V2 consideration - add support for datetime values

Question

V2 consideration - add support for datetime values

Closed this issue a year ago · 0 comments

native sigma supports datetime values. It would be nice if we could extend that support to Sigma.

currently the v2 spec supports number values, such as:

detection:
    exp1:
        field|gt: 1
        field|lt: 10
    exp2:
        field2:
        - blah
        - foobar
    condition: exp1 and exp2

I propose it also can do similarly, but with datetime values, such as:

detection:
    exp1:
        field|gt: 2023-01-01T09:00:00Z
        field|lt: 2023-01-01T10:00:00Z
    exp2:
        field2:
        - blah
        - foobar
    condition: exp1 and exp2

running this through pySigma (at the moment) gives a type error: 'datetime.datetime' object is not iterable on line 196 of rule.py