Merge pull request #197 from nzedler/main

Fix missing fields in to_dict() methods
SigmaHQ · Mar 17, 2024 · 1e2f076 · 1e2f076
2 parents 4965899 + 32b7e9e
commit 1e2f076
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 2 deletions.
diff --git a/sigma/correlations.py b/sigma/correlations.py
@@ -106,7 +106,9 @@ def from_dict(
         return cls(op=cond_op, count=cond_count, fieldref=cond_field, source=source)
 
     def to_dict(self) -> dict:
-        return {self.op.name.lower(): self.count}
+        if not self.fieldref:
+            return {self.op.name.lower(): self.count}
+        return {self.op.name.lower(): self.count, "field": self.fieldref}
 
 
 @dataclass

diff --git a/sigma/rule.py b/sigma/rule.py
@@ -1011,7 +1011,7 @@ def to_dict(self) -> dict:
             "title": self.title,
         }
         # Convert to string where possible
-        for field in ("id", "status", "level", "author", "description"):
+        for field in ("id", "status", "level", "author", "description", "name"):
             if (s := self.__getattribute__(field)) is not None:
                 d[field] = str(s)
 

diff --git a/tests/test_correlations.py b/tests/test_correlations.py
@@ -430,6 +430,12 @@ def test_correlation_condition_with_field():
     assert cond.fieldref == "test"
 
 
+def test_correlation_condition_with_field_to_dict():
+    assert SigmaCorrelationCondition(
+        op=SigmaCorrelationConditionOperator.GTE, count=10, fieldref="test"
+    ).to_dict() == {"field": "test", "gte": 10}
+
+
 def test_correlation_condition_invalid_multicond():
     with pytest.raises(
         SigmaCorrelationConditionError,

diff --git a/tests/test_rule.py b/tests/test_rule.py
@@ -1188,6 +1188,7 @@ def test_sigmarule_to_dict(sigma_rule: SigmaRule):
     assert sigma_rule.to_dict() == {
         "title": "Test",
         "id": "9a6cafa7-1481-4e64-89a1-1f69ed08618c",
+        "name": "test",
         "status": "test",
         "description": "This is a test",
         "references": [