Open
Description
The current specification allows multiple fields in correlation.condition.field. It seems that it's only supported for the value_count correlation type. The expected behavior in this case is unclear; the specification states: "When you use multiple values in field they are linked by an AND." It does not clearly define how that should work in correlation logic. This might be a good opportunity to clarify or update the specification.
Specification for value_count correlation
JSON schema correlation condition field definition
Additionally, it appears that pySigma does not support a list in this field and returns an error.
```
Parsing Sigma rules [####################################] 100%
Traceback (most recent call last):
  File "/usr/bin/sigma", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/lib/python3.13/site-packages/sigma/cli/main.py", line 81, in main
    cli()
    ~~~^^
  File "/usr/lib/python3.13/site-packages/click/core.py", line 1462, in __call__
    return self.main(*args, **kwargs)
           ~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/click/core.py", line 1383, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.13/site-packages/click/core.py", line 1850, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/click/core.py", line 1246, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/click/core.py", line 814, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3.13/site-packages/sigma/cli/convert.py", line 297, in convert
    result = backend.convert(rule_collection, format, correlation_method)
  File "/usr/lib/python3.13/site-packages/sigma/conversion/base.py", line 173, in convert
    else self.convert_correlation_rule(
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        rule, output_format or self.default_format, correlation_method
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3.13/site-packages/sigma/conversion/base.py", line 581, in convert_correlation_rule
    self.last_processing_pipeline.apply(rule)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3.13/site-packages/sigma/processing/pipeline.py", line 634, in apply
    applied = item.apply(self, rule)
  File "/usr/lib/python3.13/site-packages/sigma/processing/pipeline.py", line 395, in apply
    self.transformation.apply(pipeline, rule)
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/sigma/processing/transformations.py", line 207, in apply
    mapped_field = _apply_field_name(fieldref)
  File "/usr/lib/python3.13/site-packages/sigma/processing/transformations.py", line 164, in _apply_field_name
    result = self.apply_field_name(field)
  File "/usr/lib/python3.13/site-packages/sigma/processing/transformations.py", line 529, in apply_field_name
    mapping = self.get_mapping(field) or field
              ~~~~~~~~~~~~~~~~^^^^^^^
  File "/usr/lib/python3.13/site-packages/sigma/processing/transformations.py", line 508, in get_mapping
    return self.mapping.get(field)
           ~~~~~~~~~~~~~~~~^^^^^^^
TypeError: unhashable type: 'list'
```
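The traceback ends in `dict.get()` being handed the whole `condition.field` value, which is a list when the rule uses several fields. The following is an added example, not code from the issue, from pySigma or from the Sigma specification: it reproduces that failure with a minimal field-mapping step, then shows a normalisation that accepts either a scalar or a list in `condition.field` and maps each entry. The rule, the field mapping and the function names are constructed for the example; the check that only `value_count` may carry a list follows the reading given in the issue above and is an assumption, not spec text.

```python
# Added example (not pySigma or Sigma-specification code). Shows why a list in
# correlation.condition.field trips a dict lookup, and one way to handle it.
from typing import Union

# Constructed correlation rule in the shape the parser hands to a processing
# pipeline; the base rule name and field names are invented for the example.
VALUE_COUNT_RULE = {
    "title": "Many distinct destinations from one source",
    "correlation": {
        "type": "value_count",
        "rules": ["some_base_rule"],
        "group-by": ["src_ip"],
        "timespan": "5m",
        "condition": {"field": ["dst_ip", "dst_port"], "gte": 10},
    },
}

# Constructed field-name mapping, the kind of table a field-mapping
# transformation holds (source field -> target schema field).
FIELD_MAPPING = {
    "src_ip": "source.ip",
    "dst_ip": "destination.ip",
    "dst_port": "destination.port",
}


def naive_map_field(field, mapping):
    """Mirrors the failing call in the traceback: dict.get() on whatever the
    rule put into condition.field. A list is not hashable, so this raises."""
    return mapping.get(field) or field


def normalize_fields(field: Union[str, list]) -> list:
    """Accept a single field name or a list of names; always return a list
    of strings, rejecting anything else with a clear error."""
    if isinstance(field, str):
        return [field]
    if isinstance(field, list) and field and all(isinstance(f, str) for f in field):
        return list(field)
    raise TypeError(
        f"condition.field must be a string or a non-empty list of strings, "
        f"got {type(field).__name__}"
    )


def validate_condition_field(rule) -> bool:
    """Assumption from the issue text: only value_count correlations take
    multiple fields. Returns True if the rule's condition.field is acceptable."""
    corr = rule["correlation"]
    fields = normalize_fields(corr["condition"]["field"])
    if len(fields) > 1 and corr["type"] != "value_count":
        raise ValueError(
            f"correlation type {corr['type']!r} does not allow multiple "
            f"fields in condition.field: {fields}"
        )
    return True


def map_condition_fields(rule, mapping) -> list:
    """Apply the field mapping to every entry of condition.field. Scalars and
    lists are both handled; unmapped names pass through unchanged."""
    validate_condition_field(rule)
    fields = normalize_fields(rule["correlation"]["condition"]["field"])
    return [mapping.get(f, f) for f in fields]


def reproduce_error(rule, mapping):
    """Return the error the naive path raises for this rule, or None."""
    try:
        naive_map_field(rule["correlation"]["condition"]["field"], mapping)
    except TypeError as exc:
        return f"{type(exc).__name__}: {exc}"
    return None


if __name__ == "__main__":
    print(reproduce_error(VALUE_COUNT_RULE, FIELD_MAPPING))
    print(map_condition_fields(VALUE_COUNT_RULE, FIELD_MAPPING))
```

Normalising to a list before the lookup removes the crash, but it does not settle what "linked by an AND" means for counting; that still needs the specification to say whether the count is over distinct tuples of the listed fields or something else.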