Fixed chaining of correlation rules
thomaspatzke committed Oct 24, 2024
1 parent 4dbedb2 commit 935f976
Showing 1 changed file with 5 additions and 7 deletions.
12 changes: 5 additions & 7 deletions sigma/conversion/base.py
Expand Up @@ -581,7 +581,7 @@ def convert_correlation_rule(
]

# Apply the finalization step
finalized_query = [
finalized_queries = [
self.finalize_query(
rule,
query,
Expand All @@ -591,8 +591,10 @@ def convert_correlation_rule(
)
for index, query in enumerate(queries)
]
rule.set_conversion_result(finalized_queries)
rule.set_conversion_states(states)

return finalized_query
return finalized_queries

@abstractmethod
def convert_correlation_event_count_rule(
Expand Down Expand Up @@ -1720,11 +1722,7 @@ def convert_correlation_search(
),
)
for rule_reference in rule.rules
for query in (
rule_reference.rule.get_conversion_result()
if not isinstance(rule_reference.rule, SigmaCorrelationRule)
else self.convert_correlation_rule(rule_reference.rule)
)
for query in rule_reference.rule.get_conversion_result()
)
),
**kwargs,
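Review bot: The simplified `for query in rule_reference.rule.get_conversion_result()` in convert_correlation_search now assumes every referenced rule, including a referenced correlation rule, has already been converted, because the fallback call to `self.convert_correlation_rule(rule_reference.rule)` is gone and the stored result only exists once convert_correlation_rule has run `rule.set_conversion_result(finalized_queries)`. That ordering guarantee is not visible in this section, so state it at the loop, e.g. `# referenced rules must already be converted; dependency order is resolved by the caller`. If get_conversion_result() can return an empty list for a rule that was skipped or failed (not shown here), the chained correlation would be emitted without that sub-search, which is a silent detection gap, so raising a conversion error that names the referenced rule would be safer than yielding nothing. Both functions continue outside the visible hunks, so the check may already exist upstream.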