Processing RuleTagCondition

SigmaHQ · Apr 8, 2024 · aa9ea69 · aa9ea69
1 parent 9b37d4e
commit aa9ea69
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/docs/Processing_Pipelines.rst b/docs/Processing_Pipelines.rst
@@ -172,13 +172,15 @@ Rule Conditions
    "is_sigma_rule": IsSigmaRuleCondition
    "is_sigma_correlation_rule": IsSigmaCorrelationRuleCondition
    "rule_attribute", "RuleAttributeCondition"
+   "tag", "RuleTagCondition"
 
 .. autoclass:: sigma.processing.conditions.LogsourceCondition
 .. autoclass:: sigma.processing.conditions.RuleContainsDetectionItemCondition
 .. autoclass:: sigma.processing.conditions.RuleProcessingItemAppliedCondition
 .. autoclass:: sigma.processing.conditions.IsSigmaRuleCondition
 .. autoclass:: sigma.processing.conditions.IsSigmaCorrelationRuleCondition
 .. autoclass:: sigma.processing.conditions.RuleAttributeCondition
+.. autoclass:: sigma.processing.conditions.RuleTagCondition
 
 Detection Item Conditions
 =========================

diff --git a/sigma/processing/conditions.py b/sigma/processing/conditions.py
@@ -14,6 +14,7 @@
     SigmaRule,
     SigmaDetectionItem,
     SigmaLogSource,
+    SigmaRuleTag,
     SigmaStatus,
 )
 from sigma.exceptions import SigmaConfigurationError, SigmaRegularExpressionError
@@ -363,6 +364,25 @@ def match(
             return False
 
 
+@dataclass
+class RuleTagCondition(RuleProcessingCondition):
+    """
+    Matches on rule tag.
+    """
+
+    tag: str
+
+    def __post_init__(self):
+        self.match_tag = SigmaRuleTag.from_str(self.tag)
+
+    def match(
+        self,
+        pipeline: "sigma.processing.pipeline.ProcessingPipeline",
+        rule: Union[SigmaRule, SigmaCorrelationRule],
+    ) -> bool:
+        return self.match_tag in rule.tags
+
+
 ### Field Name Condition Classes ###
 @dataclass
 class IncludeFieldCondition(FieldNameProcessingCondition):
@@ -502,6 +522,7 @@ def match_detection_item(
     "is_sigma_rule": IsSigmaRuleCondition,
     "is_sigma_correlation_rule": IsSigmaCorrelationRuleCondition,
     "rule_attribute": RuleAttributeCondition,
+    "tag": RuleTagCondition,
 }
 detection_item_conditions: Dict[str, DetectionItemProcessingCondition] = {
     "match_string": MatchStringCondition,

diff --git a/tests/test_processing_conditions.py b/tests/test_processing_conditions.py
@@ -15,6 +15,7 @@
     RuleContainsDetectionItemCondition,
     RuleProcessingItemAppliedCondition,
     RuleAttributeCondition,
+    RuleTagCondition,
 )
 from sigma.rule import SigmaDetectionItem, SigmaLogSource, SigmaRule
 from tests.test_processing_pipeline import processing_item
@@ -57,6 +58,8 @@ def sigma_rule():
                     - value
                     - 123
             condition: sel
+        tags:
+            - test.tag
         level: medium
         custom: 123
     """
@@ -245,6 +248,14 @@ def test_rule_attribute_condition_invalid_rule_field_type(dummy_processing_pipel
         )
 
 
+def test_rule_tag_condition_match(dummy_processing_pipeline, sigma_rule):
+    assert RuleTagCondition("test.tag").match(dummy_processing_pipeline, sigma_rule)
+
+
+def test_rule_tag_condition_nomatch(dummy_processing_pipeline, sigma_rule):
+    assert not RuleTagCondition("test.notag").match(dummy_processing_pipeline, sigma_rule)
+
+
 def test_include_field_condition_match(dummy_processing_pipeline, detection_item):
     assert IncludeFieldCondition(["field", "otherfield"]).match_field_name(
         dummy_processing_pipeline, "field"