
Conditions added by processing pipelines are deferred with OR-ed regex

Open thomaspatzke opened this issue 8 months ago • 2 comments

Problem

Regular expressions logically linked with OR are deferred

Reproduction

Processing pipeline:

name: Example Sigma Pipeline Config
priority: 100
transformations:
  - id: prefix_source_and_index
    type: add_condition
    conditions:
      index: test
      source: test

Rule:

title: Example Sigma Rule
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    EventID: 4688
    CommandLine|re:
      - "suspicious_command"
  selection2:
    Image|re:
      - "suspicious_command"
  condition: selection or selection2

Result:

| rex field=CommandLine "(?<CommandLineMatch>suspicious_command)"
| eval CommandLineCondition=if(isnotnull(CommandLineMatch), "true", "false")
| rex field=Image "(?<ImageMatch>suspicious_command)"
| eval ImageCondition=if(isnotnull(ImageMatch), "true", "false")
| search index="test" source="test" (EventID=4688 CommandLineCondition="true") OR ImageCondition="true"

Expected result:

index="test" source="test"
| rex field=CommandLine "(?<CommandLineMatch>suspicious_command)"
| eval CommandLineCondition=if(isnotnull(CommandLineMatch), "true", "false")
| rex field=Image "(?<ImageMatch>suspicious_command)"
| eval ImageCondition=if(isnotnull(ImageMatch), "true", "false")
| search (EventID=4688 CommandLineCondition="true") OR ImageCondition="true"

thomaspatzke, Mar 19 '25 22:03
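As an added, runnable illustration of the mismatch above (not code from the issue or from pySigma-backend-splunk): a small Python post-processor that lifts the pipeline-added `index`/`source` terms out of the deferred `| search` command back into a leading base search, turning the reported result into the expected one. It assumes the pipeline conditions are simple `field="value"` terms with no escaped quotes, and it refuses to hoist a term that sits inside an OR group, since that would change the query's meaning.

```python
import re

# Constructed input: the deferred query the issue reports as the actual result.
DEFERRED_QUERY = "\n".join([
    '| rex field=CommandLine "(?<CommandLineMatch>suspicious_command)"',
    '| eval CommandLineCondition=if(isnotnull(CommandLineMatch), "true", "false")',
    '| rex field=Image "(?<ImageMatch>suspicious_command)"',
    '| eval ImageCondition=if(isnotnull(ImageMatch), "true", "false")',
    '| search index="test" source="test" (EventID=4688 CommandLineCondition="true")'
    ' OR ImageCondition="true"',
])

def split_top_level(expr):
    """Split an SPL boolean expression on whitespace outside quotes and parens."""
    tokens, buf, depth, quoted = [], "", 0, False
    for ch in expr:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and depth == 0 and ch.isspace():
            if buf:
                tokens.append(buf)
            buf = ""
            continue
        buf += ch
    return tokens + [buf] if buf else tokens

def hoist_pipeline_conditions(query, fields=("index", "source")):
    """Move top-level field="value" terms out of the trailing `| search` into a base search."""
    lines = query.strip().splitlines()
    if not lines[-1].startswith("| search "):
        raise ValueError("query does not end with a deferred '| search' command")
    tokens = split_top_level(lines[-1][len("| search "):])
    hoisted, kept = [], []
    for i, tok in enumerate(tokens):
        m = re.fullmatch(r'(\w+)="[^"]*"', tok)
        if not (m and m.group(1) in fields):
            kept.append(tok)
            continue
        # Splunk evaluates OR before the implicit AND, so a term adjacent to an
        # OR belongs to that OR group, not to the conjunction: refuse to hoist it.
        if any(tokens[j].upper() == "OR" for j in (i - 1, i + 1) if 0 <= j < len(tokens)):
            raise ValueError(f"{tok} sits inside an OR group and cannot be hoisted safely")
        hoisted.append(tok)
    if not hoisted:
        return "\n".join(lines)
    tail = ["| search " + " ".join(kept)] if kept else []
    return "\n".join([" ".join(hoisted), *lines[:-1], *tail])
```

Calling `hoist_pipeline_conditions(DEFERRED_QUERY)` yields exactly the query listed under "Expected result"; the proper fix belongs in the backend, which should emit the `add_condition` terms as the base search instead of deferring them with the regex conditions.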