diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 601a58fac..4c6801856 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -248,20 +248,15 @@ impl Detection {
                     continue;
                 }
                 for value in rule.judge_satisfy_aggcondition(stored_static) {
-                    if let CorrelationType::TemporalRef(_, uuid) = &rule.correlation_type {
+                    let mut output = false;
+                    if let CorrelationType::TemporalRef(generate, uuid) = &rule.correlation_type {
                         detected_temporal_refs
                             .entry(uuid.clone())
                             .or_insert_with(Vec::new)
                             .push(value.clone());
-                    } else {
-                        if CorrelationType::ValueCount == rule.correlation_type
-                            || CorrelationType::EventCount == rule.correlation_type
-                        {
-                            detected_temporal_refs
-                                .entry(rule.yaml["name"].as_str().unwrap_or_default().to_string())
-                                .or_insert_with(Vec::new)
-                                .push(value.clone());
-                        }
+                        output = *generate;
+                    }
+                    if output {
                         ret.push(Detection::create_agg_log_record(rule, value, stored_static));
                     }
                 }
diff --git a/src/detections/rule/correlation_parser.rs b/src/detections/rule/correlation_parser.rs
index abaab8c0a..0e1ba2fa8 100644
--- a/src/detections/rule/correlation_parser.rs
+++ b/src/detections/rule/correlation_parser.rs
@@ -354,10 +354,9 @@ fn parse_temporal_rules(
             .unwrap_or_default();
         let mut new_yaml = other_rule.yaml.clone();
         if other_rule.correlation_type != CorrelationType::None {
+            other_rule.correlation_type =
+                CorrelationType::TemporalRef(generate, ref_id.to_string());
             temporal_ref_ids.push(Yaml::String(ref_id.to_string()));
-            if !generate {
-                referenced_del_ids.insert(ref_id.to_string());
-            }
             continue;
         }
         let new_id = Uuid::new_v4().to_string();
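Review bot: Rules whose `correlation_type` is not `TemporalRef` no longer produce any output in this loop: `output` starts as `false` and is only ever assigned inside the `if let TemporalRef` arm, so the `ret.push(...)` at the bottom of the hunk is unreachable for every other correlation type, whereas the removed `else` branch pushed an aggregation record unconditionally. Unless the `continue` above the hunk already filters those rules out (that condition is outside the hunk), this silently drops detections for plain count/value-count rules, which is a detection gap rather than a visible error. If the intent is only to gate TemporalRef rules on their `generate` flag, initialising the flag as `let mut output = true;` restores the previous behaviour for all other rules. The enclosing loops and the method start before this hunk.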
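Review bot: The assignment `other_rule.correlation_type = CorrelationType::TemporalRef(generate, ref_id.to_string());` unconditionally overwrites whatever correlation type the referenced rule already had, including a `TemporalRef` set by an earlier temporal rule that references the same rule, so only the last referencing rule's id (and its `generate` flag) survives and earlier references stop being recorded in `detected_temporal_refs`. If a rule may legitimately be referenced by more than one temporal rule, this should either be rejected with a parse error or the condition should skip rules that are already a `TemporalRef`, e.g. `if let CorrelationType::TemporalRef(_, prev) = &other_rule.correlation_type { /* report that ref_id would supersede prev */ }`; at minimum a comment stating that a rule can be referenced at most once would document the assumption. The removed `referenced_del_ids.insert` also means any later code that still reads that set for non-generating rules will see it empty, which is worth confirming since that code is outside this hunk. `parse_temporal_rules` starts and ends outside the hunk.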