From 1fbd2bba4dcddfa0223a1d34dea893be6d3f9913 Mon Sep 17 00:00:00 2001
From: Thomas Patzke <thomas@patzke.org>
Date: Thu, 8 Sep 2022 17:57:36 +0200
Subject: [PATCH] Wrapped all-modifier result into NodeSubexpression

Fixes sigmac splunk backend: Wrong conversion for |contains|all #3443
---
 tools/sigma/parser/modifiers/transform.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py
index 8a5267999..b66eaf9c9 100644
--- a/tools/sigma/parser/modifiers/transform.py
+++ b/tools/sigma/parser/modifiers/transform.py
@@ -72,7 +72,7 @@ class SigmaAllValuesModifier(SigmaTransformModifier):
         cond = ConditionAND()
         for val in self.value:
             cond.add(val)
-        return cond
+        return NodeSubexpression(cond)
 
 class SigmaBase64Modifier(ListOrStringModifierMixin, SigmaTransformModifier):
     """Encode strings with Base64"""