sigma rule taxonomy must be a string", source=source
+                    )
+                )
+            else:
+                if rule_taxonomy == "":
+                    errors.append(
+                        sigma_exceptions.SigmaTaxonomyError(
+                            "Sigma rule taxonomy must not be empty", source=source
+                        )
+                    )
+                else:
+                    rule_taxonomy = rule_taxonomy
+
         # Rule related validation
         rule_related = rule.get("related")
         if rule_related is not None:
@@ -985,6 +1005,7 @@ class instantiation of an object derived from the SigmaRuleBase class and the er
                 "title": rule_title,
                 "id": rule_id,
                 "name": rule_name,
+                "taxonomy": rule_taxonomy,
                 "related": rule_related,
                 "level": level,
                 "status": status,

tests/test_processing_conditions.py

@@ -14,6 +14,7 @@
     MatchStringCondition,
     RuleContainsDetectionItemCondition,
     RuleProcessingItemAppliedCondition,
+    TaxonomyCondition,
 )
 from sigma.rule import SigmaDetectionItem, SigmaLogSource, SigmaRule
 from tests.test_processing_pipeline import processing_item
@@ -41,6 +42,7 @@ def sigma_rule():
         """
         title: Test
         status: test
+        taxonomy: test
         logsource:
             category: test_category
             product: test_product
@@ -155,6 +157,10 @@ def test_is_sigma_correlation_rule_with_rule(dummy_processing_pipeline, sigma_ru
     assert not IsSigmaCorrelationRuleCondition().match(dummy_processing_pipeline, sigma_rule)
 
 
+def test_taxonomy_condition_match(dummy_processing_pipeline, sigma_rule):
+    assert TaxonomyCondition("test").match(dummy_processing_pipeline, sigma_rule)
+
+
 def test_include_field_condition_match(dummy_processing_pipeline, detection_item):
     assert IncludeFieldCondition(["field", "otherfield"]).match_field_name(
         dummy_processing_pipeline, "field"

tests/test_rule.py

@@ -1016,6 +1016,7 @@ def sigma_rule():
         title="Test",
         id=UUID("9a6cafa7-1481-4e64-89a1-1f69ed08618c"),
         name="test",
+        taxonomy="test",
         status=SigmaStatus.TEST,
         description="This is a test",
         references=[
@@ -1087,6 +1088,7 @@ def test_sigmarule_fromyaml(sigma_rule):
     title: Test
     id: 9a6cafa7-1481-4e64-89a1-1f69ed08618c
     name: test
+    taxonomy: test
     status: test
     description: This is a test
     references:
@@ -1127,6 +1129,7 @@ def test_sigmarule_fromyaml_with_custom_attribute(sigma_rule):
     title: Test
     id: 9a6cafa7-1481-4e64-89a1-1f69ed08618c
     name: test
+    taxonomy: test
     status: test
     description: This is a test
     references: