From d41d23eeca3c4c637ed2ab235f7ef286298cb3cf Mon Sep 17 00:00:00 2001
From: Nick Moore
Date: Tue, 26 Mar 2024 17:37:30 +0000
Subject: [PATCH 1/2] Enable AddCondition to add negated conditions

The AddConditionTransformation currently allows the addition of rule conditions that are required to be true to a rule, but cannot be used to add conditions that are negated (e.g., filters). This adds a "negated" attribute to the transformation, which, if set, puts a "not" in front of the condition to enable this functionality.
---
 sigma/processing/transformations.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sigma/processing/transformations.py b/sigma/processing/transformations.py
index 803f4d5a..2ce3121b 100644
--- a/sigma/processing/transformations.py
+++ b/sigma/processing/transformations.py
@@ -611,6 +611,7 @@ class AddConditionTransformation(ConditionTransformation):
     conditions: Dict[str, Union[str, List[str]]] = field(default_factory=dict)
     name: Optional[str] = field(default=None, compare=False)
     template: bool = False
+    negated: bool = False
 
     def __post_init__(self):
         if self.name is None:  # generate random detection item name if none is given
@@ -648,7 +649,7 @@ def apply(
         super().apply(pipeline, rule)
 
     def apply_condition(self, cond: SigmaCondition) -> None:
-        cond.condition = f"{self.name} and ({cond.condition})"
+        cond.condition = ("not " if self.negated else "") + f"{self.name} and ({cond.condition})"
 
 
 @dataclass

From e4ea838ad54f6baf9e89f239f2c2e0bafd62b388 Mon Sep 17 00:00:00 2001
From: Nick Moore
Date: Wed, 27 Mar 2024 09:50:00 +0000
Subject: [PATCH 2/2] Add unit test for negated AddConditionTransform

---
 tests/test_processing_transformations.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/tests/test_processing_transformations.py b/tests/test_processing_transformations.py
index 9d6d1ca1..9e778ab5 100644
--- a/tests/test_processing_transformations.py
+++ b/tests/test_processing_transformations.py
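Review bot: The new `negated` field at `@@ -611` carries no documentation, and the class docstring that introduces `AddConditionTransformation` sits above this hunk, so a reader of the dataclass has no indication that the flag turns the added detection item into an exclusion rather than a requirement. A short field comment would do it: `negated: bool = False  # prepend "not": the added item must NOT match (filter semantics)`. If the class docstring describes the `template` behaviour, it should gain a matching sentence stating that with `negated=True` the rule only matches when the added condition does not, since from a detection-engineering view an inverted filter silently changes what a rule alerts on.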
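Review bot: The rewritten assignment in `apply_condition` (`@@ -648`) depends on Sigma's operator precedence without saying so: because `not` binds tighter than `and`, `not additional and (test)` parses as `(not additional) and (test)`, which is the intended filter semantics, but the line reads as if the whole conjunction might be negated. A two-line form with a why-comment is clearer and keeps the output byte-identical: `prefix = "not " if self.negated else ""` followed by `cond.condition = f"{prefix}{self.name} and ({cond.condition})"`, preceded by a comment noting that `not` applies only to `self.name` so the original condition is never inverted. The prefix is applied to a freshly built string rather than to `cond.condition`, so repeated application cannot produce a double negation; worth stating in the same comment. `apply_condition` is complete within the hunk; the preceding `apply` starts outside it.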
@@ -1165,6 +1165,30 @@ def test_addconditiontransformation_random_name():
     assert len(name) > 6 and name.startswith("_cond_")
 
 
+def test_addconditiontransformation_negated(dummy_pipeline, sigma_rule: SigmaRule):
+    transformation = AddConditionTransformation(
+        {
+            "newfield1": "test",
+            "newfield2": 123,
+            "newfield3": "$category",
+            "listfield": ["value1", "value2"],
+        },
+        "additional",
+        negated=True,
+    )
+    transformation.set_processing_item(
+        ProcessingItem(
+            transformation,
+            identifier="test",
+        )
+    )
+    transformation.apply(dummy_pipeline, sigma_rule)
+    assert (
+        sigma_rule.detection.parsed_condition[0].condition
+        == "not additional and (test)"  # negated condition expression was added
+    )
+
+
 ### ChangeLogsourceTransformation ###
 def test_changelogsource(dummy_pipeline, sigma_rule: SigmaRule):
     processing_item = ProcessingItem(
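Review bot: `test_addconditiontransformation_negated` pins only the rendered string `"not additional and (test)"`, so it would still pass if the emitted expression were syntactically valid text that the Sigma condition parser rejects or groups differently from what the comment claims. Since the whole point of the feature is the precedence of `not` over `and`, the test should also exercise the parser on the result, for example by evaluating the condition's parsed form (if `SigmaCondition` exposes one in this test setup, e.g. `sigma_rule.detection.parsed_condition[0].parsed`) and asserting it does not raise. A one-line comment on the assertion explaining that the expected string means `(not additional) and (test)` would also help the next reader, since the existing inline comment only says the expression "was added".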