remove correlation mandary for temporal rules

frack113 · frack113 · commit f0ff47e29a63 · 2026-02-05T06:40:27.000+01:00
diff --git a/json-schema/sigma-correlation-rules-schema.json b/json-schema/sigma-correlation-rules-schema.json
@@ -166,7 +166,7 @@
         {
           "if": { "properties": { "type": { "const": "temporal" } } },
           "then": {
-            "required": ["condition", "group-by", "rules", "timespan"],
+            "required": ["group-by", "rules", "timespan"],
             "properties": {
               "condition": { "type": "string" }
             }
@@ -175,7 +175,7 @@
         {
           "if": { "properties": { "type": { "const": "temporal_ordered" } } },
           "then": {
-            "required": ["condition", "group-by", "rules", "timespan"],
+            "required": ["group-by", "rules", "timespan"],
             "properties": {
               "condition": { "type": "string" }
             }
diff --git a/tests/schema/correlation/temporal.yml b/tests/schema/correlation/temporal.yml
@@ -9,4 +9,3 @@ correlation:
         - ComputerName
         - User
     timespan: 5m
-    condition: recon_cmd_a AND recon_cmd_b AND recon_cmd_c
diff --git a/tests/schema/correlation/temporal_condition.yml b/tests/schema/correlation/temporal_condition.yml
@@ -0,0 +1,12 @@
+title: Recon
+correlation:
+    type: temporal
+    rules:
+        - recon_cmd_a
+        - recon_cmd_b
+        - recon_cmd_c
+    group-by:
+        - ComputerName
+        - User
+    timespan: 5m
+    condition: recon_cmd_a AND recon_cmd_b AND recon_cmd_c
diff --git a/tests/schema/correlation/temporal_ordered.yml b/tests/schema/correlation/temporal_ordered.yml
@@ -9,4 +9,3 @@ correlation:
         - ComputerName
         - User
     timespan: 5m
-    condition: recon_cmd_a AND recon_cmd_b AND recon_cmd_c
diff --git a/tests/schema/correlation/temporal_ordered_condition.yml b/tests/schema/correlation/temporal_ordered_condition.yml
@@ -0,0 +1,12 @@
+title: Recon ordered
+correlation:
+    type: temporal_ordered
+    rules:
+        - recon_cmd_a
+        - recon_cmd_b
+        - recon_cmd_c
+    group-by:
+        - ComputerName
+        - User
+    timespan: 5m
+    condition: recon_cmd_a AND recon_cmd_b AND recon_cmd_c

Original file line number	Diff line number	Diff line change
`@@ -166,7 +166,7 @@`
`166`	`166`	`{`
`167`	`167`	`"if": { "properties": { "type": { "const": "temporal" } } },`
`168`	`168`	`"then": {`
`169`		`- "required": ["condition", "group-by", "rules", "timespan"],`
	`169`	`+ "required": ["group-by", "rules", "timespan"],`
`170`	`170`	`"properties": {`
`171`	`171`	`"condition": { "type": "string" }`
`172`	`172`	`}`
`@@ -175,7 +175,7 @@`
`175`	`175`	`{`
`176`	`176`	`"if": { "properties": { "type": { "const": "temporal_ordered" } } },`
`177`	`177`	`"then": {`
`178`		`- "required": ["condition", "group-by", "rules", "timespan"],`
	`178`	`+ "required": ["group-by", "rules", "timespan"],`
`179`	`179`	`"properties": {`
`180`	`180`	`"condition": { "type": "string" }`
`181`	`181`	`}`