v1.1.0

What's Changed

• New: Support any for Sigma Filters rule references by @sifex in #430
• Fix: replace parseString by parse_string by @FlorianBracq in #432
• Fix: to avoid re-parsing SigmaString entries in values by @vl43den in #433

New Contributors

• @vl43den made their first contribution in #433

Full Changelog: v1.0.2...v1.1.0

v1.0.2

What's Changed

• Fix query finishing for correlation rules and add tests by @thomaspatzke in #429
• Fix: extract correct D3FEND version by @thomaspatzke in #428

Full Changelog: v1.0.1...v1.0.2

v1.0.1

What's Changed

• Add PyPI-based pySigma version dependency detection for plugins by @Copilot in #426
• Plugin compatibility check uses PyPI dependency information by @thomaspatzke in #427

Full Changelog: v1.0.0...v1.0.1

v1.0.0

BREAKING CHANGES

Check the breaking changes documentation for a full list of changes that might break existing code.

What's Changed

• Implemented a better date conversion for 'date:' and 'modified:' fields. by @aviaconstructor in #297
• Deal with empty string for ignore_case_brackets by @frack113 in #302
• Not Equals (!=) Expressions by @slincoln-systemtwo in #301
• Improve SigmaTransformationError by @r0ot in #300
• Return a SigmaString if the regex is empty by @frack113 in #303
• Fix NestedProcessingTransformation by @r0ot in #298
• Check invalid pipeline keys by @frack113 in #307
• Proposal for fieldref wildcard support by @kelnage in #305
• Add CaseTransformation by @frack113 in #306
• Integration of fieldref into base backend by @thomaspatzke in #308
• #309 Support for snake_case transformation on a field. by @suryamajhi in #310
• Add MatchValueCondition for exact value matching by @thomaspatzke in #312
• Enhance equality comparison for SigmaNumber and SigmaBool by @thomaspatzke in #313
• Implement timestamp part modifiers for use in backends. by @Res260 in #315
• Fix: Handle None case in field_name_prefix_mapping by @kid0604 in #314
• Test time modifiers by @Res260 in #316
• feat: support poetry 2.0 by @chenrui333 in #318
• Add Panther Sigma backend in Related Projects by @le4ker in #320
• Prepare Pysigma for EQL Correlations by @Mat0vu in #324
• Prepare for EQL Correlations by @Mat0vu in #325
• feat(placeholders): allow regex valuelist transformation by @m4dh4t in #322
• Update mitre_attack to 16.1 by @frack113 in #326
• Fixed the type transformation when the given value is a SigmaExpansion by @marcelkwaschny in #329
• Add neq operator by @frack113 in #330
• Fix some linting issues by @andurin in #331
• Typechecking hb by @andurin in #332
• Update jinja2 to at least 3.1.6 by @nikstuckenbrock in #333
• Finalize all rules, including those which are part of correlation rules by @arblade in #336
• Add condition existence check in post-init method by @thomaspatzke in #344
• Add correlation fields to query by @arblade in #347
• fix(SigmaRegularExpression): invalid escapements by @m4dh4t in #356
• build: 📦 Update to MITRE V17.0 by @frack113 in #357
• resolver: resolve alphabetically if pipelines have same priority by @ariel-anieli in #360
• Fix the sigmadetections to dict test case by @emmanuel-ferdman in #366
• Update to MITRE V17.1 by @frack113 in #367
• Adds "StrictFieldMappingFailure" to the available transformations. by @sifex in #365
• build: 📦 Update pyproject.toml by @frack113 in #369
• chore: 🧹 Add missing FieldnameLogsourceValidator information by @frack113 in #368
• Fix Exclude fields error in yaml by @frack113 in #371
• Fixed typing issues by @thomaspatzke in #372
• Fix timestamp handling when paired with |gt |gte |lt and |lte… by @Res260 in #375
• Include rule scope in SigmaRule.to_dict() by @nsmithuk in #376
• Switch to pyYAML CSafeLoader by @thomaspatzke in #383
• Add support for custom expressions in empty AND/OR conditions by @thomaspatzke in #386
• Support multiple condition fields in correlation rules mapping by @vruello in #384
• Preserve type when slicing SigmaCasedString by @nsmithuk in #385
• Refactor type hints to use built-in list and dict instead of List and Dict from typing module by @thomaspatzke in #387
• Resolve rule references in SigmaCollection initialization by default. by @thomaspatzke in #388
• Split query finalization in conversion process by @thomaspatzke in #389
• replace setParseAction by set_parse_action to fix deprecation warning by @vx3r in #392
• Add backend name and output format to processing pipeline variables by @thomaspatzke in #390
• Fixed conversion of SigmaDetection to plain by @thomaspatzke in #397
• Use _future.annotations for type hinting by @FlorianBracq in #391
• Add support for importing Python helper functions into Jinja2 templates by @Copilot in #399
• Add Windash Validator by @nasbench in #401
• Add GitHub Copilot instructions for repository by @Copilot in #403
• Add support for Python 3.14 by @otetard in #400
• Add support for Sigma Spec 2.1.0 correlation types: value_sum, value_avg, value_percentile, value_median by @Copilot in #398
• Update black version in pre-commit config to match poetry.lock by @Copilot in #408
• Fix SigmaStatus and SigmaLevel equality operators to return False instead of raising exceptions by @Copilot in #413
• Update typing to use type Self by @FlorianBracq in #410
• Fix AddConditionTransformation to handle empty conditions by @Copilot in #405
• Replace static MITRE data with on-demand API loading by @Copilot in #415
• Fix keyword search semantics loss when mapping None to field name by @Copilot in #406
• Enhance MITRE data loading: add support for custom URLs and local file paths by @thomaspatzke in #417
• Support list-type attributes in RuleAttributeCondition by @Copilot in #416
• Fix/Improvement of MITRE data download by @thomaspatzke in #420
• Updated dependencies by @thomaspatzke in #421

New Contributors

• @aviaconstructor made their first contribution in #297
• @r0ot made their first contribution in #300
• @suryamajhi made their first contribution in #310
• @kid0604 made their first contribution in #314
• @chenrui333 made their first contribution in #318
• @le4ker made their first contribution in #320
• @arblade made their first contribution in #336
• @ariel-anieli made their first contribution in #360
• @emmanuel-ferdman made their first contribution in #366
• @nsmithuk made their first contribution in #376
• @vruello made their first contribution in #384
• @vx3r made their first contribution in #392
• @FlorianBracq made their first contribution in #391
• @Copilot made their first contribution in #399
• @otetard made their first contribution in #400

Full Changelog: v0.11.23...v1.0.0

v1.0.0rc2

Release candidate for the stable 1.0 version of pySigma.

What's Changed

• Implemented a better date conversion for 'date:' and 'modified:' fields. by @aviaconstructor in #297
• Deal with empty string for ignore_case_brackets by @frack113 in #302
• Not Equals (!=) Expressions by @slincoln-systemtwo in #301
• Improve SigmaTransformationError by @r0ot in #300
• Return a SigmaString if the regex is empty by @frack113 in #303
• Fix NestedProcessingTransformation by @r0ot in #298
• Check invalid pipeline keys by @frack113 in #307
• Proposal for fieldref wildcard support by @kelnage in #305
• Add CaseTransformation by @frack113 in #306
• Integration of fieldref into base backend by @thomaspatzke in #308
• #309 Support for snake_case transformation on a field. by @suryamajhi in #310
• Add MatchValueCondition for exact value matching by @thomaspatzke in #312
• Enhance equality comparison for SigmaNumber and SigmaBool by @thomaspatzke in #313
• Implement timestamp part modifiers for use in backends. by @Res260 in #315
• Fix: Handle None case in field_name_prefix_mapping by @kid0604 in #314
• Test time modifiers by @Res260 in #316
• feat: support poetry 2.0 by @chenrui333 in #318
• Add Panther Sigma backend in Related Projects by @le4ker in #320
• Prepare Pysigma for EQL Correlations by @Mat0vu in #324
• Prepare for EQL Correlations by @Mat0vu in #325
• feat(placeholders): allow regex valuelist transformation by @m4dh4t in #322
• Update mitre_attack to 16.1 by @frack113 in #326
• Fixed the type transformation when the given value is a SigmaExpansion by @marcelkwaschny in #329
• Add neq operator by @frack113 in #330
• Fix some linting issues by @andurin in #331
• Typechecking hb by @andurin in #332
• Update jinja2 to at least 3.1.6 by @nikstuckenbrock in #333
• Finalize all rules, including those which are part of correlation rules by @arblade in #336
• Add condition existence check in post-init method by @thomaspatzke in #344
• Add correlation fields to query by @arblade in #347
• fix(SigmaRegularExpression): invalid escapements by @m4dh4t in #356
• build: 📦 Update to MITRE V17.0 by @frack113 in #357
• resolver: resolve alphabetically if pipelines have same priority by @ariel-anieli in #360
• Fix the sigmadetections to dict test case by @emmanuel-ferdman in #366
• Update to MITRE V17.1 by @frack113 in #367
• Adds "StrictFieldMappingFailure" to the available transformations. by @sifex in #365
• build: 📦 Update pyproject.toml by @frack113 in #369
• chore: 🧹 Add missing FieldnameLogsourceValidator information by @frack113 in #368
• Fix Exclude fields error in yaml by @frack113 in #371
• Fixed typing issues by @thomaspatzke in #372
• Fix timestamp handling when paired with |gt |gte |lt and |lte… by @Res260 in #375

Breaking Changes

Due to refactoring of the code, the behavior of pySigma changed in some locations:

• Initialization of a SigmaDetectionItem doesn't convert plain types to SigmaType objects anymore and expects a list as value. Use SigmaDetectionItem.from_mapping() or .from_value() instead.
• Deprecation of SigmaCompareExpression.CompareOperators. Use CompareOperators from sigma.types package directly.
• SigmaCollection.from_yaml(), .from_dicts() — new parameter collect_filters introduced at position after collect_errors.
• SigmaCollection() constructor — new parameter collect_filters introduced at position after errors.
• SigmaPipelineConditionError: parameter ordering changed, expression and location are now optional.
• QueryPostprocessingTransformation introduces apply_query() method for clear distinction of methods for different processing stages.
• Functionality of inherited classes was consolidated into FieldMappingTransformationBase. The method get_mapping from FieldMappingTransformation and all classes inherited from it was consolidated into apply_field_name.
• Validator config now uses identifier (filename_length) instead of class name (FilenameLengthValidator) to establish consistency with remaining config.
• SigmaValueValidator.validated_types was removed. Instead the type has to be checked in the validate_value method.
• The validation logic of a class inherited by SigmaStringValueValidator is now implemented in a validate_string method instead of validate_value.
• The ProcessingPipeline is only initialized once per backend instantiation instead of once per converted rule. The state dict is reset for each call to apply().
• The references to the using pipeline of objects derived from classess inheriting from ProcessingItem, Transformation, RuleCondition, DetectionItemCondition and FieldNameCondition can only be set once. Further attempts will raise an exception. This implies that such objects can't be re-used in a pipeline (e.g. as variable), but have to be instantiated again for each usage (e.g. via factory).
• The type parameter of IncludeFieldCondition and ExcludeFieldCondition was renamed to mode.

New Contributors

• @aviaconstructor made their first contribution in #297
• @r0ot made their first contribution in #300
• @suryamajhi made their first contribution in #310
• @kid0604 made their first contribution in #314
• @chenrui333 made their first contribution in #318
• @le4ker made their first contribution in #320
• @arblade made their first contribution in #336
• @ariel-anieli made their first contribution in #360
• @emmanuel-ferdman made their first contribution in #366

Full Changelog: v0.11.23...v1.0.0rc1

v1.0.0rc1

First release candidate for the stable 1.0 version of pySigma.

What's Changed

• Implemented a better date conversion for 'date:' and 'modified:' fields. by @aviaconstructor in #297
• Deal with empty string for ignore_case_brackets by @frack113 in #302
• Not Equals (!=) Expressions by @slincoln-systemtwo in #301
• Improve SigmaTransformationError by @r0ot in #300
• Return a SigmaString if the regex is empty by @frack113 in #303
• Fix NestedProcessingTransformation by @r0ot in #298
• Check invalid pipeline keys by @frack113 in #307
• Proposal for fieldref wildcard support by @kelnage in #305
• Add CaseTransformation by @frack113 in #306
• Integration of fieldref into base backend by @thomaspatzke in #308
• #309 Support for snake_case transformation on a field. by @suryamajhi in #310
• Add MatchValueCondition for exact value matching by @thomaspatzke in #312
• Enhance equality comparison for SigmaNumber and SigmaBool by @thomaspatzke in #313
• Implement timestamp part modifiers for use in backends. by @Res260 in #315
• Fix: Handle None case in field_name_prefix_mapping by @kid0604 in #314
• Test time modifiers by @Res260 in #316
• feat: support poetry 2.0 by @chenrui333 in #318
• Add Panther Sigma backend in Related Projects by @le4ker in #320
• Prepare Pysigma for EQL Correlations by @Mat0vu in #324
• Prepare for EQL Correlations by @Mat0vu in #325
• feat(placeholders): allow regex valuelist transformation by @m4dh4t in #322
• Update mitre_attack to 16.1 by @frack113 in #326
• Fixed the type transformation when the given value is a SigmaExpansion by @marcelkwaschny in #329
• Add neq operator by @frack113 in #330
• Fix some linting issues by @andurin in #331
• Typechecking hb by @andurin in #332
• Update jinja2 to at least 3.1.6 by @nikstuckenbrock in #333
• Finalize all rules, including those which are part of correlation rules by @arblade in #336
• Add condition existence check in post-init method by @thomaspatzke in #344
• Add correlation fields to query by @arblade in #347
• fix(SigmaRegularExpression): invalid escapements by @m4dh4t in #356
• build: 📦 Update to MITRE V17.0 by @frack113 in #357
• resolver: resolve alphabetically if pipelines have same priority by @ariel-anieli in #360
• Fix the sigmadetections to dict test case by @emmanuel-ferdman in #366
• Update to MITRE V17.1 by @frack113 in #367
• Adds "StrictFieldMappingFailure" to the available transformations. by @sifex in #365
• build: 📦 Update pyproject.toml by @frack113 in #369
• chore: 🧹 Add missing FieldnameLogsourceValidator information by @frack113 in #368
• Fix Exclude fields error in yaml by @frack113 in #371
• Fixed typing issues by @thomaspatzke in #372
• Fix timestamp handling when paired with |gt |gte |lt and |lte… by @Res260 in #375

Breaking Changes

Due to refactoring of the code, the behavior of pySigma changed in some locations:

• Initialization of a SigmaDetectionItem doesn't convert plain types to SigmaType objects anymore and expects a list as value. Use SigmaDetectionItem.from_mapping() or .from_value() instead.
• Deprecation of SigmaCompareExpression.CompareOperators. Use CompareOperators from sigma.types package directly.
• SigmaCollection.from_yaml(), .from_dicts() — new parameter collect_filters introduced at position after collect_errors.
• SigmaCollection() constructor — new parameter collect_filters introduced at position after errors.
• SigmaPipelineConditionError: parameter ordering changed, expression and location are now optional.
• QueryPostprocessingTransformation introduces apply_query() method for clear distinction of methods for different processing stages.
• Functionality of inherited classes was consolidated into FieldMappingTransformationBase. The method get_mapping from FieldMappingTransformation and all classes inherited from it was consolidated into apply_field_name.
• Validator config now uses identifier (filename_length) instead of class name (FilenameLengthValidator) to establish consistency with remaining config.
• SigmaValueValidator.validated_types was removed. Instead the type has to be checked in the validate_value method.
• The validation logic of a class inherited by SigmaStringValueValidator is now implemented in a validate_string method instead of validate_value.
• The ProcessingPipeline is only initialized once per backend instantiation instead of once per converted rule. The state dict is reset for each call to apply().

New Contributors

• @aviaconstructor made their first contribution in #297
• @r0ot made their first contribution in #300
• @suryamajhi made their first contribution in #310
• @kid0604 made their first contribution in #314
• @chenrui333 made their first contribution in #318
• @le4ker made their first contribution in #320
• @arblade made their first contribution in #336
• @ariel-anieli made their first contribution in #360
• @emmanuel-ferdman made their first contribution in #366

Full Changelog: v0.11.23...v1.0.0rc1

v0.11.23

What's Changed

• Add flatten_rules method to SigmaCorrelationRule by @thomaspatzke in #361
• MITRE ATT&CK v17

Full Changelog: v0.11.22...v0.11.23

v0.11.22

What's Changed

• Backport: Implemented a better date conversion for 'date:' and 'modified:' fields. Backported by @thomaspatzke in #351

Full Changelog: v0.11.21...v0.11.22

v0.11.21

What's Changed

• Propagate errors from SigmaRule to SigmaCollection by @thomaspatzke in #348
• Updated dependencies

Full Changelog: v0.11.20...v0.11.21

v0.11.20

What's Changed

• [Sigma Filters] Fixes a bug in condition matching logic by @sifex in #323
• Backport of time modifiers by @thomaspatzke in #337

Full Changelog: v0.11.19...v0.11.20