Updated tests

rules/net_connection_win_wscript.yml

@@ -1,6 +1,6 @@
 logsource:
-  category: network_connection
   product: windows
+  category: network_connection
 detection:
   selection:
     Image|endswith: '\wscript.exe'

sigma/backends/powershell/powershell.py

@@ -53,7 +53,7 @@ class PowerShellBackend(TextQueryBackend):
     escape_char: ClassVar[str] = "\\"    # Escaping character for special characrers inside string
     wildcard_multi: ClassVar[str] = "*"     # Character used as multi-character wildcard
     wildcard_single: ClassVar[str] = "*"     # Character used as single-character wildcard
-    add_escaped: ClassVar[str] = "\\"    # Characters quoted in addition to wildcards and string quote
+    add_escaped: ClassVar[str] = ""    # Characters quoted in addition to wildcards and string quote
     filter_chars: ClassVar[str] = ""      # Characters filtered
     bool_values: ClassVar[Dict[bool, str]] = {   # Values to which boolean values are mapped.
         True: "$true",
@@ -122,7 +122,7 @@ class PowerShellBackend(TextQueryBackend):
     convert_and_as_in: ClassVar[bool] = True                    # Convert AND as in-expression
     in_expressions_allow_wildcards: ClassVar[bool] = False      # Values in list can contain wildcards. If set to False (default) only plain values are converted into in-expressions.
     field_in_list_expression: ClassVar[str] = "{field} {op} ({list})"  # Expression for field in list of values as format string with placeholders {field}, {op} and {list}
-    or_in_operator: ClassVar[str] = "in"               # Operator used to convert OR into in-expressions. Must be set if convert_or_as_in is set
+    or_in_operator: ClassVar[str] = "-in"               # Operator used to convert OR into in-expressions. Must be set if convert_or_as_in is set
     and_in_operator: ClassVar[str] = "contains-all"    # Operator used to convert AND into in-expressions. Must be set if convert_and_as_in is set
     list_separator: ClassVar[str] = ", "               # List element separator
 

sigma/pipelines/powershell/powershell.py

@@ -1,5 +1,5 @@
 from dataclasses import dataclass
-from sigma.pipelines.common import logsource_windows, windows_logsource_mapping
+from sigma.pipelines.common import logsource_windows, logsource_windows_network_connection, windows_logsource_mapping 
 from sigma.processing.conditions import IncludeFieldCondition, LogsourceCondition
 from sigma.processing.pipeline import ProcessingPipeline, ProcessingItem
 from sigma.processing.transformations import AddConditionTransformation, AddFieldnamePrefixTransformation, ChangeLogsourceTransformation, DetectionItemFailureTransformation, DropDetectionItemTransformation, FieldMappingTransformation, RuleFailureTransformation, SetStateTransformation, Transformation
@@ -24,14 +24,19 @@ def powershell_pipeline() -> ProcessingPipeline:
             ProcessingItem(
                 rule_condition_negation = True,
                 rule_conditions = [LogsourceCondition(product = "windows")],
-                transformation = RuleFailureTransformation(message = "Product not supported.")
+                transformation = RuleFailureTransformation(message = "Invalid logsource product.")
             )
         ] + [
             ProcessingItem(
-                rule_conditions = [logsource_windows(logsource)],
-                transformation = ChangeLogsourceTransformation(service = channel)
+                rule_conditions = [logsource_windows(logsource)], # if rule matches what is returned by logsource_windows func (e.g., product = windows, service = security)
+                transformation = ChangeLogsourceTransformation(service = channel) # change service value (e.g., sysmon) to channel value (e.g., Microsoft-Windows-Sysmon/Operational)
+            )
+            for logsource, channel in windows_logsource_mapping.items() # returns multiple kv pairs (service:channel mappings)
+        ] + [
+            ProcessingItem(
+                rule_conditions = [logsource_windows_network_connection()], # TODO: scale this so all sysmon event categories are covered
+                transformation = ChangeLogsourceTransformation(service = windows_logsource_mapping['sysmon']) 
             )
-            for logsource, channel in windows_logsource_mapping.items()
         ] + [
             ProcessingItem(
                 # field name conditions are evaluated against fields in detection items and in the component-level field list of a rule

tests/test_backend_powershell.py

@@ -99,7 +99,7 @@ def test_powershell_in_expression(powershell_backend: PowerShellBackend):
                         - valueC*
                 condition: sel
         """)
-    ) == ['Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldA -eq "valueA" -or $_.fieldA -eq "valueB" -or $_.fieldA -like "valueC*"}']
+    ) == ['Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldA -eq "valueA" -or $_.fieldA -eq "valueB" -or $_.fieldA.StartsWith("valueC")}']
     # TODO: 
     # achieve this ($_.fieldA -in ("valueA", "valueB") -or ($_.fieldA -like "valueC*")
     # would also involve re-writing how cidr expressions are converted
@@ -134,7 +134,7 @@ def test_powershell_cidr_query(powershell_backend: PowerShellBackend):
                     SourceAddress|cidr: 10.0.0.0/16
                 condition: sel
         """)
-    ) == ['Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 5156} | Read-WinEvent | Where-Object {$_.SourceAddress -like "10.0.*"}']
+    ) == ['Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 5156} | Read-WinEvent | Where-Object {$_.SourceAddress.StartsWith("10.0.")}']
 
 def test_powershell_field_name_with_whitespace(powershell_backend: PowerShellBackend):
     assert powershell_backend.convert(