Placeholder value modifier `expand` not recognized

Open • r0ot opened this issue 1 year ago • 0 comments

The Sigma language supports a value modifier called `expand` that allows dynamic, environment-specific values to be populated through a translation pipeline. See the blog.sigmahq.io writeup here.

When a Sigma rule with this logic is attempted to be translated by Uncoder, the following error message is received: `Unexpected error. Unexpected token type: expand.` (Example Sigma rule file: https://github.com/SigmaHQ/sigma/blob/master/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml)

It doesn't seem to matter which output format Uncoder is instructed to use.

Does Uncoder currently support this and I'm just doing it wrong? If so, is there documentation for it that I can't find? If not, are there plans to implement it?

r0ot, Jun 26 '24 15:06
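What the `expand` modifier asks a translation pipeline to do, as an added example (not code from Uncoder, pySigma or the linked rule): a pre-processing pass that replaces `%name%` placeholders with environment-supplied values and drops `expand` from the field key. The field names, the placeholder name and the values are constructed for illustration, and the detection section is assumed to be already parsed from YAML.

```python
import re

PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")

def expand_value(value, env):
    """Return every concrete value a single rule value expands to."""
    if not isinstance(value, str):
        return [value]
    names = list(dict.fromkeys(PLACEHOLDER.findall(value)))
    missing = [n for n in names if n not in env]
    if missing:  # fail closed: never emit a query with a raw %placeholder%
        raise KeyError(f"no values defined for placeholder(s): {missing}")
    results = [value]
    for name in names:
        results = [r.replace(f"%{name}%", str(v)) for r in results for v in env[name]]
    return results

def resolve_expand(node, env):
    """Recursively rewrite a parsed detection section, resolving `|expand` keys."""
    if isinstance(node, list):
        return [resolve_expand(item, env) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        field, *mods = key.split("|")
        if "expand" not in mods:
            out[key] = resolve_expand(value, env)
            continue
        values = value if isinstance(value, list) else [value]
        expanded = [e for v in values for e in expand_value(v, env)]
        # Keep other modifiers (e.g. contains) but drop expand itself.
        new_key = "|".join([field] + [m for m in mods if m != "expand"])
        out[new_key] = expanded[0] if len(expanded) == 1 else expanded
    return out

# Constructed sample: the detection section of a rule after YAML parsing.
DETECTION = {
    "selection": {"Operation": ["Add user", "Delete user"], "Status": "Success"},
    "filter": {"InitiatedBy|expand": "%approved_admins%"},
    "condition": "selection and not filter",
}
# Constructed environment values a pipeline would supply.
ENV = {"approved_admins": ["alice@example.com", "bob@example.com"]}

if __name__ == "__main__":
    print(resolve_expand(DETECTION, ENV))
```

An undefined placeholder raises `KeyError` instead of passing the literal `%name%` string through, so a rule can never be deployed with an unresolved allow-list.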