From 2fb7dd5e99e0e8f41bb3f37c2c62ffe91c58de7d Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 23 Oct 2020 15:31:00 +0200
Subject: [PATCH] Fixes

* Removed Splunk regex query
* Added test for sumologic-cse backend

---
 Makefile | 1 +
 tools/sigma/backends/splunk.py | 14 +++-----------
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/Makefile b/Makefile
index 8439b5dd7..1bd3a4698 100644
--- a/Makefile
+++ b/Makefile
@@ -59,6 +59,7 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness-epl -c netwitness-epl rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic-cse -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py
index c537cb6c4..c2bfb96b5 100644
--- a/tools/sigma/backends/splunk.py
+++ b/tools/sigma/backends/splunk.py
@@ -18,8 +18,6 @@ import re
 import sigma
 from .base import SingleTextQueryBackend
 from .mixins import MultiRuleOutputMixin
-from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
-
 class SplunkBackend(SingleTextQueryBackend):
 """Converts Sigma rule into Splunk Search Processing Language (SPL)."""
@@ -70,7 +68,7 @@ class SplunkBackend(SingleTextQueryBackend):
 agg.aggfunc_notrans = 'dc'
 return " | eventstats %s(%s) as val by %s | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield or "", agg.groupfield or "", agg.cond_op, agg.condition)
-
+
 def generate(self, sigmaparser):
 """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
 columns = list()
@@ -108,7 +106,7 @@ class SplunkBackend(SingleTextQueryBackend):
 result += fields
 return result
-
+
 class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
 """Converts Sigma rule into XML used for Splunk Dashboard Panels"""
 identifier = "splunkxml"
@@ -177,9 +175,6 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
 class CrowdStrikeBackend(SplunkBackend):
 """Converts Sigma rule into CrowdStrike Search Processing Language (SPL)."""
 identifier = "crowdstrike"
- typedValueExpression = {
- SigmaRegularExpressionModifier: 'regex field=%s "%s"'
- }
 def generate(self, sigmaparser):
 lgs = sigmaparser.parsedyaml.get("logsource")
@@ -215,7 +210,4 @@ class CrowdStrikeBackend(SplunkBackend):
 raise NotImplementedError("Not supported logsources!")
 def generateMapItemTypedNode(self, fieldname, value):
- if isinstance(value, SigmaRegularExpressionModifier):
- return self.typedValueExpression.get(type(value)) % (fieldname, value)
- else:
- return super().generateMapItemTypedNode(fieldname=fieldname, value=value)
\ No newline at end of file
+ return super().generateMapItemTypedNode(fieldname=fieldname, value=value)
\ No newline at end of file
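Review bot: After the regex branch is dropped, `CrowdStrikeBackend.generateMapItemTypedNode` in hunk @@ -215 is a pass-through override that only forwards `fieldname` and `value` to `super()`, so the two surviving lines `def generateMapItemTypedNode(self, fieldname, value):` / `return super().generateMapItemTypedNode(fieldname=fieldname, value=value)` should be deleted and the inherited method left to resolve on its own; the `typedValueExpression` removal in hunk @@ -177 already took away the only thing that justified the override. With the `regex field=` expression gone, a rule carrying a regular-expression-typed value now gets whatever the inherited implementation does, which this diff does not show — presumably an unsupported-modifier error rather than a query — so it is worth confirming that the Makefile's `crowdstrike` coverage run still exposes that, since it passes `-I`, which I believe tells sigmac to ignore backend errors. Both sides of the last hunk still carry `\ No newline at end of file`; since the final line is rewritten anyway, terminating the file with a newline would be cheap. The removed `isinstance` check was also the only visible user of the import dropped in hunk @@ -18, so that removal is consistent with the rest of the change.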