From 41a8ef2fd99561ceff024cea8bb3f5027c1f58cf Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 13 Sep 2018 14:56:31 +0200
Subject: [PATCH] Implemented resolve_fieldname in FieldMappingChain
---
 tools/sigma/config/mapping.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py
index a62123acb..97d5a5caf 100644
--- a/tools/sigma/config/mapping.py
+++ b/tools/sigma/config/mapping.py
@@ -190,3 +190,21 @@ class FieldMappingChain(object):
 elif isinstance(mapping, SimpleFieldMapping):
 cond.add(mapping.resolve(key, value, sigmaparser))
 return cond
+
+ def resolve_fieldname(self, fieldname):
+ if type(self.fieldmappings) == str: # one field mapping
+ return self.fieldmappings
+ elif isinstance(self.fieldmappings, SimpleFieldMapping):
+ return self.fieldmappings.resolve_fieldname(fieldname)
+ elif type(self.fieldmappings) == set:
+ mappings = set()
+ for mapping in self.fieldmappings:
+ if type(mapping) == str:
+ mappings.add(mapping)
+ elif isinstance(mapping, SimpleFieldMapping):
+ resolved_mapping = mapping.resolve_fieldname(fieldname)
+ try:
+ mappings.update(iter(resolved_mapping))
+ except TypeError:
+ mappings.add(resolved_mapping)
+ return list(mappings)
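Review bot: In the set branch of `resolve_fieldname`, `mappings.update(iter(resolved_mapping))` reaches `except TypeError` only for non-iterables, and a `str` is iterable. If `SimpleFieldMapping.resolve_fieldname` (not shown in this hunk) returns a single field name as a string, the set is filled with its individual characters instead of the name. A backend consuming that result would presumably build its query against one-letter fields, which shows up as a rule that never matches rather than as an error. Test the type explicitly instead: `if isinstance(resolved_mapping, str): mappings.add(resolved_mapping)` followed by `else: mappings.update(resolved_mapping)`. The method also returns a `str` in the first branch, a `list` in the last, and implicitly `None` for any other type of `self.fieldmappings`, so a docstring stating the return contract, or a final `raise TypeError(...)`, would help callers.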