diff --git a/sigma/processing/transformations.py b/sigma/processing/transformations.py
index db953cbb..6f803f52 100644
--- a/sigma/processing/transformations.py
+++ b/sigma/processing/transformations.py
@@ -1171,8 +1171,12 @@ class NestedProcessingTransformation(Transformation):
 def __post_init__(self):
 from sigma.processing.pipeline import (
 ProcessingPipeline,
+ ProcessingItem,
 ) # TODO: move to top-level after restructuring code
+ self.items = [
+ i if isinstance(i, ProcessingItem) else ProcessingItem.from_dict(i) for i in self.items
+ ]
 self._nested_pipeline = ProcessingPipeline(items=self.items)
 @classmethod
diff --git a/tests/test_processing_transformations.py b/tests/test_processing_transformations.py
index daabe0c5..8a9fa7d9 100644
--- a/tests/test_processing_transformations.py
+++ b/tests/test_processing_transformations.py
@@ -47,6 +47,7 @@
 IncludeFieldCondition,
 RuleContainsDetectionItemCondition,
 RuleProcessingItemAppliedCondition,
+ rule_conditions,
 )
 from sigma.rule import SigmaLogSource, SigmaRule, SigmaDetection, SigmaDetectionItem
 from sigma.types import (
@@ -71,7 +72,6 @@
 RuleConditionFalse,
 RuleConditionTrue,
 TransformationAppend,
- inject_test_classes,
 )
@@ -1752,7 +1752,10 @@ def nested_pipeline_transformation():
 )
-def test_nested_pipeline_transformation_from_dict(nested_pipeline_transformation):
+def test_nested_pipeline_transformation_from_dict(nested_pipeline_transformation, monkeypatch):
+ monkeypatch.setitem(transformations, "append", TransformationAppend)
+ monkeypatch.setitem(rule_conditions, "true", RuleConditionTrue)
+ monkeypatch.setitem(rule_conditions, "false", RuleConditionFalse)
 assert (
 NestedProcessingTransformation.from_dict(
 {
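Review bot: In `NestedProcessingTransformation.__post_init__` (first hunk, sigma/processing/transformations.py) the new comprehension hands every entry that is not already a `ProcessingItem` to `ProcessingItem.from_dict` without checking that it is a mapping. Pipeline files are frequently taken from shared repositories, so a nested `items` entry that is a scalar, a list or null would most likely fail inside `from_dict` with a low-level exception that does not name the offending entry. I would convert in an explicit loop that keeps `ProcessingItem` instances, converts `dict` entries, and rejects anything else with the configuration exception this module uses (presumably `SigmaConfigurationError`; the module's imports are outside the hunk), including the entry's index in the message. The `from_dict` classmethod that follows begins at the hunk's last line, so whether it already converts `items` on its own cannot be seen here.

```python
# ... unchanged: local import of ProcessingPipeline and ProcessingItem ...
converted = []
for index, item in enumerate(self.items):
    if isinstance(item, ProcessingItem):
        converted.append(item)
    elif isinstance(item, dict):
        converted.append(ProcessingItem.from_dict(item))
    else:
        raise SigmaConfigurationError(
            f"Nested processing item {index} must be a mapping, got {type(item).__name__}"
        )
self.items = converted
self._nested_pipeline = ProcessingPipeline(items=self.items)
```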
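Review bot: The three `monkeypatch.setitem(...)` registrations added at the top of `test_nested_pipeline_transformation_from_dict` (hunk at -1752 in tests/test_processing_transformations.py) are repeated verbatim in `test_nested_pipeline_transformation_from_yaml` (hunk at -1774), so the registry setup now lives in two places. A small fixture that takes `monkeypatch` and performs the three `setitem` calls would keep it in one, with each test requesting it, e.g. `def test_nested_pipeline_transformation_from_dict(nested_pipeline_transformation, nested_test_classes):`. The `transformations` mapping being patched is not imported in any visible hunk, so it is presumably already imported by the test module. The body of the test continues past the end of the hunk.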
@@ -1774,6 +1777,37 @@ def test_nested_pipeline_transformation_from_dict(nested_pipeline_transformation ) +def test_nested_pipeline_transformation_from_yaml(nested_pipeline_transformation, monkeypatch): + monkeypatch.setitem(transformations, "append", TransformationAppend) + monkeypatch.setitem(rule_conditions, "true", RuleConditionTrue) + monkeypatch.setitem(rule_conditions, "false", RuleConditionFalse) + assert ( + ProcessingPipeline.from_yaml( + """ + name: Test + priority: 100 + transformations: + - type: nest + items: + - id: test + type: append + s: Test + rule_conditions: + - type: "true" + dummy: test-true + - type: "false" + dummy: test-false + rule_cond_op: or + """ + ) + == ProcessingPipeline( + name="Test", + priority=100, + items=[ProcessingItem(nested_pipeline_transformation)], + ) + ) + + def test_nested_pipeline_transformation_from_dict_apply( dummy_pipeline, sigma_rule, nested_pipeline_transformation ):
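Review bot: `test_nested_pipeline_transformation_from_yaml` exercises only a well-formed `items` list, so the conversion added to `__post_init__` has no test for an entry it cannot convert. A second case that passes `ProcessingPipeline.from_yaml` a `nest` transformation whose `items` holds a non-mapping entry (a bare string, say) and asserts the exception type with `pytest.raises(...)` would pin how a malformed pipeline file is reported. A one-line comment above the YAML literal would also help the next reader: `# "true"/"false" are quoted so YAML keeps them as strings, matching the rule_conditions keys patched above`.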