From 203aa192c7d253d3cc52298a310d3ed374bf25fa Mon Sep 17 00:00:00 2001 From: Brad Kish Date: Thu, 18 Jun 2020 13:01:31 -0400 Subject: [PATCH] Fix multiple references to default field mapping in same rule If there is a default mapping specified for a fieldmapping and that field is referenced multiple times in the rule, the default mapping will be "pop"ped and return the unmapped key on subsequent uses. Don't pop the value. Just return the first entry. --- tools/sigma/config/mapping.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py index 7d3374165..28ff28772 100644 --- a/tools/sigma/config/mapping.py +++ b/tools/sigma/config/mapping.py @@ -125,9 +125,9 @@ class ConditionalFieldMapping(SimpleFieldMapping): if len(targets) == 1: # result set contains only one target, return mapped item (like SimpleFieldMapping) if value is None: - return ConditionNULLValue(val=targets.pop()) + return ConditionNULLValue(val=targets[0]) else: - return (targets.pop(), value) + return (targets[0], value) elif len(targets) > 1: # result set contains multiple targets, return all linked as OR condition (like MultiFieldMapping) cond = ConditionOR() for target in targets: