Description
Currently in the V2 specification for Sigma Meta Filters, there is a requirement to specify rule names or IDs to which the filter will apply as per the example below:
```yaml
---
title: Test
id: a6a829ba-c27a-4e3b-9244-28a2cd7d994a
name: test_rule
status: test
logsource:
    category: test_category
    product: test_product
detection:
    sel:
        fieldA: valueA
    condition: sel
---
title: Filter Test
id: 8a876a7d-e281-46d7-9ccc-fcbbd822737b
status: test
logsource:
    category: test_category
    product: test_product
filter:
    rules:
        - test_rule
    selection:
        fieldB: valueB
    condition: not selection
```
Being able to scope filters to specific rules is really useful for some use cases, but at Grafana, and presumably in other SecOps teams, we'd like to be able to apply filters as a more generic transform. A real-world example is that we want to be able to exclude one of our machine identities from triggering AWS rules, because it will trigger all of them. Rather than specifying each rule individually, I'd like to be able to write a filter more like the one below and then apply it at convert time:
```yaml
---
title: Filter out machine identity
id: 94b03457-03bb-4f10-9a34-eda129608bdd
status: test
logsource:
    category: cloud
    product: aws
filter:
    rules:
        - logsource:
            product: aws
    selection:
        userIdentity.arn: arn:aws:iam::ACCOUNT:/user/machine-identity
    condition: not selection
```
I think this will extend the usage of filters and make it easier to create exclusions for rules that are in a similar category.
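As an added illustration (not part of this issue or of pySigma's own code), here is a small Python model of both scoping modes: a filter whose `rules` entries are rule names or ids (current v2 syntax) beside one whose entry is a `logsource` mapping (the proposal), plus a merge step that ANDs the filter's condition onto each matching rule. The rule and filter documents are constructed inline as dicts, and the merge semantics (unique detection key, `(rule) and (filter)` condition) are an assumption for illustration, not the specification's wording.

```python
import copy
import re

# Constructed rule documents standing in for the issue's YAML; rules 2 and 3 are made up.
RULES = [
    {"id": "a6a829ba-c27a-4e3b-9244-28a2cd7d994a", "name": "test_rule",
     "logsource": {"category": "test_category", "product": "test_product"},
     "detection": {"sel": {"fieldA": "valueA"}, "condition": "sel"}},
    {"id": "rule-aws-example", "name": "aws_console_login",
     "logsource": {"category": "cloud", "product": "aws"},
     "detection": {"sel": {"eventName": "ConsoleLogin"}, "condition": "sel"}},
    {"id": "rule-win-example", "name": "win_example",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {"sel": {"Image": "x.exe"}, "condition": "sel"}},
]
# Constructed filters: the first is scoped by rule name (current v2 syntax),
# the second by logsource as the issue proposes.
FILTERS = [
    {"id": "8a876a7d-e281-46d7-9ccc-fcbbd822737b", "filter": {
        "rules": ["test_rule"],
        "selection": {"fieldB": "valueB"}, "condition": "not selection"}},
    {"id": "94b03457-03bb-4f10-9a34-eda129608bdd", "filter": {
        "rules": [{"logsource": {"product": "aws"}}],
        "selection": {"userIdentity.arn": "arn:aws:iam::ACCOUNT:/user/machine-identity"},
        "condition": "not selection"}},
]

def filter_applies(rule, filt):
    """A string entry in filter.rules must equal the rule's name or id; a mapping
    with a logsource key matches when every field it lists equals the rule's."""
    for target in filt["filter"]["rules"]:
        if isinstance(target, str) and target in (rule.get("name"), rule.get("id")):
            return True
        if isinstance(target, dict) and "logsource" in target:
            have = rule.get("logsource", {})
            if all(have.get(k) == v for k, v in target["logsource"].items()):
                return True
    return False

def apply_filters(rule, filters):
    """Copy the rule and merge in every applicable filter: its selection goes under
    a unique detection key and its condition is ANDed onto the rule's condition."""
    merged = copy.deepcopy(rule)
    for i, filt in enumerate(filters):
        if not filter_applies(rule, filt):
            continue
        key = f"filter_{i}"  # unique key so several filters never collide
        merged["detection"][key] = filt["filter"]["selection"]
        cond = re.sub(r"\bselection\b", key, filt["filter"]["condition"])
        merged["detection"]["condition"] = f"({merged['detection']['condition']}) and ({cond})"
    return merged
```

Running `apply_filters(RULES[1], FILTERS)` attaches only the logsource-scoped filter to the AWS rule, while the Windows rule is left unchanged; the name-scoped filter still reaches only `test_rule`.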