chg: update supported modifier

Yamato-Security · Dec 21, 2024 · 3b0665e · 3b0665e
1 parent 487e96d
commit 3b0665e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 18 deletions.
diff --git a/doc/SupportedSigmaFieldModifiers.md b/doc/SupportedSigmaFieldModifiers.md
@@ -9,13 +9,15 @@
 | containsǀall                  |           978 |                0 |
 | containsǀallǀwindash          |             4 |                0 |
 | containsǀcased                |             0 |                0 |
+| containsǀexpand               |             1 |                0 |
 | containsǀwindash              |            78 |                0 |
 | endswith                      |          2927 |              271 |
 | endswithfield                 |             0 |                0 |
 | endswithǀcased                |             0 |                0 |
 | endswithǀwindash              |             2 |                0 |
 | equalsfield                   |             0 |                0 |
 | exists                        |             0 |                0 |
+| expand                        |             9 |                0 |
 | fieldref                      |             1 |                1 |
 | fieldrefǀcontains             |             0 |                0 |
 | fieldrefǀendswith             |             0 |                2 |
@@ -36,25 +38,25 @@
 | wideǀbase64offsetǀcontains    |             0 |                0 |
 
 # Hayabusa unsupported field modifiers
-| Field Modifier   |   Sigma Count |   Hayabusa Count |
-|:-----------------|--------------:|-----------------:|
-| containsǀexpand  |             1 |                0 |
-| expand           |             9 |                0 |
+| Field Modifier   | Sigma Count   | Hayabusa Count   |
+|------------------|---------------|------------------|
 
 # Hayabusa supported correlation rules
-| Correlation Rule            |   Sigma Count |   Hayabusa Count |
-|:----------------------------|--------------:|-----------------:|
-| event_count                 |             0 |                0 |
-| event_count (with group-by) |             0 |                1 |
-| value_count                 |             0 |                0 |
-| value_count (with group-by) |             0 |                2 |
+| Correlation Rule                 |   Sigma Count |   Hayabusa Count |
+|:---------------------------------|--------------:|-----------------:|
+| event_count                      |             0 |                0 |
+| event_count (with group-by)      |             0 |                1 |
+| temporal                         |             0 |                0 |
+| temporal (with group-by)         |             0 |                0 |
+| temporal_ordered                 |             0 |                0 |
+| temporal_ordered (with group-by) |             0 |                0 |
+| value_count                      |             0 |                0 |
+| value_count (with group-by)      |             0 |                2 |
 
 # Hayabusa un-supported correlations rules
-| Correlation Rule               |   Sigma Count |   Hayabusa Count |
-|:-------------------------------|--------------:|-----------------:|
-| temporal_count                 |             0 |                0 |
-| temporal_count (with group-by) |             0 |                0 |
+| Correlation Rule   | Sigma Count   | Hayabusa Count   |
+|--------------------|---------------|------------------|
 
 This document is being dynamically updated based on the latest rules.  
-Last Update: 2024/12/19  
+Last Update: 2024/12/21  
 Author: Fukusuke Takahashi
diff --git a/scripts/supported_modifiers_check/supported-modifier.py b/scripts/supported_modifiers_check/supported-modifier.py
@@ -68,7 +68,7 @@ def get_yml_detection_counts(dir_path: str) -> (Counter, Counter):
     ]
     sigma_correlations = [
         "value_count", "value_count (with group-by)", "event_count", "event_count (with group-by)",
-        "temporal_count", "temporal_count (with group-by)"
+        "temporal", "temporal (with group-by)", "temporal_ordered", "temporal_ordered (with group-by)"
     ]
     mod = count_modifiers(Counter(sorted(yml_detection_keys)), sigma_modifiers)
     cor = count_modifiers(Counter(sorted(yml_correlation_keys)), sigma_correlations)
@@ -103,10 +103,10 @@ def categorize_modifiers(sigma_key_counter, hayabusa_key_counter, hayabusa_suppo
     sigma_mod_counter, sigma_col_counter = get_yml_detection_counts(args.sigma_path)
     hayabusa_mod_counter, hayabusa_col_counter = get_yml_detection_counts(args.hayabusa_path)
 
-    hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref', 'gt', 'gte', 'lt', 'lte', 'utf16', 'utf16be', 'utf16le', 'wide'}
+    hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "expand", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref', 'gt', 'gte', 'lt', 'lte', 'utf16', 'utf16be', 'utf16le', 'wide'}
     mod_supported, mod_unsupported = categorize_modifiers(sigma_mod_counter, hayabusa_mod_counter, hayabusa_supported_modifiers)
 
-    hayabusa_supported_modifiers = {"event_count", "event_count (with group-by)", "value_count", "value_count (with group-by)"}
+    hayabusa_supported_modifiers = {"event_count", "event_count (with group-by)", "value_count", "value_count (with group-by)", "temporal", "temporal (with group-by)", "temporal_ordered", "temporal_ordered (with group-by)"}
     col_supported, col_unsupported = categorize_modifiers(sigma_col_counter, hayabusa_col_counter, hayabusa_supported_modifiers)
 
     markdown_str = "# Hayabusa supported field modifiers\n"