From ad75a9a5bf77fe2e75e35a6cde7935c1906f380e Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 23 Nov 2021 16:57:43 +0000
Subject: [PATCH] updating hawk backend to provide additional tag enrichment. helps manage the state of each sigma rule, if experimental or not
---
 tools/sigma/backends/hawk.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index a44336b2b..4c4a37c5f 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -638,13 +638,16 @@ class HAWKBackend(SingleTextQueryBackend):
 "public" : True,
 "references" : ref,
 "group_name" : ".",
+ "tags" : [ "sigma" ],
 "hawk_id" : sigmaparser.parsedyaml['id']
 }
 if 'tags' in sigmaparser.parsedyaml:
- record["tags"] = [ item.replace("attack.", "") for item in sigmaparser.parsedyaml['tags']]
+ record["tags"] = record['tags'] + [ item.replace("attack.", "") for item in sigmaparser.parsedyaml['tags']]
 if not 'status' in self.sigmaparser.parsedyaml or 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] != 'experimental':
 record['correlation_action'] += 10.0;
+ elif 'status' in self.sigmaparser.parsedyaml and self.sigmaparser.parsedyaml['status'] == 'experimental':
+ record["tags"].append("qa")
 if 'falsepositives' in self.sigmaparser.parsedyaml and len(self.sigmaparser.parsedyaml['falsepositives']) > 1:
 record['correlation_action'] -= (2.0 * len(self.sigmaparser.parsedyaml['falsepositives']) )
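Review bot: The new `elif` branch re-tests the exact complement of the `if` directly above it (`status` absent, or present and not 'experimental'), so it is only ever reached when status is 'experimental' and should be a plain `else:  # status == 'experimental'` followed by `record["tags"].append("qa")`; as written the two conditions can silently drift apart on a later edit. The 'experimental' check reads `self.sigmaparser.parsedyaml` while the tags merge two lines up reads the local `sigmaparser.parsedyaml`; if those are not the same object, the 'qa' tag and the score adjustment could describe a different rule than the tags do, which is worth confirming. Rules with no `status` key fall through the `if` branch and therefore get the score bonus without the 'qa' tag; if that is intended, a one-line comment such as `# a rule with no status is treated as non-experimental` would make it explicit. The tag lists are concatenated without de-duplication, so a rule that already declares `sigma` or `qa` among its own tags will emit that tag twice. The enclosing method starts outside the hunk.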