diff --git a/sigma/conversion/base.py b/sigma/conversion/base.py
index 7d18597..04eefab 100644
--- a/sigma/conversion/base.py
+++ b/sigma/conversion/base.py
@@ -133,6 +133,9 @@ class Backend(ABC):
 collect_errors: bool = False
 errors: List[Tuple[SigmaRule, SigmaError]]
+ # Perform finalization on all queries used in a correl
+ finalize_correlation_subqueries = False
+
 # in-expressions
 convert_or_as_in: ClassVar[bool] = False # Convert OR as in-expression
 convert_and_as_in: ClassVar[bool] = False # Convert AND as in-expression
@@ -223,7 +226,7 @@ def convert_rule(self, rule: SigmaRule, output_format: Optional[str] = None) ->
 )
 for index, query in enumerate(queries)
 ]
- if not rule._backreferences
+ if self.finalize_correlation_subqueries or not rule._backreferences
 else queries
 )
 rule.set_conversion_result(finalized_queries)
diff --git a/tests/test_conversion_correlations.py b/tests/test_conversion_correlations.py
index 03b9c52..5ea91dd 100644
--- a/tests/test_conversion_correlations.py
+++ b/tests/test_conversion_correlations.py
@@ -469,3 +469,19 @@ def test_correlation_query_postprocessing(event_count_correlation_rule):
 | aggregate window=5min count() as event_count by TargetUserName, TargetDomainName, fieldB
 | where event_count >= 10 ]"""
 ]
+
+
+def test_correlation_subqueries_finalization(monkeypatch, event_count_correlation_rule):
+ test_backend = TextQueryTestBackend(
+ ProcessingPipeline(
+ postprocessing_items=[
+ QueryPostprocessingItem(EmbedQueryTransformation(prefix="[ ", suffix=" ]"))
+ ]
+ )
+ )
+ monkeypatch.setattr(test_backend, "finalize_correlation_subqueries", True)
+ assert test_backend.convert(event_count_correlation_rule) == [
+ """[ [ EventID=4625 ]
+| aggregate window=5min count() as event_count by TargetUserName, TargetDomainName, fieldB
+| where event_count >= 10 ]"""
+ ]
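Review bot: The new attribute `finalize_correlation_subqueries = False` is unannotated while its neighbours `convert_or_as_in: ClassVar[bool] = False` and `convert_and_as_in: ClassVar[bool] = False` carry `ClassVar[bool]`, and its comment breaks off mid-word (`# Perform finalization on all queries used in a correl`). Suggest `finalize_correlation_subqueries: ClassVar[bool] = False` with the comment completed as `# Finalize (including postprocessing) every sub-query referenced by a correlation rule, not only the top-level correlation query`; the new test sets the flag per instance via monkeypatch, which keeps working with a ClassVar annotation. The Backend class body starts and ends outside this hunk, so whether the flag is meant as a per-backend-class constant or a per-instance setting like `collect_errors` cannot be confirmed from here and should be stated in the comment.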
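Review bot: The changed condition `if self.finalize_correlation_subqueries or not rule._backreferences` encodes a non-obvious rule — a rule that is back-referenced by a correlation skips finalization unless the backend opts in — and a reader cannot tell from the line why a correlation reference suppresses finalization, so it deserves a why-comment. Suggest placing above it: `# Rules back-referenced by a correlation are presumably passed on unfinalized so the correlation query can embed them; a backend sets finalize_correlation_subqueries when its correlation syntax expects each sub-query already finalized.` With the flag set, every postprocessing item also runs on each sub-query, which the new test shows as the doubly embedded `[ [ EventID=4625 ] … ]` result; backend authors enabling it should confirm their postprocessing is safe to apply once per sub-query and once more on the correlation query. convert_rule's body starts and ends outside the hunk.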