Fixing conditions with multiple underscores and adding a working example for reference

README.md

@@ -1,15 +1,22 @@
 # sigma-go ![Build Status](https://github.com/bradleyjkemp/sigma-go/workflows/Go/badge.svg) [![GitHub release](https://img.shields.io/github/release/bradleyjkemp/sigma-go.svg)](https://github.com/bradleyjkemp/sigma-go/releases/latest)
+
 <img src=".github/mascot.png" alt="Mascot" width="150" align="right">
 
 A Go implementation and parser of [Sigma rules](https://github.com/Neo23x0/sigma). Useful for building your own detection pipelines.
 
 Who's using `sigma-go` in production?
-* [Monzo Bank](https://monzo.com/blog/2022/08/05/scaling-our-security-detection-pipeline-with-sigma)
-* [Phish Report](https://phish.report/IOK)
-* [SysFlow](https://github.com/sysflow-telemetry)
 
-## Usage
+- [Monzo Bank](https://monzo.com/blog/2022/08/05/scaling-our-security-detection-pipeline-with-sigma)
+- [Phish Report](https://phish.report/IOK)
+- [SysFlow](https://github.com/sysflow-telemetry)
+
+## Installation
+
+```bash
+go get github.com/bradleyjkemp/sigma-go
+```
 
+## Usage
 This library is designed for you to build your own alert systems.
 It exposes the ability to check whether a rule matches a given event but not much else.
 It's up to you to use this building block in your own detection pipeline.
@@ -21,8 +28,7 @@ var rule, _ = sigma.ParseRule(contents)
 
 // Rules need to be wrapped in an evaluator.
 // This is also where (if needed) you provide functions implementing the count, max, etc. aggregation functions
-e := sigma.Evaluator(rule, options...)
-
+e := evaluator.ForRule(rule)
 // Get a stream of events from somewhere e.g. audit logs
 for event := range events {
     if e.Matches(ctx, event) {
@@ -37,6 +43,7 @@ for event := range events {
 If your Sigma rules make use of the count, max, min, or any other aggregation function in your conditions then you'll need some extra setup.
 
 When creating an evaluator, you can pass in implementations of each of the aggregation functions:
+
 ```go
 sigma.Evaluator(rule, sigma.CountFunc(countImplementation), sigma.MaxFunc(maxImplementation))
 ```

condition_parser.go

@@ -8,8 +8,8 @@ import (
 
 var (
 	searchExprLexer = lexer.Must(lexer.Regexp(`(?P<Keyword>(?i)(1 of them)|(all of them)|(1 of)|(all of))` +
-		`|(?P<SearchIdentifierPattern>\*?[a-zA-Z_]+\*[a-zA-Z0-9_*]*)` +
-		`|(?P<SearchIdentifier>[a-zA-Z_][a-zA-Z0-9_]*)` +
+		`|(?P<SearchIdentifierPattern>\*?[a-zA-Z_]+(?:[a-zA-Z0-9_]*_)*[a-zA-Z0-9]*\*)` + // Adjusted pattern to catch multiple underscores which is present upstream
+		`|(?P<SearchIdentifier>[a-zA-Z_][a-zA-Z0-9_]*)` + 
 		`|(?P<Operator>(?i)and|or|not|[()])` + // TODO: this never actually matches anything because they get matched as a SearchIdentifier instead. However this isn't currently a problem because we don't parse anything in the Grammar as an Operator (we just use string constants which don't care about Operator vs SearchIdentifier)
 		`|(?P<ComparisonOperation>=|!=|<=|>=|<|>)` +
 		`|(?P<ComparisonValue>0|[1-9][0-9]*)` +

evaluator/modifiers/modifiers_test.go

@@ -49,7 +49,7 @@ func Test_compareNumeric(t *testing.T) {
 func BenchmarkContains(b *testing.B) {
 	needle := "abcdefg"
 
-	var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+	letterRunes := []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
 	haystack := make([]rune, 1_000_000)
 	for i := range haystack {
 		haystack[i] = letterRunes[rand.Intn(len(letterRunes))]
@@ -67,7 +67,7 @@ func BenchmarkContains(b *testing.B) {
 func BenchmarkContainsCS(b *testing.B) {
 	needle := "abcdefg"
 
-	var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+	letterRunes := []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
 	haystack := make([]rune, 1_000_000)
 	for i := range haystack {
 		haystack[i] = letterRunes[rand.Intn(len(letterRunes))]

examples/simple_rule_match/main.go

@@ -0,0 +1,79 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/bradleyjkemp/sigma-go"
+	"github.com/bradleyjkemp/sigma-go/evaluator"
+)
+
+func main() {
+	//
+	// Load the Sigma rule (simplified representation here)
+	sigmaRule := `
+title: Okta Application Modified or Deleted
+id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
+status: test
+description: Detects when an application is modified or deleted.
+references:
+  - https://developer.okta.com/docs/reference/api/system-log/
+  - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+  - attack.impact
+logsource:
+  product: okta
+  service: okta
+detection:
+  selection:
+    eventtype:
+      - application.lifecycle.update
+      - application.lifecycle.delete
+  condition: selection
+falsepositives:
+  - Unknown
+
+level: medium
+
+  `
+	// Parse the Sigma rule
+	rule, err := sigma.ParseRule([]byte(sigmaRule))
+	if err != nil {
+		log.Fatalf("Failed to parse Sigma rule: %v", err)
+	}
+
+	// Query Okta logs (simplified, you'll need to implement actual API querying)
+	oktaEvents := queryOktaLogs()
+
+	// Rules need to be wrapped in an evaluator.
+	// This is also where (if needed) you provide functions implementing the count, max, etc. aggregation functions
+	e := evaluator.ForRule(rule)
+
+	// Evaluate each Okta event against the Sigma rule
+	for _, event := range oktaEvents {
+		matches, err := e.Matches(context.Background(), event)
+		if err != nil {
+			log.Printf("Error evaluating rule: %v", err)
+			continue
+		}
+		if matches.Match {
+			fmt.Println("Detected an application modification or deletion event:", event)
+			// Implement your detection handling logic here (e.g., alerting)
+		}
+	}
+}
+
+// queryOktaLogs simulates querying Okta logs. Replace with actual API calls.
+func queryOktaLogs() []map[string]interface{} {
+	// This is a simplified example. You should replace this function with one
+	// that makes HTTP requests to Okta's system log API and parses the response.
+	// See https://developer.okta.com/docs/reference/api/system-log/ for details.
+	return []map[string]interface{}{
+		{"eventtype": "application.lifecycle.update", "details": "Application updated"},
+		// Add more events as needed
+	}
+}