Proposal: Sigma Filter Rule Expiry

[sifex]

I spoke about this idea at BSides Athens with some great people.

The idea is that Sigma Filter Rules should have an expiry, where a Filter automatically stops excluding matches after a given date. This is in contrast to "disabling" a rule, and forgetting to switch it back on after a given date.

title: Filter Out Okta Service Accounts
description: Filters out Okta service accounts
date: 2024/07/03
modified: 2024/07/04
logsource:
    service: okta
    product: okta
filter:
    rules:
        - okta_user_account_locked_out
    service_accounts:
        actor.alternateId|startswith:
            - svc
    condition: not service_accounts
    expiry: 2w

For this, 2w might apply to date or modified.

The alternative for this is to get the timestamp in 2w and compare timestamp against the event's time, which is also another viable solution.

[frack113]

IF we go that way, why not use timespan like the Meta Rules ?