Merge pull request #163 from vruello/multiple_fields_value_count

Allow multiple fields in value_count
SigmaHQ · Mar 4, 2025 · fd5497d · fd5497d
2 parents 69d0eda + ba0b931
commit fd5497d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/json-schema/sigma-correlation-rules-schema.json b/json-schema/sigma-correlation-rules-schema.json
@@ -185,9 +185,20 @@
             },
             {
               "field": {
-                "description": "Name of the field to count values",
-                "type": "string",
-                "maxLength": 256
+                "description": "Name of the field(s) to count values",
+                "anyOf": [
+                  {
+                    "type": "string",
+                    "maxLength": 256
+                  },
+                  {
+                    "type": "array",
+                    "items": {           
+                      "type": "string",
+                      "maxLength": 256
+                    }
+                  }
+                ]                
               }
             }
           ]

diff --git a/specification/sigma-correlation-rules-specification.md b/specification/sigma-correlation-rules-specification.md
@@ -386,6 +386,8 @@ Counts values in a field defined by `field`.
 The resulting query must count field values separately for each group specified by group-by.
 The condition finally defines how many values must occur to generate a search hit.
 
+When you use multiple values in `field` they are linked by an **AND**.
+
 Requires:
   - `group-by`
   - `timespan`