Merge pull request #278 from m4dh4t:issue-277

Fix Correlation rules finalization
SigmaHQ · Sep 17, 2024 · ba25155 · ba25155
2 parents 85bb1d1 + 7a80a2e
commit ba25155
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 19 deletions.
diff --git a/sigma/conversion/base.py b/sigma/conversion/base.py
@@ -200,16 +200,21 @@ def convert_rule(self, rule: SigmaRule, output_format: Optional[str] = None) ->
             ]
 
             error_state = "finalizing query for"
-            finalized_queries = [  # 3. Postprocess generated query
-                self.finalize_query(
-                    rule,
-                    query,
-                    index,
-                    states[index],
-                    output_format or self.default_format,
-                )
-                for index, query in enumerate(queries)
-            ]
+            # 3. Postprocess generated query if not part of a correlation rule
+            finalized_queries = (
+                [
+                    self.finalize_query(
+                        rule,
+                        query,
+                        index,
+                        states[index],
+                        output_format or self.default_format,
+                    )
+                    for index, query in enumerate(queries)
+                ]
+                if not rule._backreferences
+                else queries
+            )
             rule.set_conversion_result(finalized_queries)
             rule.set_conversion_states(states)
             if rule._output:
@@ -552,19 +557,39 @@ def convert_correlation_rule(
                 f"Correlation method '{method}' is not supported by backend '{self.name}'."
             )
         self.last_processing_pipeline.apply(rule)
-        if rule.type == SigmaCorrelationType.EVENT_COUNT:
-            return self.convert_correlation_event_count_rule(rule, output_format, method)
-        elif rule.type == SigmaCorrelationType.VALUE_COUNT:
-            return self.convert_correlation_value_count_rule(rule, output_format, method)
-        elif rule.type == SigmaCorrelationType.TEMPORAL:
-            return self.convert_correlation_temporal_rule(rule, output_format, method)
-        elif rule.type == SigmaCorrelationType.TEMPORAL_ORDERED:
-            return self.convert_correlation_temporal_ordered_rule(rule, output_format, method)
-        else:
+        correlation_methods = {
+            SigmaCorrelationType.EVENT_COUNT: self.convert_correlation_event_count_rule,
+            SigmaCorrelationType.VALUE_COUNT: self.convert_correlation_value_count_rule,
+            SigmaCorrelationType.TEMPORAL: self.convert_correlation_temporal_rule,
+            SigmaCorrelationType.TEMPORAL_ORDERED: self.convert_correlation_temporal_ordered_rule,
+        }
+        if rule.type not in correlation_methods:
             raise NotImplementedError(
                 f"Conversion of correlation rule type {rule.type} is not implemented."
             )
 
+        # Convert the correlation rule depending on its type
+        queries = correlation_methods[rule.type](rule, output_format, method)
+
+        states = [
+            ConversionState(processing_state=dict(self.last_processing_pipeline.state))
+            for _ in queries
+        ]
+
+        # Apply the finalization step
+        finalized_query = [
+            self.finalize_query(
+                rule,
+                query,
+                index,
+                states[index],
+                output_format or self.default_format,
+            )
+            for index, query in enumerate(queries)
+        ]
+
+        return finalized_query
+
     @abstractmethod
     def convert_correlation_event_count_rule(
         self,

diff --git a/tests/test_conversion_correlations.py b/tests/test_conversion_correlations.py
@@ -2,6 +2,8 @@
 from sigma.backends.test import TextQueryTestBackend
 from sigma.collection import SigmaCollection
 from sigma.exceptions import SigmaBackendError, SigmaConversionError
+from sigma.processing.pipeline import ProcessingPipeline, QueryPostprocessingItem
+from sigma.processing.postprocessing import EmbedQueryTransformation
 from .test_conversion_base import test_backend
 
 
@@ -385,3 +387,18 @@ def test_correlation_normalization_not_supported(
         NotImplementedError, match="Correlation field normalization is not supported"
     ):
         test_backend.convert(temporal_ordered_correlation_rule)
+
+
+def test_correlation_query_postprocessing(event_count_correlation_rule):
+    test_backend = TextQueryTestBackend(
+        ProcessingPipeline(
+            postprocessing_items=[
+                QueryPostprocessingItem(EmbedQueryTransformation(prefix="[ ", suffix=" ]"))
+            ]
+        )
+    )
+    assert test_backend.convert(event_count_correlation_rule) == [
+        """[ EventID=4625
+| aggregate window=5min count() as event_count by TargetUserName, TargetDomainName, fieldB
+| where event_count >= 10 ]"""
+    ]