From ba0b9319f8bdab6dc75a3253121e1bb0375eda83 Mon Sep 17 00:00:00 2001
From: Vincent Ruello <5345986+vruello@users.noreply.github.com>
Date: Sun, 8 Dec 2024 10:06:12 +0000
Subject: [PATCH] Allow multiple fields in value_count

---
 json-schema/sigma-correlation-rules-schema.json | 17 ++++++++++++++---
 .../sigma-correlation-rules-specification.md | 2 ++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/json-schema/sigma-correlation-rules-schema.json b/json-schema/sigma-correlation-rules-schema.json
index bc20682..5dcd5a7 100644
--- a/json-schema/sigma-correlation-rules-schema.json
+++ b/json-schema/sigma-correlation-rules-schema.json
@@ -185,9 +185,20 @@
 },
 {
 "field": {
- "description": "Name of the field to count values",
- "type": "string",
- "maxLength": 256
+ "description": "Name of the field(s) to count values",
+ "anyOf": [
+ {
+ "type": "string",
+ "maxLength": 256
+ },
+ {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "maxLength": 256
+ }
+ }
+ ]
 }
 }
 ]
diff --git a/specification/sigma-correlation-rules-specification.md b/specification/sigma-correlation-rules-specification.md
index 46c9a9f..abab6a0 100644
--- a/specification/sigma-correlation-rules-specification.md
+++ b/specification/sigma-correlation-rules-specification.md
@@ -386,6 +386,8 @@ Counts values in a field defined by `field`. The resulting query must count field values separately for each group specified by group-by. The condition finally defines how many values must occur to generate a search hit.
+When you use multiple values in `field` they are linked by an **AND**.
+
 Requires:
 - `group-by`
 - `timespan`
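Review bot: The new array branch under `anyOf` has no lower bound on its length, so `"field": []` validates even though a value_count over no fields has no defined meaning (the specification text added in the second hunk only describes multiple values joined by AND). Adding `"minItems": 1` next to `"type": "array"` closes that gap, and `"uniqueItems": true` would additionally reject a repeated field name, which is redundant under an AND. Both are standard JSON Schema keywords and need no dialect change; an upper bound such as `"maxItems"` may also be worth considering since each item already carries `"maxLength": 256`. The array of alternatives that this `field` object belongs to starts before the hunk, so whether a sibling branch already constrains it is not visible here.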