Sigma rules with null values in detection fields can't be created

[Jorgesnchz]

Description

Sigma rules that use null values in detection fields to match the absence of a field or an empty value, are not being correctly processed, these rules return a 500 Internal Server Error:

Example rule detection block:

{
  "detection": {
    "condition": "all of selection_* and not 1 of filter_optional_*",
    "selection": {
      "event.code": 4624
    },
    "filter_optional_localhost": {
      "process.command_line|contains": null
    }
  }
}

Current error:

{
  "message": "Error in Security Analytics. {\"SigmaDetectionError\":\"Sigma rule must have a detection definitions\"}",
  "status": 500
}

Functional requirements

• Investigate and decide on one of the following strategies:
  1. Support null values: Translate null into the appropriate query (e.g., a must_not exists query) so the rule works as intended
  2. Reject with a clear 400 error: If null values are not going to be supported, return a 400 Bad Request with a descriptive message indicating which fields have null values, instead of the current 500
• Regardless of the chosen strategy, the plugin must not return a 500 for this case, it should be a 400

Implementation restrictions

• If option 1 (support) is chosen, ensure the generated OpenSearch query correctly represents the Sigma null semantics (field does not exist or is empty).
• If option 2 (reject) is chosen, the error message must clearly state which fields contain null values.

Plan

• Investigate if the current code supports null values used with a different format
• Decide on the handling strategy (support / reject)
• Implement the chosen strategy
• Ensure the plugin does not return 500 for rules with null detection values
• Add tests covering null value scenarios

[AlexRuiz7]

I think we can obtain the same result using Sigma's "exists" modifier. In that case, we'll need to add support for this modifier.

See:

• Missing Sigma modifiers #173