Fix missing fields in to_dict() methods

[nzedler]

SigmaCorrelationCondition to_dict() method

The "field" field of a condition is missing in the to_dict() method of SigmaCorrelationCondition.

I found the bug when converting a value_count SigmaCorrelation rule to_dict() and then importing the created dictionary via from_dict(), resulting in a "sigma.exceptions.SigmaCorrelationRuleError: Value count correlation rule without field reference".

Example:

condition:
    field: User
    gte: 99

SigmaCorrelationCondition.to_dict() results in the version with the bug in:

{"gte": 99}

Now it is correctly:

{"field": "User", "gte": 99}

SigmaRuleBase to_dict() method

The rule "name" field is missing in the to_dict() method of SigmaRuleBase.

941     # Convert to string where possible
942     for field in ("id", "status", "level", "author", "description"):
943         if (s := self.__getattribute__(field)) is not None:
944            d[field] = str(s)

The simple fix:

941     # Convert to string where possible
942     for field in ("id", "status", "level", "author", "description", "name"):
943         if (s := self.__getattribute__(field)) is not None:
944            d[field] = str(s)

[thomaspatzke]

Thanks for the fix! Totally forgot about to_dict() when I extended the class.

Can you also fix the test test_sigmarule_to_dict? The name field is missing here in the test result.

[nzedler]

Is done, I fixed the test test_sigmarule_to_dict() and additionaly added the following test_correlation_condition_with_field_to_dict() in tests/test_correlations.py:

def test_correlation_condition_with_field_to_dict():
    assert SigmaCorrelationCondition(
        op=SigmaCorrelationConditionOperator.GTE,
        count=10,
        fieldref="test"
    ).to_dict() == {
        "field": "test",
        "gte": 10
    }

You can close the two issues I created when the pull request is merged.

[thomaspatzke]

The tests failed due to lack of formatting with black. Just committed, now it works.