SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

Convert correlation in savedsearches mode #41

Open IgorHrkswxryski opened 1 month ago

IgorHrkswxryski commented 1 month ago

Hi,

I am trying to convert the following correlation rule:

title: Multiple failed logons
id: a8418a5a-5fc4-46b5-b23b-6c73beb19d41
description: Detects multiple failed logins within a certain amount of time
name: multiple_failed_login
correlation:
  type: event_count
  rules:
    - failed_login
  group-by:
    - User
  timespan: 10m
  condition:
    gte: 10
---
title: Single failed login
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
name: failed_login
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 529
      - 4625
  condition: selection

With the following piece of code:

from sigma.collection import SigmaCollection
from sigma.backends.splunk import SplunkBackend
from sigma.pipelines.splunk import splunk_windows_pipeline

import yaml

# Load both YAML documents from the file: the correlation rule and the
# detection rule it references (separated by "---").
with open("/home/user/correl_rule/test.yml", "r") as stream:
    sigma_rule_yaml = list(yaml.load_all(stream, yaml.FullLoader))

pipeline = splunk_windows_pipeline()
backend = SplunkBackend(pipeline)

# Re-serialise the documents and parse them as one Sigma collection,
# then convert the collection in savedsearches output mode.
rule = SigmaCollection.from_yaml(yaml.dump_all(sigma_rule_yaml))
result = backend.convert(rule, "savedsearches")

print(result)

The result is the following:

[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now

[Single failed login]
description = 
search = source="WinEventLog:Security" EventCode IN (529, 4625)

| bin _time span=10m
| stats count as event_count by _time User

| search event_count >= 10

I would like to know why the stanza name is not the correlation rule's name but the detection rule's. The same goes for the description, etc.

Thank you in advance!

Cheers
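The following is an added regression check, not code from the issue or from pySigma-backend-splunk: it parses savedsearches-style output into stanzas (treating non `key = value` lines as continuations of the SPL search, which is how the pasted output above is split), then reports correlation rule titles that never became a stanza and detection rule titles that did. Run against the output pasted in the issue, it flags exactly the mismatch the reporter describes: the stanza is named after the detection rule while its search holds the correlation's `stats`/`event_count` pipeline. The sample text and the expected title sets are taken from the issue; the function names and the parsing rules are assumptions of this example, not the backend's own API.

```python
import re

# Constructed sample: the savedsearches output pasted in the issue above,
# and the rule titles from the two YAML documents in the collection.
SAVEDSEARCHES_OUTPUT = """[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now

[Single failed login]
description = 
search = source="WinEventLog:Security" EventCode IN (529, 4625)

| bin _time span=10m
| stats count as event_count by _time User

| search event_count >= 10
"""

CORRELATION_TITLES = {"Multiple failed logons"}   # rules expected to become stanzas
DETECTION_TITLES = {"Single failed login"}        # referenced rules, not expected as stanzas

_STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
_KEY_RE = re.compile(r"^([A-Za-z][\w.]*)\s*=\s?(.*)$")


def parse_savedsearches(text):
    """Parse savedsearches.conf-style text into {stanza: {key: value}}.

    Lines that are neither a stanza header nor `key = value` are appended to
    the previous value (the pasted output splits the SPL search across several
    lines); blank lines are skipped and a trailing backslash is stripped.
    """
    stanzas = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = _STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:
            raise ValueError(f"content before first stanza: {line!r}")
        m = _KEY_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).rstrip("\\").rstrip()
            continue
        if last_key is None:
            raise ValueError(f"continuation without a key: {line!r}")
        current[last_key] += " " + line.strip().rstrip("\\").rstrip()
    return stanzas


def holds_correlation_search(stanza):
    """True when a stanza's SPL carries the event_count aggregation, i.e. the
    correlation search was emitted under this stanza name."""
    search = stanza.get("search", "")
    return "| stats count as event_count" in search and "| search event_count" in search


def check_correlation_stanzas(conf, correlation_titles, detection_titles):
    """Report correlation titles with no stanza and detection titles that got one."""
    stanzas = {name for name in conf if name != "default"}
    return {
        "missing": sorted(correlation_titles - stanzas),
        "unexpected": sorted(stanzas & detection_titles),
    }


if __name__ == "__main__":
    conf = parse_savedsearches(SAVEDSEARCHES_OUTPUT)
    report = check_correlation_stanzas(conf, CORRELATION_TITLES, DETECTION_TITLES)
    print("missing stanzas:   ", report["missing"])
    print("unexpected stanzas:", report["unexpected"])
    for name in report["unexpected"]:
        if holds_correlation_search(conf[name]):
            print(f"stanza [{name}] holds the correlation search under the detection rule's name")
```

The check is intentionally independent of pySigma so it can run in CI over whatever `backend.convert(..., "savedsearches")` produced and fail the build if a correlation rule's title is missing from the stanza list.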

thomaspatzke commented 2 weeks ago

Looks like a bug to me!