Add --include-tag and --exclude-tag options in pivot-keywords-list command

[hitenkoku]

What Changed

• Added the --include-tag option to pivot-keywords-list command to only load rules with the specified tags field.
• Added the --exclude-tag option to pivot-keywords-list commands to exclude rules with specific tags from being loaded.

I would appreciate it if you could review when you have time.

[codecov]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (fba5471) 83.52% compared to head (af1af31) 83.50%.

Additional details and impacted files

@@                                           Coverage Diff                                            @@
##           1188-ask-the-user-which-sigma-rules-they-want-to-enable-by-default-1    #1196      +/-   ##
========================================================================================================
- Coverage                                                                 83.52%   83.50%   -0.02%     
========================================================================================================
  Files                                                                        26       26              
  Lines                                                                     23608    23696      +88     
========================================================================================================
+ Hits                                                                      19718    19788      +70     
- Misses                                                                     3890     3908      +18     

Files	Coverage Δ
src/main.rs	67.11% <100.00%> (+0.30%)	⬆️
src/detections/configs.rs	81.72% <71.42%> (-0.02%)	⬇️

... and 10 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[YamatoSecurity]

@hitenkoku When I run ./target/release/hayabusa pivot-keywords-list -d ../hayabusa-sample-evtx --include-tag sysmon -w or ./target/release/hayabusa pivot-keywords-list -d ../hayabusa-sample-evtx --exclude-tag sysmon -w it gives me [ERROR] No rules were loaded. Please download the latest rules with the update-rules command. but there should be rules with and without sysmon tags so both times there should be rules loaded. Can you check this?

[hitenkoku]

@YamatoSecurity Thanks for your review.

I fixed following bug in c940b46.

Could you check it?

@hitenkoku When I run ./target/release/hayabusa pivot-keywords-list -d ../hayabusa-sample-evtx --include-tag sysmon -w or ./target/release/hayabusa pivot-keywords-list -d ../hayabusa-sample-evtx --exclude-tag sysmon -w it gives me [ERROR] No rules were loaded. Please download the latest rules with the update-rules command. but there should be rules with and without sysmon tags so both times there should be rules loaded. Can you check this?

[YamatoSecurity]

@hitenkoku Thanks for fixing this. LGTM!

[hitenkoku]

@YamatoSecurity I appriciate your continuous review.

[fukusuket]

I confirmed following command works! LGTM!!🚀

• % ./hayabusa-new pivot-keywords-list -d ../hayabusa-sample-evtx -o ./new/key -C --debug --exclude-tag sysmon -w -v
• % ./hayabusa-new pivot-keywords-list -d ../hayabusa-sample-evtx -o ./new/key -C --debug --include-tag sysmon -w -v

Also, the following command results have no difference compared to main.

• % ./hayabusa-new csv-timeline -d ../hayabusa-sample-evtx -o new.csv -C -w
• % ./hayabusa-new pivot-keywords-list -d ../hayabusa-sample-evtx -o ./old/key -C -w

[hitenkoku]

@fukusuket thanks for your review.