From 7d1ac246fbfe3e683dab3cf7a6e134997f03da7a Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 8 Nov 2024 17:58:58 +0100
Subject: [PATCH 1/2] Empty string is not a valid regex
---
 sigma/processing/transformations.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/sigma/processing/transformations.py b/sigma/processing/transformations.py
index 51567316..43e12b8d 100644
--- a/sigma/processing/transformations.py
+++ b/sigma/processing/transformations.py
@@ -997,6 +997,11 @@ def __post_init__(self):
 def apply_string_value(self, field: str, val: SigmaString) -> Optional[SigmaString]:
 regex = ""
+
+ # empty string can not be convert into a simple regex
+ if val == "":
+ return val
+
 for sc in val.s: # iterate over all SigmaString components (strings and special chars)
 if isinstance(sc, str): # if component is a string
 if (
From 21feb6b83037f3a51dacd8222bd0dafe68b84f93 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sun, 10 Nov 2024 02:26:20 +0100
Subject: [PATCH 2/2] Test + fix of return type
---
 sigma/processing/transformations.py | 2 +-
 tests/test_processing_transformations.py | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/sigma/processing/transformations.py b/sigma/processing/transformations.py
index 43e12b8d..dcca74e5 100644
--- a/sigma/processing/transformations.py
+++ b/sigma/processing/transformations.py
@@ -1000,7 +1000,7 @@ def apply_string_value(self, field: str, val: SigmaString) -> Optional[SigmaStri
 # empty string can not be convert into a simple regex
 if val == "":
- return val
+ return SigmaRegularExpression("")
 for sc in val.s: # iterate over all SigmaString components (strings and special chars)
 if isinstance(sc, str): # if component is a string
diff --git a/tests/test_processing_transformations.py b/tests/test_processing_transformations.py
index fc0a4330..09dad813 100644
--- a/tests/test_processing_transformations.py
+++ b/tests/test_processing_transformations.py
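Review bot: The early return in `apply_string_value`, which the second patch leaves as `return SigmaRegularExpression("")`, turns an exact match on an empty value into an empty pattern, and any backend that evaluates regular expressions unanchored would then match every value of the field instead of only empty ones. How backends anchor these patterns is not visible in the hunk, so it is worth confirming before this transformation runs over rules that test for an empty field. At minimum the comment above the check should state the consequence, e.g. `# an empty value becomes an empty pattern; unanchored regex backends treat that as match-all`, which also replaces the ungrammatical "can not be convert". The signature shown as context still declares `-> Optional[SigmaString]` while this branch returns a `SigmaRegularExpression`, so the annotation looks stale unless that class is a `SigmaString` subtype. The body of the function continues outside both hunks.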
@@ -1544,6 +1544,13 @@ def test_regex_transformation_plain_method(dummy_pipeline):
 assert detection_item.value[0] == SigmaRegularExpression("\\\\te\\.st.*va.ue")
+def test_regex_transformation_empty_string(dummy_pipeline):
+ detection_item = SigmaDetectionItem("field", [], [SigmaString("")])
+ transformation = RegexTransformation(method="plain")
+ transformation.apply_detection_item(detection_item)
+ assert detection_item.value[0] == SigmaRegularExpression("")
+
+
 def test_regex_transformation_case_insensitive_bracket_method(dummy_pipeline):
 detection_item = SigmaDetectionItem("field", [], [SigmaString("\\tE.sT*val?ue")])
 transformation = RegexTransformation(method="ignore_case_brackets")
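Review bot: `test_regex_transformation_empty_string` covers only `method="plain"`, yet the empty-string check in `apply_string_value` sits before the component loop, so presumably `ignore_case_brackets` takes the same early return without a test. Parametrizing over both methods, e.g. `@pytest.mark.parametrize("method", ["plain", "ignore_case_brackets"])` with `RegexTransformation(method=method)`, would pin the result for each. A one-line docstring saying that an empty `SigmaString` is expected to become an empty regular expression would record the intended semantics for rule authors.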