
Does RemoveFieldTransformation work as expected?

Open HenrikWittemeier opened this issue 4 months ago • 0 comments

I tried to use RemoveFieldTransformation to remove a field from a Sigma rule.

Rule:

[...]
detection:
    selection:
        record_type: 'TXT'
        answer|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'cmd.exe'
    condition: selection

Code

from sigma.processing.conditions import RuleContainsDetectionItemCondition
from sigma.processing.pipeline import ProcessingItem
from sigma.processing.transformations import RemoveFieldTransformation

# Processing item meant to drop `record_type` from rules that match record_type: TXT
ProcessingItem(
    identifier="dns_answer_txt_remove_field",
    transformation=RemoveFieldTransformation("record_type"),
    rule_conditions=[
        RuleContainsDetectionItemCondition("record_type", "TXT")
    ],
),

Expected result:

[...]
detection:
    selection:
        answer|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'cmd.exe'
    condition: selection

But instead the field was not removed.

While debugging I found that:

https://github.com/SigmaHQ/pySigma/blob/ba2515542a3e35e00d4bf8979f228e64a5f7dc9b/sigma/processing/transformations.py#L735

rule.fields is just an empty list.

HenrikWittemeier, Oct 08 '24 09:10
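The behaviour reported above comes down to two separate places where field names live in a Sigma rule: the optional top-level `fields:` list (exposed by pySigma as `rule.fields`, which is what the linked RemoveFieldTransformation code edits) and the keys of the detection items under `detection:`. The following is an added, self-contained illustration of that distinction, not code from the issue or from pySigma; the rule is embedded as a constructed Python dict, and `remove_detection_item` is a hypothetical helper showing what the author actually wanted, not a pySigma transformation.

```python
import copy

# Constructed rule mirroring the one in the issue. It has no top-level `fields:` entries,
# which is exactly why rule.fields is an empty list and RemoveFieldTransformation does nothing.
RULE = {
    "title": "DNS TXT answer containing a PowerShell expression",
    "fields": [],  # the only thing RemoveFieldTransformation looks at
    "detection": {
        "selection": {
            "record_type": "TXT",
            "answer|contains": ["IEX", "Invoke-Expression", "cmd.exe"],
        },
        "condition": "selection",
    },
}


def base_field(key):
    """Strip Sigma value modifiers: 'answer|contains' -> 'answer'."""
    return key.split("|", 1)[0]


def rule_contains_detection_item(rule, field, value):
    """Same check as RuleContainsDetectionItemCondition: some selection maps field to value."""
    for sel in rule["detection"].values():
        if not isinstance(sel, dict):  # skip 'condition' and other non-selection entries
            continue
        for key, val in sel.items():
            values = val if isinstance(val, list) else [val]
            if base_field(key) == field and value in values:
                return True
    return False


def remove_from_fields_list(rule, field):
    """What RemoveFieldTransformation does: filter the top-level `fields:` list only."""
    out = copy.deepcopy(rule)
    out["fields"] = [f for f in out["fields"] if f != field]
    return out


def remove_detection_item(rule, field):
    """Hypothetical helper: drop detection items whose field (modifiers ignored) matches."""
    out = copy.deepcopy(rule)
    for sel in out["detection"].values():
        if isinstance(sel, dict):
            for key in [k for k in sel if base_field(k) == field]:
                del sel[key]
    return out
```

Applying `remove_from_fields_list(RULE, "record_type")` leaves the selection untouched, reproducing the issue, while `remove_detection_item` is the operation that yields the expected rule shown above.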