sigma
'ConditionalFieldMapping' object is not iterable
Getting the error 'ConditionalFieldMapping' object is not iterable with 0.20 and master when using the config winlogbeat-modules-enabled.yml with any other config file.
Reproduction
Works
Only using winlogbeat-modules-enabled.yml
./tools/sigmac -t elastalert \
-c ./tools/config/winlogbeat-modules-enabled.yml \
rules/windows/process_creation/win_malware_wannacry.yml
This works with all versions I tested (0.17 and higher).
Works
Using winlogbeat.yml and an extra config file custom.yml
./tools/sigmac -t elastalert \
-c tools/config/winlogbeat.yml \
-c custom.yml \
rules/windows/process_creation/win_malware_wannacry.yml
This works with all versions I tested (0.17 and higher).
Fails
Using winlogbeat-modules-enabled.yml and an extra config file custom.yml
./tools/sigmac -t elastalert \
-c ./tools/config/winlogbeat-modules-enabled.yml \
-c custom.yml \
rules/windows/process_creation/win_malware_wannacry.yml
This works with 0.17 to 0.19.1 inclusive, but fails with 0.20 and higher with the error message:
An unsupported feature is required for this Sigma rule (rules/windows/process_creation/win_malware_wannacry.yml): 'ConditionalFieldMapping' object is not iterable
The contents of custom.yml can be as complex or simple as you like, currently testing with just:
title: Some custom mappings
order: 1000
Python version 3.9.5.