Within the Sigma specification, conditions can be either a string or a list of strings, which is fine.
However, pySigma-backend-loki does not exhibit consistent behaviour with other backends, which break out a list of strings into multiple queries; instead, pysigma-backend-loki creates multiple queries but groups all of the query terms into the first query.
This appears to be to do with the handling of lists within the backend, as a dict will work as expected. The issue is likely that the lists are being pulled up to the top query rather than residing in their own query.
Taking this Sigma Rule for example:
With a Splunk SPL backend we get the following result:
Whilst the Loki backend produces the following queries:
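To make the expected behaviour concrete, here is an added, self-contained illustration (not code from pySigma or pysigma-backend-loki, and not the rule or output from the original issue) that normalises a Sigma `condition` given as either a string or a list and emits one query per list entry, so that the terms of one condition never leak into another. The rule, the `{job="winlog"}` stream selector and the simplified LogQL-like output format are constructed for the example; only plain equality fields and `and`/`or`/`not` in conditions are handled.

```python
"""Toy converter showing the Sigma condition rule: a string or a list of
strings, where every list entry becomes its own query. Constructed
illustration, not pySigma or pysigma-backend-loki code."""
import re

# Constructed sample rule (not the rule from the original issue).
SAMPLE_RULE = {
    "title": "Constructed example",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_a": {"EventID": 4688, "Image": "cmd.exe"},
        "selection_b": {"EventID": 4688, "Image": "powershell.exe"},
        "filter": {"User": "SYSTEM"},
        # A list of conditions: the spec treats each entry as a separate query.
        "condition": ["selection_a and not filter", "selection_b"],
    },
}

_KEYWORDS = {"and", "or", "not"}


def normalize_conditions(detection):
    """Return the condition(s) as a list, whether given as str or list."""
    cond = detection["condition"]
    return [cond] if isinstance(cond, str) else list(cond)


def selection_to_terms(fields):
    """Render one named selection as a parenthesised conjunction of equalities."""
    parts = [f'{field}="{value}"' for field, value in fields.items()]
    return "(" + " and ".join(parts) + ")"


def condition_to_query(condition, detection):
    """Build a query for ONE condition string, substituting each selection
    name with its own terms; boolean keywords pass through unchanged.
    (Aggregations and '1 of ...' forms are out of scope for this toy.)"""
    def substitute(match):
        token = match.group(0)
        if token in _KEYWORDS:
            return token
        return selection_to_terms(detection[token])
    expr = re.sub(r"[A-Za-z_][A-Za-z0-9_]*", substitute, condition)
    # Hypothetical simplified output shape, not the real backend's LogQL.
    return '{job="winlog"} | logfmt | ' + expr


def rule_to_queries(rule):
    """One query per condition entry; a string condition yields one query."""
    detection = rule["detection"]
    return [condition_to_query(c, detection) for c in normalize_conditions(detection)]
```

Running `rule_to_queries(SAMPLE_RULE)` yields two queries, the first carrying only `selection_a` and `filter` terms and the second only `selection_b`, which is the per-entry split the issue expects from the backend.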