tweak: set groups to true for aggregates so we don't miss data

Due to how mappings work we can't easily tell without a lot of preprocessing what is an aggregation rule and what is not plus we would then be inconsistent. So now we default that to true.
wawawao · Jul 5, 2022 · f124c82 · f124c82
1 parent 7fbfbf0
commit f124c82
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 4 deletions.
diff --git a/src/cli.rs b/src/cli.rs
@@ -141,7 +141,6 @@ pub fn print_detections(
             .entry(&hunt.group)
             .or_insert((vec![], HashSet::new()));
         // NOTE: We only support count in aggs atm so we can inject that value in...!
-        // NOTE: This will not work for sigma based aggs...
         if hunt.is_aggregation() {
             (*headers).0.push("count".to_owned());
             (*headers).1.insert("count".to_owned());

diff --git a/src/hunt.rs b/src/hunt.rs
@@ -351,10 +351,10 @@ pub struct Hunt {
 
 impl Hunt {
     pub fn is_aggregation(&self) -> bool {
-        if let HuntKind::Rule { aggregate, .. } = &self.kind {
-            return aggregate.is_some();
+        match &self.kind {
+            HuntKind::Group { .. } => true,
+            HuntKind::Rule { aggregate, .. } => aggregate.is_some(),
         }
-        false
     }
 }