# rsigma rule condition

Parse a Sigma condition expression and print the AST.

## Synopsis

## Description
Takes a Sigma condition string (the right-hand side of `condition:` in a rule) and prints its parsed AST as JSON. This is useful for tooling that reasons about condition trees, for sanity-checking a complicated expression before pasting it into a rule, and for understanding precedence in expressions that mix `and`, `or`, `not` and the `1 of`/`all of` quantifiers.
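To make the precedence rules the description relies on concrete, here is an added example that is not rsigma's own code: a small recursive-descent parser that turns a condition string into a JSON-style AST, with `not` binding tighter than `and`, and `and` tighter than `or`. The function names and the AST shape (`selection`, `not`, `and`, `or`, `of`) are this example's own assumptions; the aggregation syntax (`| count() ...`) is rejected rather than parsed, and `condition_exit_code` mirrors the 0/2 convention from the exit-code table below.

```python
import re
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_*-]+")  # parens, keywords, identifiers (may contain '*')
_KEYWORDS = {"and", "or", "not", "of", "them", "(", ")"}

def parse_condition(expr):
    """Return the AST of a Sigma condition as a JSON-serialisable dict; ValueError on bad input."""
    if _TOKEN_RE.sub("", expr).strip():  # stray characters, e.g. the '|' of the aggregation syntax
        raise ValueError("unsupported characters in condition (aggregations are not handled here)")
    toks = _TOKEN_RE.findall(expr)
    peek = lambda: toks[0] if toks else None
    def take(expected=None):  # consume the next token, optionally insisting on a specific one
        if not toks or (expected and toks[0] != expected):
            raise ValueError(f"expected {expected or 'an operand'}, got {peek()!r}")
        return toks.pop(0)
    def chain(op, sub):  # left-associative `sub (op sub)*`, flattened into one n-ary node
        operands = [sub()]
        while peek() == op and take():  # take() consumes the operator keyword
            operands.append(sub())
        return operands[0] if len(operands) == 1 else {op: operands}
    parse_or = lambda: chain("or", parse_and)  # precedence, lowest to highest: or < and < not < atom
    parse_and = lambda: chain("and", parse_not)
    def parse_not():
        if peek() == "not" and take():
            return {"not": parse_not()}
        return parse_atom()
    def parse_atom():  # parenthesised group, quantifier, or a (possibly wildcarded) selection name
        tok = take()
        if tok == "(":
            node = parse_or()
            take(")")
            return node
        if tok == "all" or tok.isdigit():  # quantifier: '1 of sel*', 'all of them'
            take("of")
            target = take()
            if target in _KEYWORDS - {"them"}:
                raise ValueError(f"quantifier needs a selection pattern or 'them', got {target!r}")
            return {"of": {"count": "all" if tok == "all" else int(tok), "target": target}}
        if tok in _KEYWORDS:
            raise ValueError(f"unexpected keyword {tok!r}")
        return {"selection": tok}
    node = parse_or()
    if toks:
        raise ValueError(f"trailing token {toks[0]!r}")
    return node

def condition_exit_code(expr):  # 0: parsed cleanly, 2: parse error (the CLI's exit-code convention)
    try:
        return 0 if parse_condition(expr) else 2
    except ValueError:
        return 2
```

Run `json.dumps(parse_condition("1 of sel* and not all of them"), indent=2)` to see the `and` node wrapping a quantifier and a negated quantifier, which is the precedence question the description mentions.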
## Flags

| Flag | Description |
|---|---|
| `<EXPR>` | The condition expression to parse. Quote the argument so the shell does not eat the `*` or `(` characters. |
## Examples

### Simple selection

### Combined selections

### Quantified expressions

### Aggregate (correlation) syntax
## Exit codes

| Code | Meaning |
|---|---|
| 0 | Expression parsed cleanly. |
| 2 | Parse error. |
## See also

- Sigma specification: condition expressions, for the official condition grammar.
- rule parse, for parsing a full rule (including its condition).
- Concepts, for the Sigma primer.