v0.10.0

Added

• Extended processing pipelines by query post-processing and output finalization.

⚠️ Breaking Changes ⚠️

• The order of ProcessingPipeline parameters has changed. New elements postprocessing_items and finalizers were added between items and vars.
• The order of ProcessingItem parameters has changed. The identifier is now located after rule_conditions and before detection item and field name conditions.

Please take care of these changes in own projects that initialize ProcessingPipeline or ProcessingItem objects with positional parameters. For better readability and compatibility with further breaking changes it is recommended to use keyword arguments for initialization of these classes.

What's Changed

• Detect modules automatically by @mostafa in #119
• Fix json serialization of SigmaLogSource by @DenizenB in #123
• Include custom attributes in SigmaRule.to_dict() by @DenizenB in #124
• Distinct condition state by @kelnage in #127
• Experimental pipelines by @mostafa in #130
• Add validator autodiscovery instructions in README.md by @Res260 in #117
• Linting with Black by @mostafa in #132
• Apply backend naming convention by @mostafa in #134
• Fix cidr expansion for backends that use custom wildcard char by @DenizenB in #139
• Unhandled placeholders raise SigmaPlaceholderError while conversion.

New Contributors

• @DenizenB made their first contribution in #123

Full Changelog: v0.9.11...v0.10.0

v0.9.11

Fixed: placeholder value list transformation now allows to use wildcards in replacement values.

v0.9.10

• Case-sensitive matches with cased modifier.
• Backend base class stores last used processing pipeline in last_processing_pipeline object variable for further usage, e.g. checking if particular processing items were applied.

v0.9.9

• Updated MITRE ATT&CK data to version 13.1
• Added ATT&CK technique to tactic mapping

v0.9.8

Fixed issue with installation of plugins in pipx virtual environments (and possibly others)

v0.9.7

Added missing modifier class docstrings.

v0.9.6

Additions

• Field existence check with exists value modifier.
• Added regular expression modifiers i/ignorecase, m/ multiline, s/dotall

Fixes

• Dropping all detection items of a detection caused error with to_plain() (#104)
• Ability to set allowed backends from YAML processing pipeline (#111)
• Merge of errors when SigmaCollection obejcts were merged (#112)

v0.9.5

• IPv6 CIDR support with cidr modifier.
• Fixed corner case of IPv4 CIDR support.
• Integrated pipeline to backend compatibility check into pipeline resolver.

v0.9.4

Removed implicit storage of all keyword arguments from Backend class initialization into config object attribute to enable defined error behavior for unknown parameters instead of silently accepting them.

v0.9.3

Silent plugin installation.