Convert esql correlation rule fail no attribute get_conversion_states

[frack113]

I get an error every time I try to convert a correlation rule sigma convert -t esql -p sysmon win_susp_failed_hidden_share_mount2.yaml

for state in rule_reference.rule.get_conversion_states()
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'SigmaRule' object has no attribute 'get_conversion_states'. Did you mean: 'get_conversion_result'?

the rule

title: Failed Mounting of Hidden Share
name: sigma_rule_mounting_hidden
logsource:
    product: windows
    service: smbclient-security
detection:
    selection:
        EventID: 31010
        ShareName|endswith: '$'
    condition: selection
---
title: Failed Mounting of Hidden Share
author: Fabian Franz
correlation:
    type: event_count
    rules:
        - sigma_rule_mounting_hidden
    group-by:
        - Computer
    timespan: 1m
    condition:
        gt: 10
level: medium

With splunk

EventID=31010 ShareName="*$"
| bin _time span=1m
| stats count as event_count by _time Computer
| search event_count > 10

[vbrevet]

I have the same issue, I think this is due to an incompability with pySigma version 0.11.3 and the plugin need to be bump with the new version in 0.11.5 to work.

The change has been introduce in this commit -> https://github.com/SigmaHQ/pySigma/commit/8fdbffccc3f36d2e73189e87e5bc7048e4fe78e7

[thomaspatzke]

I've tried it with a fresh Sigma CLI an backend/pipelines installed and it worked:

Parsing Sigma rules  [####################################]  100%
from * | where EventID==31010 and ends_with(ShareName, "$")
| eval timebucket=date_trunc(1minutes, @timestamp) | stats event_count=count() by timebucket, Computer
| where event_count > 10

I guess @vbrevet is on the right track!

[frack113]

I forget I have open it . As It works with sigma-cli 1.0.2 , it can be close.

[vbrevet]

@thomaspatzke thanks for the quick fix