When concatenating rule condition expressions, it does not seem to be possible to concat more than two conditions with an or. Here is, as an example, my working solution in sigconverter.
So this is my working pipeline:

```yaml
name: test
priority: 10
transformations:
  - id: index_sourcetype
    type: add_condition
    conditions:
      index: 'myindex'
      sourcetype: 'mysourcetype'
    rule_conditions:
      logsource_cond:
        type: logsource
        category: cat
        product: prod
      filter_serv:
        type: logsource
        service: serv
      filter_serv1:
        type: logsource
        service: serv1
      filter_serv2:
        type: logsource
        service: serv2
    rule_cond_expr: logsource_cond and not ((filter_serv or filter_serv1) or filter_serv2)
```

I have three options that I want to filter out, but am only able to join those the following way:

```yaml
rule_cond_expr: logsource_cond and not ((filter_serv or filter_serv1) or filter_serv2)
```

What I expected to work was:

```yaml
rule_cond_expr: logsource_cond and not (filter_serv or filter_serv1 or filter_serv2)
```

Or maybe even a `1 of filters_*` option.

This is more an enhancement than a bug, but I did not find documentation about this behavior and was confused by it at first, so maybe it would be a nice UX enhancement.
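To show why a chain of `or` operands should not need extra parentheses, here is an added example that is not pySigma's own parser: a minimal recursive-descent evaluator for expressions of the `rule_cond_expr` shape used in this issue, where `or` and `and` are parsed as left-folded n-ary chains. The condition ids are the ones from the issue; their truth values in `forms_agree` are assumed and enumerated exhaustively.

```python
import re
from itertools import product

# Added example, not pySigma's parser: evaluates rule_cond_expr-style expressions
# over named boolean rule conditions. Precedence, lowest to highest: or < and < not.
# 'or' and 'and' are parsed as n-ary chains, so "a or b or c" needs no parentheses.
KEYWORDS = {"and", "or", "not", "(", ")"}


def evaluate(expr, conditions):
    tokens, pos = re.findall(r"\(|\)|\w+|\S", expr), 0  # ids, parens, stray chars
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'identifier'}, got {tok!r}")
        pos += 1
        return tok
    def chain(operand, keyword, combine):
        value = operand()  # operand (keyword operand)*, folded left-to-right
        while peek() == keyword:
            take(keyword)
            value = combine(value, operand())
        return value
    def parse_not():  # 'not' operand | '(' expression ')' | condition id
        if peek() == "not":
            take("not")
            return not parse_not()
        if peek() == "(":
            take("(")
            value = parse_or()
            take(")")
            return value
        name = take()
        if name in KEYWORDS or name not in conditions:
            raise ValueError(f"unknown rule condition {name!r}")
        return conditions[name]
    parse_and = lambda: chain(parse_not, "and", lambda a, b: a and b)
    parse_or = lambda: chain(parse_and, "or", lambda a, b: a or b)
    result = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected trailing tokens: {tokens[pos:]}")
    return result


def forms_agree(expr_a, expr_b, names):
    """True if both expressions agree for every true/false assignment of names."""
    cases = (dict(zip(names, v)) for v in product([False, True], repeat=len(names)))
    return all(evaluate(expr_a, c) == evaluate(expr_b, c) for c in cases)
```

With this grammar the nested and the flat form of the issue's expression are equivalent for all 16 assignments of the four conditions.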