
Unbound search invalid with field_name_mapping

Open frack113 opened this issue 6 months ago • 0 comments

When using field_name_mapping to map to a field name, the query loses the constraints.

Sigma rule:

```yaml
title: Example Rule
description: This is an example rule to demonstrate the structure of a YAML rule file.
logsource:
  product: linux
detection:
  keywords:
    - a
    - b
    - c
  condition: keywords
```

Processing pipeline:

```yaml
name: Default field name
transformations:
  - id: field_mapping
    type: field_name_mapping
    mapping:
      # YAML `null` key: mapping applied to items with no field (keywords)
      null:
        - my_field_name
```

Tested with pySigma 0.11.23 and sigma-cli 1.0.6.

| Backend | Target | Without pipeline | With pipeline |
|---|---|---|---|
| pySigma-backend-elasticsearch 1.1.6 | lucene | `*a* OR *b* OR *c*` | `my_field_name:(a OR b OR c)` |
| pySigma-backend-splunk 1.1.3 | splunk | `"a" OR "b" OR "c"` | `my_field_name IN ("a", "b", "c")` |
| pySigma-backend-sqlite 0.2.0 | sqlite | Not supported | Not supported |
| pySigma-backend-golangexpr 0.1.2 | golang_expr | `""a"" or ""b"" or ""c""` | `lower(my_field_name) == lower("a") or lower(my_field_name) == lower("b") or lower(my_field_name) == lower("c")` |

frack113, Jun 18 '25 08:06
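The following is an added example, not code from the issue or from pySigma itself. It models, in a few lines of plain Python, why the pipeline above catches the unbound keyword items: a YAML `null:` key loads as the Python value `None`, and keyword detection items carry `field = None`, so a plain dictionary lookup on the item's field matches them. The `keep_keywords_unbound` guard and the `Item` class are assumptions made for illustration, not pySigma behaviour or API. The optional `reproduce_with_pysigma` function uses the real `SigmaCollection.from_yaml`, `ProcessingPipeline.from_yaml` and `LuceneBackend` calls and only runs if pySigma and pySigma-backend-elasticsearch are installed; the rule and pipeline strings are the ones from the issue, minus the description line.

```python
"""Model of field_name_mapping hitting keyword (field-less) detection items.

Added example, not pySigma code. `Item`, `apply_field_mapping`, `lucene` and
the `keep_keywords_unbound` guard are simplified stand-ins (assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule and pipeline from the issue (used only by the optional real repro).
RULE_YAML = """\
title: Example Rule
logsource:
  product: linux
detection:
  keywords:
    - a
    - b
    - c
  condition: keywords
"""
PIPELINE_YAML = """\
name: Default field name
transformations:
  - id: field_mapping
    type: field_name_mapping
    mapping:
      null:
        - my_field_name
"""


@dataclass
class Item:
    """Stand-in for a detection item; keyword items have field None."""
    field: Optional[str]
    values: List[str]


# What a YAML loader returns for the pipeline's `null:` key: a None key.
MAPPING: Dict[Optional[str], List[str]] = {None: ["my_field_name"]}
KEYWORDS = [Item(None, ["a", "b", "c"])]  # the rule's keywords detection


def apply_field_mapping(items, mapping, keep_keywords_unbound=False):
    """Model of the field_name_mapping transformation.

    mapping.get(None) matches every keyword item, which is the behaviour the
    issue's table shows. `keep_keywords_unbound` is an assumed guard that
    leaves field-less items alone; pySigma does not expose such an option.
    """
    out = []
    for it in items:
        if keep_keywords_unbound and it.field is None:
            out.append(it)
            continue
        targets = mapping.get(it.field)
        if targets is None:
            out.append(it)
        else:
            # One source field mapped to several targets becomes several items.
            out.extend(Item(t, list(it.values)) for t in targets)
    return out


def lucene(items):
    """Render items the way the issue's lucene column shows them."""
    parts = []
    for it in items:
        if it.field is None:
            parts.append(" OR ".join(f"*{v}*" for v in it.values))
        else:
            parts.append(f"{it.field}:({' OR '.join(it.values)})")
    return " OR ".join(parts)


def reproduce_with_pysigma():
    """Real conversion; returns (without, with) or None if not installed."""
    try:
        from sigma.collection import SigmaCollection
        from sigma.processing.pipeline import ProcessingPipeline
        from sigma.backends.elasticsearch import LuceneBackend
    except ImportError:
        return None
    # Fresh collections: the backend applies the pipeline to rules in place.
    plain = LuceneBackend().convert(SigmaCollection.from_yaml(RULE_YAML))
    pipeline = ProcessingPipeline.from_yaml(PIPELINE_YAML)
    piped = LuceneBackend(processing_pipeline=pipeline).convert(
        SigmaCollection.from_yaml(RULE_YAML)
    )
    return plain[0], piped[0]


if __name__ == "__main__":
    print("model, no pipeline :", lucene(KEYWORDS))
    print("model, with mapping:", lucene(apply_field_mapping(KEYWORDS, MAPPING)))
    print("model, guarded     :",
          lucene(apply_field_mapping(KEYWORDS, MAPPING, keep_keywords_unbound=True)))
    print("pySigma            :", reproduce_with_pysigma())
```

Running the model alone reproduces both lucene strings from the table; the guarded variant shows what a pipeline author would have to check for if they want keyword searches to stay unbound.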