Merge branch 'main' of https://github.com/SigmaHQ/pySigma-backend-splunk into main

Author: thomaspatzke

sigma/backends/splunk/splunk.py

@@ -95,9 +95,11 @@ def convert_condition_field_eq_val_cidr(self, cond : ConditionFieldEqualsValueEx
 
     def finalize_query_savedsearches(self, rule: SigmaRule, query: str, index: int, state: ConversionState) -> str:
         clean_title = rule.title.translate({ord(c): None for c in "[]"})      # remove brackets from title
+        escaped_description = "\\\n".join(rule.description.strip().split("\n")) if rule.description else ""      # support multi-line descriptions
         escaped_query = " \\\n".join(query.split("\n"))      # escape line ends for multiline queries
         return f"""
 [{clean_title}]
+description = {escaped_description}
 search = {escaped_query}"""
 
     def finalize_output_savedsearches(self, queries: List[str]) -> str:

tests/test_backend_splunk.py

@@ -220,6 +220,9 @@ def test_splunk_cidr_or(splunk_backend : SplunkBackend):
 def test_splunk_savedsearch_output(splunk_backend : SplunkBackend):
     rules = """
 title: Test 1
+description: |
+  this is a description
+  across two lines
 status: test
 logsource:
     category: test_category
@@ -248,10 +251,13 @@ def test_splunk_savedsearch_output(splunk_backend : SplunkBackend):
 dispatch.latest_time = now
 
 [Test 1]
+description = this is a description\\
+across two lines
 search = fieldB="foo" fieldC="bar" \\
 | regex fieldA="foo.*bar"
 
 [Test 2]
+description = 
 search = fieldA="foo" fieldB="bar\""""
 
 def test_splunk_data_model_process_creation():