From ea6cff5e77671568ade3068948ab715fc2144210 Mon Sep 17 00:00:00 2001
From: Thomas Patzke <thomas@patzke.org>
Date: Thu, 9 Jan 2025 23:01:04 +0100
Subject: [PATCH] Added test for fix

---
 tests/test_processing_transformations.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tests/test_processing_transformations.py b/tests/test_processing_transformations.py
index 42b26637..0799902e 100644
--- a/tests/test_processing_transformations.py
+++ b/tests/test_processing_transformations.py
@@ -493,6 +493,26 @@ def test_field_prefix_mapping(dummy_pipeline, field_prefix_mapping_transformatio
     }
 
 
+def test_field_prefix_mapping_keyword_detection(
+    dummy_pipeline, keyword_sigma_rule, field_prefix_mapping_transformation
+):
+    field_prefix_mapping_transformation.set_pipeline(dummy_pipeline)
+    field_prefix_mapping_transformation.apply(keyword_sigma_rule)
+    assert keyword_sigma_rule.detection.detections["test"] == SigmaDetection(
+        [
+            SigmaDetectionItem(
+                None,
+                [],
+                [
+                    SigmaString("value1"),
+                    SigmaString("value2"),
+                    SigmaString("value3"),
+                ],
+            ),
+        ]
+    )
+
+
 def test_field_prefix_mapping_correlation_rule(
     dummy_pipeline, sigma_correlation_rule, field_prefix_mapping_transformation
 ):