SigmaHQ/tests/mapping-conditional-multi.yml

title: Contional mapping with multiple targets
status: testing
description: Logpoint configuration causes conditional mapping with multiple results
author: Thomas Patzke
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        SubjectAccountName: Test
    condition: selection
fields:
    - EventID
    - SubjectAccountName
Increased test coverage for mapping corner cases 2018-10-16 12:53:12 +00:00			`title: Contional mapping with multiple targets`
Update rules to follow the Sigma state specification The [Sigma specification's status component](https://github.com/Neo23x0/sigma/wiki/Specification#status-optional) states the following: > Declares the status of the rule: > - stable: the rule is considered as stable and may be used in production systems or dashboards. > - test: an almost stable rule that possibly could require some fine tuning. > - experimental: an experimental rule that could lead to false results or be noisy, but could also identify interesting events. However the Sigma Rx YAML specification states the following: > ```yaml > status: > type: //any > of: > - type: //str > value: stable > - type: //str > value: testing > - type: //str > value: experimental > ``` The specification confuses the `test` and `testing` state. This commit changes the `test` state into the `testing` state which is already used in the code-base: - [`sigma/sigma-schema.rx.yml`](https://github.com/Neo23x0/sigma/blob/a805d18bbae60d3e4f291c8a18304104ed2e71c7/sigma-schema.rx.yml#L49) - [`sigma/tools/sigma/filter.py`](https://github.com/Neo23x0/sigma/blob/f3c60a63099f80296c8750aaba667e98ac71a4f7/tools/sigma/filter.py#L26) - [`sigma/tools/sigmac`](https://github.com/Neo23x0/sigma/blob/4e42bebb3480720966a59528cd8482c6271e603c/tools/sigmac#L98) Although not modifyable through a PR, the specification should furthermore be updated to use the `testing` state. 2020-04-24 18:50:31 +00:00			`status: testing`
Increased test coverage for mapping corner cases 2018-10-16 12:53:12 +00:00			`description: Logpoint configuration causes conditional mapping with multiple results`
			`author: Thomas Patzke`
			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 4624`
			`SubjectAccountName: Test`
			`condition: selection`
			`fields:`
			`- EventID`
Added tests 2018-11-04 21:16:20 +00:00			`- SubjectAccountName`