pySigma
Expected behaviour when using `AddConditionTransformation` on a `1 of them`/`any of them` condition?
I encountered the following behaviour when using the `AddConditionTransformation` on a rule using a `1 of them` condition:
Consider the following rule:
```yaml
detection:
  a: ...
  b: ...
  condition: 1 of them
```
In our setup we use an `AddConditionTransformation` to integrate the logsource into the detection, to be consumed by the Splunk backend. So we instantiate the transformation, for example, like this: `AddConditionTransformation({ "index": ..., "sourcetype": ... })`
This transforms the rule into something like this:
```yaml
detection:
  a: ...
  b: ...
  _cond_blablablaa:
    index: ...
    sourcetype: ...
  condition: _cond_blablablaa and (1 of them)
```
But here is the catch: the `1 of them` now refers to `a` or `b` or `_cond_blablablaa`. This is a problem since the condition is now logically `_cond_blablablaa and (a or b or _cond_blablablaa)`, which is equivalent to just `_cond_blablablaa`. In other words, this renders the rule useless since it matches any event for this logsource.
This is not the behaviour I expected. I expected `1 of them` to be transformed into `a or b` internally before any transformation to the boolean logic is applied.
If this is indeed the expected behaviour, what is the proper way to AND the logsource into the query?
Thanks in advance!
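To make the collapse described above concrete, here is an added Python example (not pySigma's code) that models the detection section as a dict of field maps and the condition as a small tree, then resolves `1 of them` either before or after a stand-in for `AddConditionTransformation` adds its `_cond_...` item. The sample events, the field names and the `_cond_logsource` item name are constructed for the demonstration.

```python
# Constructed sample events: only the first should match the rule. The second is a
# benign event from the same index/sourcetype; the third is from another logsource.
EVENTS = [
    {"index": "win", "sourcetype": "xml", "EventID": 4688, "Image": "C:\\evil.exe"},
    {"index": "win", "sourcetype": "xml", "EventID": 4624},
    {"index": "linux", "sourcetype": "syslog", "EventID": 4688, "Image": "C:\\evil.exe"},
]
# Constructed detection section standing in for 'a: ...' and 'b: ...' in the issue.
RULE = {"a": {"EventID": 4688}, "b": {"Image": "C:\\evil.exe"}}
LOGSOURCE = {"index": "win", "sourcetype": "xml"}  # what AddConditionTransformation adds

def matches(fields, event):
    """A detection (map of field: value) matches when every pair is in the event."""
    return all(event.get(k) == v for k, v in fields.items())

def expand(cond, detections):
    """Resolve the '1 of them' quantifier against the names currently in `detections`."""
    if cond == "1 of them":
        return ("or", *sorted(detections))
    if isinstance(cond, tuple):
        return (cond[0], *(expand(c, detections) for c in cond[1:]))
    return cond

def evaluate(cond, detections, event):
    """Evaluate a condition tree of the form ('and'|'or', child, ...) or a bare name."""
    if isinstance(cond, str):
        return matches(detections[cond], event)
    op, *children = cond
    results = [evaluate(c, detections, event) for c in children]
    return all(results) if op == "and" else any(results)

def add_condition(detections, cond, extra, name="_cond_logsource"):
    """Mimic AddConditionTransformation: add a named item and AND it to the condition.
    The item name is a constructed stand-in for the random '_cond_...' name pySigma generates."""
    return {**detections, name: extra}, ("and", name, cond)

def matching_events(expand_first):
    """Indices of EVENTS the rule matches, resolving '1 of them' either before
    (expand_first=True) or after (False) the logsource condition is added."""
    dets, cond = RULE, "1 of them"
    if expand_first:
        cond = expand(cond, dets)          # 'them' = {a, b}
    dets, cond = add_condition(dets, cond, LOGSOURCE)
    cond = expand(cond, dets)              # 'them' now also contains _cond_logsource
    return [i for i, e in enumerate(EVENTS) if evaluate(cond, dets, e)]

if __name__ == "__main__":
    print("expand first:", matching_events(True))   # [0]
    print("expand after:", matching_events(False))  # [0, 1]: benign event matches too
```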