[BUG] Importing a Sigma rule with count() aggregation returns an error

[xeniatup]

What is the bug?
Importing a rule with aggregation throws an error.

It looks like `count()` is not supported, and OpenSearch requires `count(*)`, which is not consistent with Sigma syntax.

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Go to 'http://localhost:5601/app/opensearch_security_analytics_dashboards#/import-rule'
2. Click on 'Create rule'
3. Switch to YAML editor
4. Paste the rule
5. Select "Create detection rule"
6. See error

What is the expected behavior?
Ideally OpenSearch should convert Sigma into a valid detection rule behind the scenes when the difference in syntax is known.

[amsiglan]

@sbcd90 Feel free to close this if it's a duplicate

[engechas]

Potentially related to the issue that was fixed by #789

@sbcd90 can you confirm this is the same issue?

[givilleneuve]

Hi everyone, not sure if anyone run into this issue. but when using the clause similar to this one, count(), it still fails on version 2.13. Unless I count by a field. For example, count(source.ip) > 6.

[sbcd90]

hi @givilleneuve , please use count(*)

[givilleneuve]

Thank you @sbcd90 , I was able to create it. I will perform a few more tests. Thank you,

[givilleneuve]

@sbcd90, not sure if you have this answer on top of the head, but using the count and timeframe, would it be based on the detector detection or the timeframe set on the sigma?

For example, for brute force detection: condition: selection1 and selection2 | count (*) by source.ip > 3
selection2:
event.outcome:
- failure
selection1:
event.type|all:
- authentication_failure
timeframe:

• 3m
  Would it look for the events and count in the past 3m or will it rely on the detector that contains this rule?