Transformer to split detection item based on field and value

[barvhaim]

Hi, the goal I am trying to achieve is splitting a detection item via a transformer, based on field and value, for example, given a sigma rule with detection item field: /v1/v2.exe I would to split to two detection items, field1: /v1/ AND field2: v2.exe.

first question, do you suggest doing so in a transformer? or in the backend logic itself? if so with a transformer, how do I build the new nodes? I believe it should use DetectionItemTransformation as base, but wasn't sure how to replace the original node with 2 new nodes with AND in between.

Looking forward for suggestions

[thomaspatzke]

Hi! Yes, this is a use case for the processing pipelines and a DetectionItemTransformation would be the appropriate base class. You can simply return a SigmaDetection containing the SigmaDetectionItems the value was splitted into. Because the SigmaDetectionItems of a SigmaDetection are implicitely AND-linked, nothing further has to be done.

[barvhaim]

@thomaspatzke
I managed to do it, but the difficulty I am facing is on how to return from apply_detection_item multiple SigmaDetections (in case the value has multiple values)

detection:
  filename: 
     - x
     - y
     - z

so each x,y,z I have to split to a separate SigmaDetection and return all linked with OR, but the function allows returning only SigmaDetection, SigmaDetectionItem

[thomaspatzke]

The list is implicitly OR-linked, therefore no split into distinct SigmaDetections is required.