Rule Validation

The rule validation framework of pySigma offers functionality to validate rules beyond errors that occur while parsing of rules and the included conditions. It consists of the following components:

  • The validator implemented by the sigma.validation.SigmaValidator class that conducts validation of single rules or a whole ruleset with a defined set of validators and exclusions.

  • Validator checks that implement rule checks that reside in the sigma.validators module. A validator can perform checks on isolated rules or keep a state and conduct additional checks in a finalization step.

Validator

The SigmaValidator class implements the process of validation of Sigma rules. It allows to define a set of validators as well as exclusions of validators for specific rules by rule identifiers. The configuration is passed while a SigmaValidator object is instantiated. Alternatively, the object can be instantiated from a configuration contained in a Python dict or a YAML file.

A single rule can be validated with the sigma.validation.SigmaValidator.validate_rule() method. A set of rules is validated with sigma.validation.SigmaValidator.validate_rules() and in contrast to the single rule validation this method takes care of the finalization of the validation. Finalization of the validation can be explicitely invoked with sigma.validation.SigmaValidator.finalize() and is required for validators that perform checks across different rules like identifier uniqueness.

class sigma.validation.SigmaValidator(validators: Iterable[Type[SigmaRuleValidator]], exclusions: Dict[UUID, Set[SigmaRuleValidator]] = {}, config: Dict[str, Dict[str, str | int | float | bool | tuple]] = {})

A SigmaValidator instantiates the given SigmaRuleValidator classes once at instantiation and uses them to check Sigma rules and collections. The validators can keep a state across the whole lifecycle of the SigmaValidator and can therefore also conduct uniqueness and other checks.

Exclusions can be defined to exclude validators checks for given rule identifiers.

finalize() List[SigmaValidationIssue]

Finalize all rule validators, collect their issues and return them as flat list.

Returns:

a list of all issues emitted by rule validators on finalization.

Return type:

List[SigmaValidationIssue]

classmethod from_dict(d: Dict, validators: Dict[str, SigmaRuleValidator]) SigmaValidator

Instantiate SigmaValidator from dict definition. The dict should have the following elements:

  • validators: a list of validators to use or not to use, if prefixed with -. The name ‘all’ represents all known validators.

  • exclusion: a map between rule ids and lists of validator names or a single validator name to define validation exclusions.

  • config: a map between validator names and configuration dicts that are passed as keyword arguments to the validator constructor.

Parameters:
  • d (Dict) – Definition of the SigmaValidator.

  • validators (Dict[str, SigmaRuleValidator]) – Mapping from string identifiers to validator classes.

Returns:

Instantiated SigmaValidator

Return type:

SigmaValidator

validate_rule(rule: SigmaRule) List[SigmaValidationIssue]

Validate a single rule with all rule validators configured in this SigmaValidator object. A rule validator can keep state information across the validation of multiple rules. Therefore the validation of a single rule is not necessarily isolated to itself but can also influence the result of the validation of other rules or cause that additional issues are emitted on finalization of the validator object.

Parameters:

rule (SigmaRule) – Sigma rule that should be validated.

Returns:

A list of SigmaValidationIssue objects describing potential issues.

Return type:

List[SigmaValidationIssue]

validate_rules(rules: Iterator[SigmaRule]) List[SigmaValidationIssue]

Validate Sigma rules. This method runs all validators on all rules and finalizes the validators at the end.

Parameters:

rules (Iterator[SigmaRule]) – Rule collection that should be validated.

Returns:

A list of SigmaValidationIssue objects describing potential issues.

Return type:

List[SigmaValidationIssue]

Usage

Initialize a SigmaValidator object with the set of validators that should be used. The following code instantiates it with all available validators::

from sigma.validators.core import validators
rule_validator = SigmaValidator(validators.values())

SigmaValidator instantiation can also be made configurable with YAML files. For this purpose create a YAML file such as this one:

validators:
    - all
    - -tlptag
    - -tlpv1_tag
exclusions:
    5013332f-8a70-4e04-bcc1-06a98a2cca2e: wildcards_instead_of_modifiers

The details are discussed in the next section. A SigmaValidator is then instantiated as follows::

with open("config.yml") as validation_config:
    rule_validator = SigmaValidator.from_yaml(validation_config.read())

The validation of a rule set is then run as follows::

issues = rule_validator.validate_rules(sigma_rules)

Where sigma_rules might be an arbitrary iterable of SigmaRule objects, including a SigmaCollection. The resulting issues variable contains a list of sigma.validators.base.SigmaValidationIssue() objects that simply can be printed.

Configuration

The configuration of a validation run can be stored in a dict or in a YAML file.

Validator Checks

The first item that must be contained on the top level is the validators list, that defines which validator checks should be used in the run:

validators:
    - all
    - -tlptag
    - -tlpv1_tag

The list contains the identifiers of validator classes that should be used or deactivated, if the name is prefixed with a minus -. The identifier all has a special role and activates all validator classes. This is useful to maintain a complete set of validator checks including checks that were added after the configuration was written. Particular unwanted checks are disabled with the minus syntax after the initial all declaration.

In the above example, all validator checks are enabled except the validators for TLPv1 and the combined TLP validator because TLPv2 should be used exclusively.

Exclusions

Sometimes it can be necessary to exclude validator checks for particular rules because something detected by the check is desired for this rule. For this purpose, exclusions can be defined by defining a rule identifier as key and one or multiple validator check identifiers that shouldn’t be applied to the rule. Example:

exclusions:
    5013332f-8a70-4e04-bcc1-06a98a2cca2e:
        - wildcards_instead_of_modifiers

This exclusion defines that the wildcards_instead_of_modifiers validator check is disabled for the rule with the identifier 5013332f-8a70-4e04-bcc1-06a98a2cca2e.

Configuration

Validator checks that accept parameters can be configured with a dictionary that is passed as the config parameter. This dictionary maps validator identifiers to dictionaries of parameter-value pairs that are passed as keyword arguments to the validator constructor. Example:

config:
    description_length:
        min_length: 100

Validator Checks

Validator checks implement checks of Sigma rules for particular issues. Issues can be:

  • Bad practices that likely lead to erroneous detection logic.

  • Usage of wrong tags.

  • Missing rule attributes that don’t cause rule parsing errors, but are bad practices.

A check can be conducted against a single rule or it can keep state across multiple rules and conduct a check that is not bound to a particular rule in a finalization step of a validator run.

Validator checks emit issue objects that describe detected issues and rules they appeared in. Details regarding issue objects are described below.

Implementing own Checks

A validator check is implemented by a class inherited from sigma.validators.base.SigmaRuleValidator. The method validate() is called for each rule and can be used to perform a check on the whole rule as well as collecting state information in the validator check object itself for later usage. A common location for such deferred checks is the finalize() method, that is invoked after all rules were checked individually with the validate method.

There exist various convenience classes that can be used for validation of particular parts of a Sigma rule. These classes offer special-purpose methods that are invoked for each appearance of a desired rule part and takes care of the proper iteration of these parts. These classes are:

Parametrization of Checks

If required, checks can be parametrized by passing parameters as keyword arguments to the validator check constructor. for this purpose, the validator check class must be a frozen dataclass. This can be achieved by decorating the class with @dataclass(frozen=True) from the dataclasses module.

The parameters can then be specified as dataclass members. The SigmaValidator instance will pass the parameters to the validator check constructor as keyword arguments.

Base Classes

class sigma.validators.base.SigmaDetectionValidator

A detection validator class implements a check for detection definitions contained in Sigma rules. The method validate_detection() must be implemented and is called for each detection definition contained in the Sigma rule. It can perform isolated checks per detection or collect state across different detections and then conduct checks across multiple detections in the following methods:

  • validate(): all detections across a rule.

  • finalize(): all detections across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

validate(rule: SigmaRule) List[SigmaValidationIssue]

Iterate over all detections and call validate_detection() for each.

abstract validate_detection(name: str, detection: SigmaDetection) List[SigmaValidationIssue]

Implementation of the detection validation. It is invoked for each detection.

Parameters:
  • name – Name of the validated detection.

  • detection (SigmaDetection) – detection definition that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.base.SigmaDetectionItemValidator

A detection item validator iterates over all detection definitions and their detection items and calls the method validate_detection_item() for each of them. It can perform isolated checks per detection item or collect state across different detection items and then conduct checks across multiple of them in the following methods:

  • validate_detection(): all detection items of a detection.

  • validate(): all detection items across a rule.

  • finalize(): all detection items across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

validate_detection(name: str | None, detection: SigmaDetection) List[SigmaValidationIssue]

Iterate over all detection items of a detection definition and call validate_detection_item() method on each detection item or this method itself recursively for nested detection definitions.

abstract validate_detection_item(detection_item: SigmaDetectionItem) List[SigmaValidationIssue]

Implementation of the detection item validation. It is invoked for each detection item.

Parameters:

detection_item (SigmaDetectionItem) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.base.SigmaValueValidator

A value validator iterates over all values contained in a Sigma rules detection items and calls the method validate_value() for each of them if the type is contained in the validated_types set. It can perform isolated checks per value or collect state across different values and then conduct checks across multiple of them in the following methods:

  • validate_detection_item(): all values of a detection item.

  • validate_detection(): all detection items of a detection.

  • validate(): all detection items across a rule.

  • finalize(): all detection items across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

validate_detection_item(detection_item: SigmaDetectionItem) List[SigmaValidationIssue]

Iterate over all values of a detection item and call validate_value() method for each of them if they are contained in the validated_types class attribute.

abstract validate_value(value: SigmaType) List[SigmaValidationIssue]

Implementation of the value validation. It is invoked for each value of a type.

Parameters:

value (SigmaType) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.base.SigmaStringValueValidator

A value validator iterates over all values contained in a Sigma rules detection items and calls the method validate_value() for all strings. It can perform isolated checks per value or collect state across different values and then conduct checks across multiple of them in the following methods:

  • validate_detection_item(): all values of a detection item.

  • validate_detection(): all detection items of a detection.

  • validate(): all detection items across a rule.

  • finalize(): all detection items across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

class sigma.validators.base.SigmaTagValidator

The tag validator iterates over all tags from the rule and calls the method validate_tag() for each tag.

validate(rule: SigmaRuleBase) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

abstract validate_tag(tag: SigmaRuleTag) List[SigmaValidationIssue]

Validates a tag.

Checks Implemented in pySigma

This section lists all implemented validation check classes including their associated issue classes.

class sigma.validators.core.condition.AllOfThemConditionIssue(rules: List[sigma.rule.base.SigmaRuleBase])
class sigma.validators.core.condition.AllOfThemConditionValidator

Find occurrences of discouraged ‘all of them’ conditions.

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.condition.DanglingConditionIssue(rules: List[sigma.rule.base.SigmaRuleBase], condition_name: str)
class sigma.validators.core.condition.DanglingConditionValidator

Check for non existing detection definitions referenced from the condition.

condition_unknown_referenced_ids(cond: ConditionItem, detections: SigmaDetections) Set[str]

Return set of unknown item identifier referenced by condition.

Parameters:
  • cond (ConditionItem) – Condition to analyze.

  • detections (SigmaDetections) – Detections referenced from condition.

Returns:

Set of unknown referenced detection identifiers.

Return type:

Set[str]

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.condition.DanglingDetectionIssue(rules: List[sigma.rule.base.SigmaRuleBase], detection_name: str)
class sigma.validators.core.condition.DanglingDetectionValidator

Check for detection definitions not referenced from condition.

condition_referenced_ids(cond: ConditionItem, detections: SigmaDetections) Set[str]

Return detection item identifier referenced by condition.

Parameters:
  • cond (ConditionItem) – Condition to analyze.

  • detections (SigmaDetections) – Detections referenced from condition.

Returns:

Set of referenced detection identifiers.

Return type:

Set[str]

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.condition.ThemConditionWithSingleDetectionIssue(rules: List[sigma.rule.base.SigmaRuleBase])
class sigma.validators.core.condition.ThemConditionWithSingleDetectionValidator

Detect conditions referring to ‘them’ with only one detection.

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.metadata.CustomAttributesIssue(rules: List[sigma.rule.base.SigmaRuleBase], fieldname: str)
class sigma.validators.core.metadata.CustomAttributesValidator

Check if field name is similar to legit one

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.metadata.DuplicateFilenameIssue(rules: List[sigma.rule.base.SigmaRuleBase], filename: str)
class sigma.validators.core.metadata.DuplicateFilenameValidator

Check rule filename uniqueness.

finalize() List[SigmaValidationIssue]

Finalize a validation run and return validation issues that apply to multiple rules.

Returns:

List of validation issues.

Return type:

List[SigmaValidationIssue]

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.metadata.DuplicateReferencesIssue(rules: List[sigma.rule.base.SigmaRuleBase], reference: str)
class sigma.validators.core.metadata.DuplicateReferencesValidator

Validate rule References uniqueness.

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.metadata.DuplicateTitleIssue(rules: List[sigma.rule.base.SigmaRuleBase], title: str)
class sigma.validators.core.metadata.DuplicateTitleValidator

Check rule title uniqueness.

finalize() List[SigmaValidationIssue]

Finalize a validation run and return validation issues that apply to multiple rules.

Returns:

List of validation issues.

Return type:

List[SigmaValidationIssue]

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.metadata.FilenameLengthIssue(rules: List[sigma.rule.base.SigmaRuleBase], filename: str)
class sigma.validators.core.metadata.FilenameLengthValidator(min_size: int = 10, max_size: int = 90)

Check rule filename length

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.metadata.IdentifierCollisionIssue(rules: List[sigma.rule.base.SigmaRuleBase], identifier: uuid.UUID)
class sigma.validators.core.metadata.IdentifierExistenceIssue(rules: List[sigma.rule.base.SigmaRuleBase])
class sigma.validators.core.metadata.IdentifierExistenceValidator

Checks if rule has identifier.

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.metadata.IdentifierUniquenessValidator

Check rule UUID uniqueness.

finalize() List[SigmaValidationIssue]

Finalize a validation run and return validation issues that apply to multiple rules.

Returns:

List of validation issues.

Return type:

List[SigmaValidationIssue]

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.modifiers.AllWithoutContainsModifierIssue(rules: List[sigma.rule.base.SigmaRuleBase], detection_item: sigma.rule.detection.SigmaDetectionItem)
class sigma.validators.core.modifiers.Base64OffsetWithoutContainsModifierIssue(rules: List[sigma.rule.base.SigmaRuleBase], detection_item: sigma.rule.detection.SigmaDetectionItem)
class sigma.validators.core.modifiers.InvalidModifierCombinationsValidator

Detects invalid combinations of value modifiers.

validate_detection_item(detection_item: SigmaDetectionItem) List[SigmaValidationIssue]

Implementation of the detection item validation. It is invoked for each detection item.

Parameters:

detection_item (SigmaDetectionItem) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.modifiers.ModifierAppliedMultipleIssue(rules: List[sigma.rule.base.SigmaRuleBase], detection_item: sigma.rule.detection.SigmaDetectionItem, modifiers: Set[Type[sigma.modifiers.SigmaModifier]])
class sigma.validators.core.tags.ATTACKTagValidator

Check for usage of valid MITRE ATT&CK tags.

validate_tag(tag: SigmaRuleTag) List[SigmaValidationIssue]

Validates a tag.

class sigma.validators.core.tags.CARTagValidator

Validate rule CAR tag

class sigma.validators.core.tags.CVETagValidator

Validate rule CVE tag

class sigma.validators.core.tags.D3FENDTagValidator

Check for usage of valid MITRE D3FEND tags.

validate_tag(tag: SigmaRuleTag) List[SigmaValidationIssue]

Validates a tag.

class sigma.validators.core.tags.DetectionTagValidator

Validate rule detection tag

class sigma.validators.core.tags.DuplicateTagIssue(rules: List[sigma.rule.base.SigmaRuleBase], tag: sigma.rule.attributes.SigmaRuleTag)
class sigma.validators.core.tags.DuplicateTagValidator

Validate rule tag uniqueness.

validate(rule: SigmaRule) List[SigmaValidationIssue]

Implementation of the rule validation.

Parameters:

rule (SigmaRuleBase) – Sigma rule that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.tags.InvalidATTACKTagIssue(rules: List[sigma.rule.base.SigmaRuleBase], tag: sigma.rule.attributes.SigmaRuleTag)
class sigma.validators.core.tags.InvalidD3FENDagIssue(rules: List[sigma.rule.base.SigmaRuleBase], tag: sigma.rule.attributes.SigmaRuleTag)
class sigma.validators.core.tags.InvalidNamespaceTagIssue(rules: List[sigma.rule.base.SigmaRuleBase], tag: sigma.rule.attributes.SigmaRuleTag)
class sigma.validators.core.tags.InvalidPatternTagIssue(rules: List[sigma.rule.base.SigmaRuleBase], tag: sigma.rule.attributes.SigmaRuleTag)
class sigma.validators.core.tags.InvalidTLPTagIssue(rules: List[sigma.rule.base.SigmaRuleBase], tag: sigma.rule.attributes.SigmaRuleTag)
class sigma.validators.core.tags.InvalidTagFormatIssue(rules: List[sigma.rule.base.SigmaRuleBase], tag: sigma.rule.attributes.SigmaRuleTag)
class sigma.validators.core.tags.NamespaceTagValidator

Validate rule tag namespace

validate_tag(tag: SigmaRuleTag) List[SigmaValidationIssue]

Validates a tag.

class sigma.validators.core.tags.STPTagValidator

Validate rule STP tag

class sigma.validators.core.tags.TLPTagValidator

Validation of TLP tags from all versions of the TLP standard.

class sigma.validators.core.tags.TLPTagValidatorBase

Base class for TLP tag validation

validate_tag(tag: SigmaRuleTag) List[SigmaValidationIssue]

Validates a tag.

class sigma.validators.core.tags.TLPv1TagValidator

Validation of TLP tags according to old version 1 standard.

class sigma.validators.core.tags.TLPv2TagValidator

Validation of TLP tags according to version 2 standard.

class sigma.validators.core.tags.TagFormatValidator

Validate rule tag namespace and name allowed char

validate_tag(tag: SigmaRuleTag) List[SigmaValidationIssue]

Validates a tag.

class sigma.validators.core.tags.TagPatternValidatorBase

Base class for tag pattern validation

validate_tag(tag: SigmaRuleTag) List[SigmaValidationIssue]

Validates a tag.

class sigma.validators.core.values.ControlCharacterIssue(rules: List[sigma.rule.base.SigmaRuleBase], string: sigma.types.SigmaString)
class sigma.validators.core.values.ControlCharacterValidator

Check for control characters in string values, which are normally inserted unintentionally by wrong usage of single backslashes, e.g. before a t character, where double backslashes are required.

validate_value(value: SigmaString) List[SigmaValidationIssue]

Implementation of the value validation. It is invoked for each value of a type.

Parameters:

value (SigmaType) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.values.DoubleWildcardIssue(rules: List[sigma.rule.base.SigmaRuleBase], string: sigma.types.SigmaString)
class sigma.validators.core.values.DoubleWildcardValidator

Check strings for consecutive multi-character wildcards.

validate_value(value: SigmaString) List[SigmaValidationIssue]

Implementation of the value validation. It is invoked for each value of a type.

Parameters:

value (SigmaType) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.values.EscapedWildcardIssue(rules: List[sigma.rule.base.SigmaRuleBase], string: sigma.types.SigmaString)
class sigma.validators.core.values.EscapedWildcardValidator

Check for the presence of escaped wildcards.

validate_value(value: SigmaString) List[SigmaValidationIssue]

Implementation of the value validation. It is invoked for each value of a type.

Parameters:

value (SigmaType) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.values.NumberAsStringIssue(rules: List[sigma.rule.base.SigmaRuleBase], string: sigma.types.SigmaString)
class sigma.validators.core.values.NumberAsStringValidator

Check numbers that were expressed as strings.

validate_value(value: SigmaString) List[SigmaValidationIssue]

Implementation of the value validation. It is invoked for each value of a type.

Parameters:

value (SigmaType) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.core.values.WildcardInsteadOfEndswithIssue(rules: List[sigma.rule.base.SigmaRuleBase], detection_item: sigma.rule.detection.SigmaDetectionItem)
class sigma.validators.core.values.WildcardInsteadOfStartswithIssue(rules: List[sigma.rule.base.SigmaRuleBase], detection_item: sigma.rule.detection.SigmaDetectionItem)
class sigma.validators.core.values.WildcardsInsteadOfContainsModifierIssue(rules: List[sigma.rule.base.SigmaRuleBase], detection_item: sigma.rule.detection.SigmaDetectionItem)
class sigma.validators.core.values.WildcardsInsteadOfModifiersValidator

Check if wildcards were used where usage of startswith, endswith and contains modifiers would be possible.

validate_detection_item(detection_item: SigmaDetectionItem) List[SigmaValidationIssue]

Implementation of the detection item validation. It is invoked for each detection item.

Parameters:

detection_item (SigmaDetectionItem) – detection item that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

Issues

An issue is a class inherited from sigma.validators.base.SigmaValidationIssue:

class sigma.validators.base.SigmaValidationIssue(rules: List[SigmaRuleBase])

Describes an issue of one or multiple Sigma rules. This is a base class that should be overridden with specific issue classes. Description should contain some general issue information defined statically for the class. Additional issue information should be provided by additional fields that are automatically rendered in the representation methods.

It must declare at least the following class attributes:

  • description: a string with a textual description of the issue displayed to the user.

  • severity: a severity as SigmaValidationIssueSeverity object.

Further attributes can be defined optionally and are rendered when the issue object is converted to a string.

Severities are defined as follows:

class sigma.validators.base.SigmaValidationIssueSeverity(value)

Severity of a Sigma rule validation issue:

  • Low: minor improvement suggestion that results in better readability or maintainability of the rule.

  • Medium: issue can cause problems under certain conditions or the meaning of the rule can be different from intended.

  • High: issue will cause problems. It is certain that the intention of the rule author and the rule logic deviate or the rule doesn’t match anything.