From 9a53210a7a3457bd7d8a5920b31ab3ad20b0ac2c Mon Sep 17 00:00:00 2001
From: a2tf <53866751+a2tf@users.noreply.github.com>
Date: Wed, 27 Nov 2019 12:06:52 +0000
Subject: [PATCH] 1st Version of collection transforming
---
 classes/DetectionRuleConverter.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/classes/DetectionRuleConverter.py b/classes/DetectionRuleConverter.py
index f20f316..1e02205 100644
--- a/classes/DetectionRuleConverter.py
+++ b/classes/DetectionRuleConverter.py
@@ -39,7 +39,24 @@ def addToSummaryIndex(search, sigma2splunkalertconfig, sigma_rule):
 @staticmethod
 def performSearchTransformation(transformations, search, sigma_rule):
 for trans in transformations:
-
+ # Search Transformation to combine collections with "OR"
+ if trans == "or_collections":
+ collectionsearch = ""
+ splitted = search.split("\n")
+ #search will only get changed if its collection (multiline)
+ if (len(splitted) > 2):
+ if (len(splitted[-1]) == 0): del splitted[-1] # delete last entry (empty line)
+ last = splitted[-1]
+ for line in splitted:
+ verticalindex = line.find("|")
+ if (verticalindex != -1):
+ collectionsearch = collectionsearch + line[:verticalindex]
+ else:
+ collectionsearch = collectionsearch + line
+ #dont "OR" the last line
+ if (line!=last):collectionsearch = collectionsearch + " OR "
+ search = collectionsearch + "\n" #readd the deleted new line at the end
+
 # Search Transformation to add whitelist in front of table or transforming command (for better whitelisting)
 if trans == "add_whitelist_in_front":
 file_name = sigma_rule["title"] + "_whitelist.csv"
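Review bot: Joining each line's base search with a bare ` OR ` (the `collectionsearch = collectionsearch + " OR "` line in the `or_collections` branch) changes the meaning of multi-term searches: Splunk evaluates OR before the implicit AND between adjacent terms, so `a b OR c d` is read as `a AND (b OR c) AND d` rather than `(a b) OR (c d)`, and the combined detection no longer fires on the same events the individual rules did. Each base search should be wrapped in parentheses before it is appended. The `if (line!=last)` check compares by value, so if an earlier line happens to be identical to the last one it silently gets no ` OR ` and two searches run together; comparing by position avoids that. Everything after the first `|` of every line is discarded, which looks intended but deserves a comment such as `# keep only the base search of each line; per-rule pipeline tails (| table, | stats ...) are dropped`. performSearchTransformation continues past the end of the hunk.
```python
# … unchanged: collectionsearch = "", splitted = search.split("\n"), len(splitted) > 2 guard and trailing-empty-line removal …
for idx, line in enumerate(splitted):
    verticalindex = line.find("|")
    base = line[:verticalindex] if verticalindex != -1 else line
    # Parenthesise each base search: Splunk evaluates OR before the implicit AND
    # between terms, so an unwrapped "a b OR c d" is not "(a b) OR (c d)".
    collectionsearch = collectionsearch + "(" + base.strip() + ")"
    # Compare by position, not value: a duplicate of the last line must still get its OR.
    if idx != len(splitted) - 1:
        collectionsearch = collectionsearch + " OR "
search = collectionsearch + "\n"  # re-add the newline removed above
```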