From f8436f938fe1732b81581f3db223170ab51b2720 Mon Sep 17 00:00:00 2001
From: "dmytro.tarnopolskyi"
Date: Mon, 4 Dec 2023 12:46:37 +0100
Subject: [PATCH] fix null field when translate to sigma
---
 .../app/converter/platforms/sigma/renders/sigma.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/siem-converter/app/converter/platforms/sigma/renders/sigma.py b/siem-converter/app/converter/platforms/sigma/renders/sigma.py
index a1dd5c17..3d793f1a 100644
--- a/siem-converter/app/converter/platforms/sigma/renders/sigma.py
+++ b/siem-converter/app/converter/platforms/sigma/renders/sigma.py
@@ -174,12 +174,16 @@ def generate_not(self, data: Any, source_mapping: SourceMapping):
 return not_node
 @staticmethod
- def generate_field(data: Field, source_mapping: SourceMapping):
+ def map_field(source_mapping: SourceMapping, generic_field_name: str) -> str:
+ field_name = source_mapping.fields_mapping.get_platform_field_name(generic_field_name)
+ return field_name or generic_field_name
+
+ def generate_field(self, data: Field, source_mapping: SourceMapping):
 source_id = source_mapping.source_id
 generic_field_name = data.generic_names_map[source_id]
 if not generic_field_name:
 raise StrictPlatformFieldException(field_name=data.source_name, platform_name="Sigma")
- field_name = source_mapping.fields_mapping.get_platform_field_name(generic_field_name)
+ field_name = self.map_field(source_mapping, generic_field_name)
 if data.operator.token_type != OperatorType.EQ:
 field_name = f"{field_name}|{data.operator.token_type}"
 if isinstance(data.values, list) and len(data.values) == 1 or isinstance(data.values, (str, int)):
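Review bot: The fallback in `map_field` (`return field_name or generic_field_name`) is silent, so a field with no Sigma mapping is written into the rule under its generic name and nobody is told; if the target log source does not use that name, the converted detection will never match. I would at least document the behaviour with a docstring such as `"""Return the platform field name, falling back to the generic name when the mapping has no entry."""` and surface the fallback to the user or a log wherever the converter reports translation issues. Separately, `@staticmethod` now decorates `map_field` and `generate_field` has become an instance method, so any caller that invoked `generate_field` without an instance (none is visible in this hunk) would need updating. `generate_field`'s body continues past the end of the hunk.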