Hi,
I am trying to use pySigma on "Failed Logins Followed by Successful Login" from the Sigma correlation bruteforce site to translate it into the Splunk SPL language.
I am using the following command:
sigma convert -t splunk -p splunk_windows sigma_rules\brute_force_detection.yml
I am also trying with:
sigma convert -t splunk --without-pipeline sigma_rules\brute_force_detection.yml
An exception occurs:
Error while conversion: Conversion result not available in rule SigmaCorrelationRule(applied_processing_items=set(), title='Multiple failed logons', id=UUID('a8418a5a-5fc4-46b5-b23b-6c73beb19d41'), name='multiple_failed_login', related=None, status=None, description='Detects multiple failed logins within a certain amount of time', references=[], tags=[], author=None, date=None, modified=None, fields=[], falsepositives=[], level=None, errors=[], source=SigmaRuleLocation(path=WindowsPath('sigma_rules/brute_force_detection.yml'), line=None, char=None), custom_attributes={'correlation': {'type': 'event_count', 'rules': ['failed_login'], 'group-by': ['User'], 'timespan': '10m', 'condition': {'gte': 10}}}, type=<SigmaCorrelationType.EVENT_COUNT: 1>, rules=[SigmaRuleReference(reference='failed_login')], generate=False, timespan=SigmaCorrelationTimespan(spec='10m', seconds=600, count=10, unit='m'), group_by=['User'], aliases=SigmaCorrelationFieldAliases(aliases={}), condition=SigmaCorrelationCondition(op=<SigmaCorrelationConditionOperator.GTE: 4>, count=10, fieldref=None, source=SigmaRuleLocation(path=WindowsPath('sigma_rules/brute_force_detection.yml'), line=None, char=None)))
When I remove the first correlation from the file, "title: Correlation - Multiple Failed Logins Followed by Successful Login", then everything goes well with this output:
Parsing Sigma rules [####################################] 100%
source="WinEventLog:Security" EventCode IN (529, 4625)
| bin _time span=10m
| stats count as event_count by _time User
| search event_count >= 10
source="WinEventLog:Security" EventCode IN (528, 4624)
The same error occurs when I do it in a Python script using pySigma:
raise sigma_exceptions.SigmaConversionError(
sigma.exceptions.SigmaConversionError: Conversion result not available in rule SigmaCorrelationRule(applied_processing_items=set(), title='Correlation - Many failed logon', id=UUID('a8418a5a-5fc4-46b5-b23b-6c73beb19d41'), name='multiple_failed_login', related=None, status=None, description='Detects multiple failed logins within a certain amount of time', references=[], tags=[], author=None, date=None, modified=None, fields=[], falsepositives=[], level=None, errors=[], source=None, custom_attributes={'correlation': {'type': 'event_count', 'rules': ['failed_login'], 'group-by': ['User'], 'timespan': '10m', 'condition': {'gte': 10}}}, type=<SigmaCorrelationType.EVENT_COUNT: 1>, rules=[SigmaRuleReference(reference='failed_login')], generate=False, timespan=SigmaCorrelationTimespan(spec='10m', seconds=600, count=10, unit='m'), group_by=['User'], aliases=SigmaCorrelationFieldAliases(aliases={}), condition=SigmaCorrelationCondition(op=<SigmaCorrelationConditionOperator.GTE: 4>, count=10, fieldref=None, source=None))
Is there some issue with chaining correlations, or did I do something wrong?
I would appreciate any help.
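For readers who want to see what the chained correlation is meant to compute, here is an added example (not code from the post or from the pySigma project): a plain-Python implementation of the rule's semantics, at least 10 failed logons (EventCode 529/4625) per User within 10 minutes, followed by a successful logon (528/4624) for that user inside the same window, run over constructed sample events. The `correlate` function and the sample data are my own and are not pySigma APIs.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real data): (time, EventCode, User)
_T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # alice: 10 failed logons in under five minutes, then a success -> should alert
    [(_T0 + timedelta(seconds=30 * i), 4625, "alice") for i in range(10)]
    + [(_T0 + timedelta(minutes=5), 4624, "alice")]
    # bob: only 3 failures before the success -> below threshold, no alert
    + [(_T0 + timedelta(seconds=20 * i), 4625, "bob") for i in range(3)]
    + [(_T0 + timedelta(minutes=2), 4624, "bob")]
    # carol: 10 failures spread over 18 minutes -> never 10 inside one 10m window
    + [(_T0 + timedelta(minutes=2 * i), 4625, "carol") for i in range(10)]
    + [(_T0 + timedelta(minutes=19), 4624, "carol")]
)

FAILED = {529, 4625}   # legacy and modern "failed logon" event IDs from the rule
SUCCESS = {528, 4624}  # legacy and modern "successful logon" event IDs from the rule


def correlate(events, timespan=timedelta(minutes=10), threshold=10):
    """Return (user, burst_start, success_time) for the first burst per user in
    which failed logons reach `threshold` within `timespan` and a successful
    logon for that user follows, still inside the window.  This uses a sliding
    window; the Splunk translation's `bin _time span=10m` approximates it with
    fixed 10-minute buckets, so edge cases straddling a bucket boundary differ."""
    by_user = {}
    for ts, code, user in sorted(events):
        slot = by_user.setdefault(user, {"fail": [], "ok": []})
        if code in FAILED:
            slot["fail"].append(ts)
        elif code in SUCCESS:
            slot["ok"].append(ts)
    hits = []
    for user, ev in by_user.items():
        fails = ev["fail"]
        for i, start in enumerate(fails):
            window_end = start + timespan
            in_window = [t for t in fails[i:] if t <= window_end]
            if len(in_window) < threshold:
                continue
            burst_end = in_window[threshold - 1]
            # success must come after the threshold was reached but within the window
            ok = [t for t in ev["ok"] if burst_end < t <= window_end]
            if ok:
                hits.append((user, start, ok[0]))
                break  # one alert per user, matching the first qualifying burst
    return hits
```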