SigmaHQ/sigma-specification

Search-Identifier, List and Map's Allowed Types

hanstzou opened this issue · 1 comment

The search-identifier spec defines the value types allowed in lists and maps, but it may need to be expanded.

Sigma_specification.md

By the current definition:

1. A search-identifier can hold (1) a list of strings, (2) a list of maps, or (3) a map.
2. The map, in turn, holds key-value pairs, where each key is a field and each value is (1) a string, (2) an integer, or (3) null (a special field value).

#### Search-Identifier
A definition that can consist of two different data structures - lists and maps.

#### Lists
Lists can contain:
* strings that are applied to the full log message and are linked with a logical 'OR'.
* maps (see below). All map items of a list are logically linked with 'OR'.

#### Maps
Maps (or dictionaries) consist of key/value pairs, in which the key is a field in the log data and the value is a string or integer value. All elements of a map are joined with a logical 'AND'.

#### Special Field Values
There are special field values that can be used.
* An empty value is defined with `''`
* A null value is defined with `null`

In addition, although not mentioned directly, there are examples showing that a map's value can also be a list that stores integers. Thus, I'd guess a map's value could also be 2.-(4): a list of strings, integers, or nulls.

    selection:
        EventLog: Security
        EventID:
            - 517
            - 1102
    condition: selection

Real-World Usages

The aforementioned summary/guess is extracted from the specification alone.
I checked some Sigma rules in the SigmaHQ/sigma repo as well, and found another usage.

In rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml#L23-L30 a search-id holds a list that contains an integer, making a usage of 1.-(4): a list of strings and integers.

    keywords:
        - 'POST'
        - 200
        - '/ecp/DDI/DDIService.svc/SetObject'

Are There More?

Will there be other types, say, booleans/floats/...?
For example, is a map like

detection:
    sample-search-id:
        some-field: false

considered valid?

Summary

In conclusion, the spec's type definition seems to be incomplete/inaccurate and may need updating.

Maybe we can consider defining the types as follows:

  1. A scalar: string/null/boolean/integer/floating point (as defined in the YAML spec).
  2. A search-identifier can hold (1) a list of scalars, (2) a list of maps, or (3) a map.
  3. A map holds key-value pairs, where each value can be (1) a scalar or (2) a list of scalars.

Agreed. Since boolean values are also explicitly allowed in pySigma, it makes sense.
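The three proposed rules above, turned into a small type checker as an added example. This is not code from the specification, from SigmaHQ/sigma or from pySigma; it is an illustration written for this page. It works on the already-parsed detection section (the Python objects a YAML loader such as `yaml.safe_load` produces), so the sample detection below is constructed inline as a dict rather than parsed from YAML, and it deliberately includes the cases discussed in the thread: a map whose field value is a list of integers, a keyword list mixing a string and an integer, a boolean field value, `null`/empty-string values, a list of maps, and one invalid list that mixes a map with a scalar. The function names `is_scalar`, `check_map`, `classify` and `check_detection` are assumptions for this example, as is treating `condition` and `timeframe` as the only non-search-identifier keys of a detection section.

```python
from typing import Any, Dict

# Rule 1: a scalar is a string, null, boolean, integer or floating point value.
# bool is a subclass of int in Python, but listing it keeps the intent explicit.
SCALAR_TYPES = (str, bool, int, float, type(None))


def is_scalar(value: Any) -> bool:
    """True for the YAML scalar types the proposal allows."""
    return isinstance(value, SCALAR_TYPES)


def check_map(value: dict) -> None:
    """Rule 3: every key is a field name (a string) and every value is a
    scalar or a non-empty list of scalars. Raises TypeError on a violation."""
    for field, field_value in value.items():
        if not isinstance(field, str):
            raise TypeError(f"field name must be a string, got {field!r}")
        if is_scalar(field_value):
            continue
        if (isinstance(field_value, list) and field_value
                and all(is_scalar(item) for item in field_value)):
            continue
        raise TypeError(
            f"field {field!r}: expected a scalar or a list of scalars, "
            f"got {field_value!r}")


def classify(value: Any) -> str:
    """Rule 2: classify a search-identifier value as 'list-of-scalars',
    'list-of-maps' or 'map'. A list that mixes maps and scalars, a nested
    list, an empty list or a bare scalar is rejected with TypeError."""
    if isinstance(value, dict):
        check_map(value)
        return "map"
    if isinstance(value, list):
        if not value:
            raise TypeError("search-identifier list must not be empty")
        if all(is_scalar(item) for item in value):
            return "list-of-scalars"
        if all(isinstance(item, dict) for item in value):
            for item in value:
                check_map(item)
            return "list-of-maps"
        raise TypeError("list must contain only scalars or only maps")
    raise TypeError(f"unsupported search-identifier value: {value!r}")


# Keys of a detection section that are not search-identifiers (assumption
# made for this example; the spec defines 'condition', 'timeframe' is common).
NON_SEARCH_KEYS = ("condition", "timeframe")


def check_detection(detection: dict) -> Dict[str, str]:
    """Classify every search-identifier in a detection section. Invalid
    entries are reported as 'invalid: <reason>' instead of raising, so one
    pass reports every problem in the rule."""
    report: Dict[str, str] = {}
    for name, value in detection.items():
        if name in NON_SEARCH_KEYS:
            continue
        try:
            report[name] = classify(value)
        except TypeError as exc:
            report[name] = f"invalid: {exc}"
    return report


# Constructed sample: the parsed form of a detection section built from the
# snippets quoted in this issue plus a few extra cases. Not a real rule.
SAMPLE_DETECTION = {
    "selection": {"EventLog": "Security", "EventID": [517, 1102]},
    "keywords": ["POST", 200, "/ecp/DDI/DDIService.svc/SetObject"],
    "sample-search-id": {"some-field": False},
    "special-values": {"CommandLine": None, "ParentImage": ""},
    "alternatives": [{"Image|endswith": "\\cmd.exe"},
                     {"Image|endswith": "\\powershell.exe"}],
    "mixed": [{"Image|endswith": "\\cmd.exe"}, "raw keyword"],  # invalid under rule 2
    "condition": "selection and keywords and not mixed",
}

if __name__ == "__main__":
    for name, verdict in check_detection(SAMPLE_DETECTION).items():
        print(f"{name}: {verdict}")
```

Running the block prints one verdict per search-identifier; everything from the thread classifies cleanly, while `mixed` is flagged because the proposal only allows a list whose members are all scalars or all maps.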