Splunk backend allegedly doesn't support OR conditions in regex, but fails to detect them (and for some reason creates a newline before | regex) #29

Open
@joshnck

Description

sigma convert --target 'splunk' --pipeline /home/jump/git/win_evt_pipeline.yml /home/jump/git/sigma/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml --skip-unsupported
Parsing Sigma rules  [####################################]  100%
[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
allow_skew = 5m
[9ac8b09b-45de-4a07-9da1-0de8c09304a3]
search = index="winevent"
| regex Payload=".*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"" | eval rule="9ac8b09b-45de-4a07-9da1-0de8c09304a3", title="Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" | collect index=notable_events
description = Detects Obfuscated use of stdin to execute PowerShell

This is the output after using the .yml template:

# Global win eventlog index
transformations:
  - id: index_condition
    type: add_condition
    conditions:
      index: winevent
    rule_conditions:
      - type: logsource
        product: windows


postprocessing:
- type: template
  template: |+
    [{{ rule.id }}]
    search = {{ query }} | eval rule="{{ rule.id }}", title="{{ rule.title }}" | collect index=notable_events
    description = {{ rule.description }}

finalizers:
- type: concat
  prefix: |
    [default]
    dispatch.earliest_time = -30d
    dispatch.latest_time = now
    enableSched = 1
    cron_schedule = */15 * * * *
    allow_skew = 5m

This is mostly a copy from your blog post, so I would expect the results to work fine. Unfortunately, when applying this to the entire /windows/ folder of Sigma rules, it fails to properly format many of the savedsearches, resulting in bad searches of index=winevent without the | regex section properly appended.

So there are two problems:

  1. The backend says it does not support an OR in a regex statement, but when encountering one under some scenarios it doesn't drop the failure code "ORing regular expressions is not yet supported by Splunk backend in..."
  2. The postprocessing insists on adding an extra newline before the |. I have not tested this with a non-YAML pipeline.

EDIT
If I modify the YAML to be search = {{ query | replace("\n"," ") }}, this works, but only when processing one rule at a time. When I attempt to run this against the entire /windows/ folder, it still fails in the same way.

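The two symptoms in the report (a search value split onto a second physical line, and a stanza whose search is only index=winevent with nothing appended) can be caught mechanically before the file reaches Splunk. The script below is an added example for this page, not code from pySigma, the Splunk backend or Splunk itself. Its .conf parser is a minimal hypothetical one written for the example, and the second stanza in the sample input (nil UUID, invented title and description) is constructed to stand in for a rule whose detection was dropped; the first stanza is the one from the report.

```python
"""Lint a savedsearches.conf emitted by a pySigma Splunk pipeline.

Added example, not pySigma or Splunk code.  Per stanza it flags:
  1. a `search` value spread over several physical lines (the newline
     before `| regex`), which the .conf format does not read as one value;
  2. a `search` that is only the index filter, i.e. a rule whose detection
     logic was never appended.  Scheduled with `| collect`, that search
     would copy every event in the index into notable_events.
The parser is a minimal, hypothetical one (comments are dropped; only
`key = value` plus bare continuation lines are understood).
"""
import re
from dataclasses import dataclass, field

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z_][\w.]*)\s*=\s*(?P<value>.*)$")
# Index filter alone, optionally followed by the template's own
# `| eval ... | collect ...` boilerplate and nothing else.
INDEX_ONLY_RE = re.compile(r'index=\S+\s*(\|\s*eval\s.*)?')

# Constructed input: the stanza from the report plus a made-up stanza
# (nil UUID, invented title) for a rule whose detection was dropped.
SAMPLE_CONF = r'''
[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
allow_skew = 5m
[9ac8b09b-45de-4a07-9da1-0de8c09304a3]
search = index="winevent"
| regex Payload=".*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"" | eval rule="9ac8b09b-45de-4a07-9da1-0de8c09304a3", title="Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" | collect index=notable_events
description = Detects Obfuscated use of stdin to execute PowerShell
[00000000-0000-0000-0000-000000000000]
search = index="winevent" | eval rule="00000000-0000-0000-0000-000000000000", title="Constructed example of a dropped detection" | collect index=notable_events
description = Constructed stanza for this example, not a real Sigma rule
'''


@dataclass
class Stanza:
    name: str
    keys: dict = field(default_factory=dict)
    # key -> number of physical lines the raw value occupied in the file
    raw_lines: dict = field(default_factory=dict)


def parse_conf(text):
    """Parse INI-style text into Stanza objects.  A line that is neither a
    `[header]` nor `key = value` is appended to the previous value (joined
    with one space) and counted, so split values can be detected."""
    stanzas, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = Stanza(header.group("name"))
            stanzas.append(current)
            last_key = None
            continue
        if current is None:
            continue  # value before any stanza header: ignore
        kv = KEY_RE.match(line)
        if kv:
            last_key = kv.group("key")
            current.keys[last_key] = kv.group("value").rstrip()
            current.raw_lines[last_key] = 1
        elif last_key is not None:
            current.keys[last_key] += " " + line.strip()
            current.raw_lines[last_key] += 1
    return stanzas


def lint(stanzas):
    """Return {stanza name: [problem, ...]} for every stanza that looks broken."""
    problems = {}
    for st in stanzas:
        search = st.keys.get("search")
        if st.name == "default" or search is None:
            continue
        found = []
        if st.raw_lines["search"] > 1:
            found.append("search value split across %d physical lines"
                         % st.raw_lines["search"])
        if INDEX_ONLY_RE.fullmatch(search):
            found.append("search is only the index filter; no detection logic was appended")
        if found:
            problems[st.name] = found
    return problems


def join_split_values(text):
    """Re-emit the conf with each value on one line, the same effect as the
    `replace("\\n", " ")` template filter tried in the report."""
    out = []
    for st in parse_conf(text):
        out.append("[%s]" % st.name)
        out.extend("%s = %s" % kv for kv in st.keys.items())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, issues in lint(parse_conf(SAMPLE_CONF)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Joining the split line repairs the first symptom only; a stanza that still reads as index filter plus `| eval`/`| collect` after joining is a rule the backend failed on, and it should be removed from the file rather than scheduled, since it would collect every event in the index as a notable.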

Labels: bug (Something isn't working)