WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts

Print warning when loading Sigma rules with keyless search identifiers

ru37z opened this issue · comments

commented

As already discussed in #120, Chainsaw does not support "lists" (i.e., keyless search identifiers) in the detection part of Sigma rules, as defined by the Sigma specification [1]. When running Chainsaw in hunt mode, such lists in Sigma rules are silently ignored and events matching these lists will not trigger the respective rule.

IMHO, this behavior is unfavorable since users probably assume that if there is no warning/error while loading Sigma rules, these rules will work as intended. This could lead, e.g., to missed evidence in forensic analysis. I therefore propose to print a warning while loading Sigma rules if they contain lists, which assures that users are aware that these (parts of) rules will be ignored by Chainsaw.

[1] https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#lists

Yep this is a bug, it should be failing to load rules that it does not support and keyless ones fall into that category.

Ah right okay, I slightly misunderstood this. Are you basically asking for more verbose output for the loaded rules line, or requesting that it should be a warning [!] when it cannot load all rules?

[Screenshot 2023-06-07 at 12 13 39]
commented

Sorry, my description above isn't quite correct. Sigma rules containing lists are indeed not loaded, just as intended, and this is also correctly printed ("... not loaded"). However, I find this easy to overlook, so I'd propose to either print one warning line per non-loaded rule, including the reason why it was not loaded, or (at least) print a warning that not all rules could be loaded. The former could look like this:

[!] Ignoring rule foo.yml. Reason: Keyless search identifiers are currently not supported.
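To make the discussion concrete, here is an added example (my own code, not Chainsaw's) that classifies Sigma detection selections the way the first comment describes, keyed maps versus keyless lists of strings per the Sigma specification, and prints both forms of warning proposed above: one line per skipped rule with the reason, plus a summary line. The rules are constructed and embedded as the Python objects `yaml.safe_load` would return for the equivalent YAML, so the script runs offline. The function names (`keyless_selections`, `load_rules`, `report`, `keyless_match`), the file names, and the output wording are my assumptions; `keyless_match` models the spec's "match the string against the whole event" semantics as a case-insensitive substring search over all field values and does not reproduce Chainsaw's matcher or Sigma wildcards.

```python
"""Added example (not Chainsaw's code): detect Sigma rules that use keyless
search identifiers and report them instead of silently dropping them."""

# Constructed sample rules, written as the objects yaml.safe_load would return
# for the corresponding Sigma YAML. File names and content are assumptions.
RULES = {
    "keyed.yml": {
        "title": "Keyed selection (supported)",
        "detection": {
            "selection": {"EventID": 4688, "CommandLine|contains": "mimikatz"},
            "condition": "selection",
        },
    },
    "keyless.yml": {
        "title": "Keyless selection (list of strings)",
        "detection": {
            "selection": ["mimikatz", "sekurlsa::logonpasswords"],
            "condition": "selection",
        },
    },
    "list_of_maps.yml": {
        "title": "List of maps (OR of keyed maps, supported)",
        "detection": {
            "selection": [{"EventID": 4688}, {"EventID": 1}],
            "condition": "selection",
        },
    },
}

# Detection keys that are not search identifiers and must not be classified.
RESERVED = {"condition", "timeframe"}


def keyless_selections(rule):
    """Return the names of detection selections that are keyless search
    identifiers. Per the Sigma spec a selection written as a list of strings
    is matched against the whole event; a map, or a list of maps, is keyed."""
    names = []
    for name, body in rule.get("detection", {}).items():
        if name in RESERVED:
            continue
        if isinstance(body, list) and any(not isinstance(item, dict) for item in body):
            names.append(name)
    return names


def load_rules(rules):
    """Split rules into loadable ones and skipped ones with a reason string."""
    loaded, skipped = {}, {}
    for path, rule in rules.items():
        bad = keyless_selections(rule)
        if bad:
            skipped[path] = (
                "Keyless search identifiers are currently not supported (%s)"
                % ", ".join(bad)
            )
        else:
            loaded[path] = rule
    return loaded, skipped


def report(loaded, skipped, per_rule=False):
    """Build the warning lines: optionally one per skipped rule, then a
    summary that cannot be mistaken for a clean load."""
    lines = []
    if per_rule:
        for path, reason in sorted(skipped.items()):
            lines.append("[!] Ignoring rule %s. Reason: %s" % (path, reason))
    total = len(loaded) + len(skipped)
    if skipped:
        lines.append("[!] Loaded %d of %d rules; %d rule(s) were not loaded"
                     % (len(loaded), total, len(skipped)))
    else:
        lines.append("[+] Loaded %d rules" % total)
    return lines


def keyless_match(terms, event):
    """Modelled keyless semantics (assumption): any term is a case-insensitive
    substring of any field value. Shows what a dropped rule would have found."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(term.lower() in haystack for term in terms)


if __name__ == "__main__":
    loaded, skipped = load_rules(RULES)
    for line in report(loaded, skipped, per_rule=True):
        print(line)
    # Constructed event that the skipped keyless rule would have matched.
    event = {"EventID": 4688, "CommandLine": r"C:\tools\mimikatz.exe"}
    terms = RULES["keyless.yml"]["detection"]["selection"]
    print("keyless.yml would match the sample event:", keyless_match(terms, event))
```

The distinction that matters in `keyless_selections` is between a list of maps (an OR of keyed selections, which is ordinary Sigma) and a list containing plain strings (keyless). Only the latter is reported, so supported rules are not flagged by mistake.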

I am a tad reluctant to do a warning per rule as this could massively bloat out the output and is what the lint command is designed for, but happy to see what the wider community feel on that.

As an alternative for now as it is not a breaking change, would this be sufficient?

[Screenshot 2023-06-07 at 16 13 09]
commented

Yes, I think this is already much less prone to being overlooked!

Awesome, will get that done.