SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

Splunk backend seems to not support correlation rules #30

Closed IgorHrkswxryski closed 9 months ago

IgorHrkswxryski commented 9 months ago

Hi,

First of all, thanks for your amazing work!

I tried to convert the following correlation rule with sigma-cli and the Splunk backend:

title: Correlation - Multiple Failed Logins Followed by Successful Login
id: b180ead8-d58f-40b2-ae54-c8940995b9b6
status: experimental
description: Detects multiple failed logins by a single user followed by a successful login of that user
references:
    - https://reference.com
author: Florian Roth (Nextron Systems)
date: 2023/06/16
correlation:
  type: temporal_ordered
  rules:
    - multiple_failed_login
    - successful_login
  group-by:
    - User
  timespan: 10m
falsepositives:
    - Unlikely
level: high
---
title: Multiple failed logons
id: a8418a5a-5fc4-46b5-b23b-6c73beb19d41
description: Detects multiple failed logins within a certain amount of time
name: multiple_failed_login
correlation:
  type: event_count
  rules:
    - failed_login
  group-by:
    - User
  timespan: 10m
  condition:
    gte: 10
---
title: Single failed login
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
name: failed_login
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 529
      - 4625
  condition: selection
---
title: Successful login
id: 4d0a2c83-c62c-4ed4-b475-c7e23a9269b8
description: Detects a successful login
name: successful_login
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 528
      - 4624
  condition: selection

With the following command:

sigma convert -t splunk correlation_rule.yml -p splunk_cim/...

The returned exception is the following:

sigma.exceptions.SigmaLogsourceError: Sigma rule must have a log source in correlation_rule.yaml

Thanks in advance for your reply!

Cheers
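As an added example (not code from the issue, from pySigma or from the Splunk backend), a stdlib-only Python checker that mirrors the rule collection above as dicts and applies the distinction the reported error misses: a correlation rule references other rules by name and needs no logsource, while a plain detection rule does. The dict form of the rules and the list of checks are assumptions made for this example.

```python
import re

# Constructed copy of the issue's multi-document YAML as dicts, so this runs
# without PyYAML. Field names follow the Sigma correlation rule format.
RULES = [
    {"name": "failed_login", "logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"EventID": [529, 4625]}, "condition": "selection"}},
    {"name": "successful_login", "logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"EventID": [528, 4624]}, "condition": "selection"}},
    {"name": "multiple_failed_login", "correlation": {"type": "event_count",
     "rules": ["failed_login"], "group-by": ["User"], "timespan": "10m",
     "condition": {"gte": 10}}},
    {"title": "Correlation - Multiple Failed Logins Followed by Successful Login",
     "correlation": {"type": "temporal_ordered",
     "rules": ["multiple_failed_login", "successful_login"],
     "group-by": ["User"], "timespan": "10m"}},
]

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def timespan_seconds(spec: str) -> int:
    """Convert a Sigma timespan such as '10m' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    if not m:
        raise ValueError(f"bad timespan: {spec!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def check_collection(rules):
    """Return a list of problems found in a Sigma rule collection.
    Correlation rules may lack a logsource; detection rules may not."""
    by_name = {r["name"]: r for r in rules if "name" in r}
    problems = []
    for r in rules:
        label = r.get("name") or r.get("title", "<unnamed>")
        corr = r.get("correlation")
        if corr is None:
            if "logsource" not in r:
                problems.append(f"{label}: detection rule without logsource")
            continue
        # Every referenced rule must exist somewhere in the same collection.
        for ref in corr.get("rules", []):
            if ref not in by_name:
                problems.append(f"{label}: references unknown rule {ref!r}")
        if corr["type"] == "event_count" and "condition" not in corr:
            problems.append(f"{label}: event_count correlation needs a condition")
        if corr["type"] == "temporal_ordered" and len(corr.get("rules", [])) < 2:
            problems.append(f"{label}: temporal_ordered needs at least two rules")
        try:
            timespan_seconds(corr["timespan"])
        except (KeyError, ValueError) as e:
            problems.append(f"{label}: {e}")
    return problems
```

Running `check_collection(RULES)` on the issue's collection returns no problems, which is the point: the exception comes from the backend treating the correlation document as a detection rule, not from a defect in the rule itself.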

thomaspatzke commented 9 months ago

Soon this will be possible; there's already a branch with correlation support. I have to sort out some challenges with the CLI before releasing this.