Add operator for DeferredTextQueryExpression

[nNipsx-Sec]

In some case of sigma rules and SIEM product, have multiple field Regex or CIDR and SIEM must have operator to define query example with Qradar:
ELECT UTF8(payload) as search_payload from events where "Commandline"='test' AND INCIDR('fieldA 192.168.0.0/16', "fieldA") OR INCIDR('fieldC 192.168.0.0/24', "fieldC")

But now pysigma can't allow user define expression for that user just define

    deferred_start : ClassVar[str] = ""
    deferred_separator : ClassVar[str] = ""
    deferred_only_query : ClassVar[str] = ""

I think that enough for prepare query.
So my solution it's add deferred_expression or add more field operator for deferred example:

deferred_and
deferred_or
deferred_not

[thomaspatzke]

Unsure if I understood the issue, but the re_expression and cidr_expression properties of the TextQueryBackend should do what you need:

class CustomBackend(TextQueryBackend):
[...]
    cidr_expression = "INCIDR('{field} {value}', "{field}")
[...]

The purpose of deferred expressions is not to integrate them in the main condition vial boolean operators, but to defer them to a later stage of the whole query, after the main search condition. This was necessary in Splunk, because the main search conditions has no possibility to express regular expressions or CIDR as filters. This doesn't seems to be the case for QRadar and therefore the expressions can be defined as above without usage of deferred expressions.

[nNipsx-Sec]

Oh thanks for support. It's helpful for me