Merge pull request #205 from kelnage/add-negated-condition

Enable AddCondition to add negated conditions

sigma/processing/transformations.py

@@ -611,6 +611,7 @@ class AddConditionTransformation(ConditionTransformation):
     conditions: Dict[str, Union[str, List[str]]] = field(default_factory=dict)
     name: Optional[str] = field(default=None, compare=False)
     template: bool = False
+    negated: bool = False
 
     def __post_init__(self):
         if self.name is None:  # generate random detection item name if none is given
@@ -648,7 +649,7 @@ def apply(
             super().apply(pipeline, rule)
 
     def apply_condition(self, cond: SigmaCondition) -> None:
-        cond.condition = f"{self.name} and ({cond.condition})"
+        cond.condition = ("not " if self.negated else "") + f"{self.name} and ({cond.condition})"
 
 
 @dataclass

tests/test_processing_transformations.py

@@ -1165,6 +1165,30 @@ def test_addconditiontransformation_random_name():
     assert len(name) > 6 and name.startswith("_cond_")
 
 
+def test_addconditiontransformation_negated(dummy_pipeline, sigma_rule: SigmaRule):
+    transformation = AddConditionTransformation(
+        {
+            "newfield1": "test",
+            "newfield2": 123,
+            "newfield3": "$category",
+            "listfield": ["value1", "value2"],
+        },
+        "additional",
+        negated=True,
+    )
+    transformation.set_processing_item(
+        ProcessingItem(
+            transformation,
+            identifier="test",
+        )
+    )
+    transformation.apply(dummy_pipeline, sigma_rule)
+    assert (
+        sigma_rule.detection.parsed_condition[0].condition
+        == "not additional and (test)"  # negated condition expression was added
+    )
+
+
 ### ChangeLogsourceTransformation ###
 def test_changelogsource(dummy_pipeline, sigma_rule: SigmaRule):
     processing_item = ProcessingItem(