
fix: rule parse error when config/expand does not exist #1538

Merged
merged 1 commit into from
Dec 27, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Dec 26, 2024

@fukusuket fukusuket self-assigned this Dec 26, 2024
@fukusuket fukusuket added the bug Something isn't working label Dec 26, 2024
@fukusuket fukusuket added this to the 3.1 milestone Dec 26, 2024
@fukusuket
Collaborator Author

Yamato-Security/sigma-to-hayabusa-converter#33

No parse error in the rule folder with the expand rule.

./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r ~/Scripts/Python/sigma-to-hayabusa-converter/converted_sigma_rules_new -q -o timeline.csv
Start time: 2024/12/27 00:09
Total event log files: 598
Total file size: 139.2 MB

Loading detection rules. Please wait.

Excluded rules: 23

Deprecated rules: 214 (5.15%) (Disabled)
Experimental rules: 324 (7.79%)
Stable rules: 114 (2.74%)
Test rules: 3,719 (89.46%)
Unsupported rules: 42 (1.01%) (Disabled)

Expand rules: 0 (0.00%)
Enabled expand rules: 0 (0.00%)

Sigma rules: 4,157
Total detection rules: 4,157

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 580
Detection rules enabled after channel filter: 4,108

Output profile: standard

Scanning in progress. Please wait.

[00:00:06] 580 / 580   [========================================] 100%

Scanning finished. Please wait while the results are being saved.
Rule Authors:

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Florian Roth (178)                 Nasreddine Bencherchali (122)     oscd.community (108)              frack113 (91)                   │
│ Tim Shelton (31)                   Daniil Yugoslavskiy (23)          Jonhnathan Ribeiro (22)           Teymur Kheirkhabarov (21)       │
│ Thomas Patzke (20)                 Christian Burkard (17)            Markus Neis (16)                  Timur Zinniatullin (14)         │
│ Roberto Rodriguez @Cyb3r... (14)   Roberto Rodriguez (13)            Tim Rauch (12)                    E.M. Anhaus (12)                │
│ Elastic (12)                       Michael Haag (11)                 Samir Bousseaden (11)             Swachchhanda Shrawan Poudel (9) │
│ OTR (9)                            Victor Sergeev (8)                Natalia Shornikova (7)            Endgame) (7)                    │
│ David ANDRE (6)                    JHasenbusch (6)                   Ecco (6)                          Endgame (6)                     │
│ X__Junior (6)                      omkar72 (5)                       Sander Wiebing (5)                Arnim Rupp (5)                  │
│ Andreas Hunkeler (4)               Tobias Michalski (4)              Zach Mathis (4)                   Gleb Sukhodolskiy (4)           │
│ @neu5ron (4)                       Max Altgelt (4)                   FPT.EagleEye Team (3)             wagga (3)                       │
│ @twjackomo (3)                     Daniel Bohannon (3)               Janantha Marasinghe (3)           Austin Songer @austinsonger (3) │
│ pH-T (3)                           Wojciech Lesicki (3)              Vasiliy Burov (3)                 FPT.EagleEye (3)                │
│ Ilyas Ochkov (3)                   Nikita Nazarov (3)                Christopher Peacock @sec... (3)   juju4 (3)                       │
│ Anton Kutepov (3)                  James Pemberton@4A616D6573 (3)    Hieu Tran (3)                     Justin C. (2)                   │
│ Yassine Oukessou (2)               Modexp (2)                        Harish Segar (2)                  Alexandr Yampolskyi (2)         │
│ Romaissa Adjailia (2)              Oleg Kolesnikov @securon... (2)   @dreadphones (2)                  Perez Diego (2)                 │
│ Karneades (2)                      elhoim (2)                        Tony Lambert (2)                  Sean Metcalf (2)                │
│ Mark Woan (2)                      Cyb3rEng (2)                      Nik Seetharaman (2)               D3F7A5105 (2)                   │
│ Tom Ueltschi (2)                   SCYTHE @scythe_io (2)             @SBousseaden (2)                  Bartlomiej Czyz (2)             │
│ Hosni Mribah (2)                   SOC Prime (2)                     James Pemberton@4A616D65... (2)   Aleksey Potapov (2)             │
│ @2xxeformyshirt (2)                keepwatch (2)                     Dimitrios Slamaris (2)            Tony Lambert) (2)               │
│ Sreeman (2)                        Mark Russinovich (2)              Jakob Weinzettl (2)               Chakib Gzenayi (2)              │
│ Zach Stanford @svch0st (2)         Vadim Khrykov (2)                 Relativity (2)                    Ahmed Farouk (1)                │
│ @kostastsale (1)                   Andreas Braathen (1)              @atc_project (1)                  Subhash Popuri (1)              │
│ Open Threat Research (1)           Stephen Lincoln `@slinco... (1)   fuzzyf10w (1)                     Benjamin Delpy (1)              │
│ Stamatis Chatzimangou (1)          Teymur Kheirkhabarov @He... (1)   blueteam0ps (1)                   Nextron Systems (1)             │
│ Georg Lauenstein (1)               James Dickenson (1)               Christopher Peacock @Sec... (1)   David Strassegger (1)           │
│ Daniel Koifman (1)                 Sami Ruohonen (1)                 Scott Dermott (1)                 NVISO (1)                       │
│ Julia Fomina (1)                   Bartlomiej Czyz @bczyz1 (1)       j4son (1)                         SBousseaden (1)                 │
│ Center for Threat Inform... (1)    Dave Kennedy (1)                  KevTheHermit (1)                  Maxime Thiebaut (1)             │
│ Dmitriy Lifanov (1)                Furkan CALISKAN (1)               Fatih Sirin (1)                   Alec Costello (1)               │
│ Jeff Warren (1)                    Mangatas Tondang (1)              Tom U. @c_APT_ure (1)             @signalblur (1)                 │
│ mdecrevoisier (1)                  Dominik Schaudel (1)              Sorina Ionescu (1)                @juju4 (1)                      │
│ SCYTHE (1)                         Joseliyo Sanchez (1)              @oscd_initiative (1)              Sherif Eldeeb (1)               │
│ Kutepov Anton (1)                  Semanur Guneysu @semanurtg (1)    Tuan Le (1)                       @scythe_io (1)                  │
│ MalGamy (1)                        Maxim Pavlunin (1)                Matt Anderson (1)                 Josh Nickels (1)                │
│ Bhabesh Raj (1)                    CD_ROM_ (1)                       Matthew Green @mgreen27 (1)       @Joseliyo_Jstnk (1)             │
│ Pushkarev Dmitry (1)               Austin Songer (1)                 vburov (1)                        Tom Kern (1)                    │
│ EagleEye Team (1)                  Jose Rodriguez (1)                Trent Liffick (1)                 Cedric MAURUGEON (1)            │
│ Maxence Fossat (1)                 Jason Lynch (1)                   Anish Bogati (1)                  Timon Hackenjos (1)             │
│ John Lambert (1)                   Zaw Min Htun (1)                  Jack Croock (1)                   Margaritis Dimitrios (1)        │
│ Ivan Dyachkov (1)                  Omer Faruk Celik (1)              David Burkett (1)                 @gott_cyber (1)                 │
│ Mustafa Kaan Demir (1)             Chad Hudson (1)                   @svch0st (1)                      James Pemberton @4A616D6573 (1) │
│ Swisscom CSIRT (1)                 Markus Neis @Karneades (1)        Ali Alwashali (1)                 Oddvar Moe (1)                  │
│ Dan Beavin) (1)                    @caliskanfurkan_ (1)                                                                                │
╰──────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╯

Results Summary:

Events with hits / Total events: 5,927 / 46,233 (Data reduction: 40,306 events (87.18%))

Total | Unique detections: 7,599 | 560
Total | Unique critical detections: 47 (0.62%) | 19 (0.00%)
Total | Unique high detections: 5,050 (66.46%) | 245 (0.71%)
Total | Unique medium detections: 1,393 (18.33%) | 218 (13.21%)
Total | Unique low detections: 1,014 (13.34%) | 74 (38.93%)
Total | Unique informational detections: 95 (1.25%) | 4 (43.75%)

Dates with most total detections:
critical: 2019-07-19 (12), high: 2016-09-20 (3,634), medium: 2019-05-19 (167), low: 2021-11-03 (244), informational: 2020-08-02 (69)

Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (8), srvdefender01.offsec.lan (2), DESKTOP-PIU87N6 (1), WIN10-client01.offsec.lan (1), rootdc1.offsec.lan (1)
high: MSEDGEWIN10 (95), IEWIN7 (57), FS03.offsec.lan (21), fs03vuln.offsec.lan (19), IE10Win7 (19)
medium: MSEDGEWIN10 (81), IEWIN7 (53), FS03.offsec.lan (21), fs03vuln.offsec.lan (18), rootdc1.offsec.lan (15)
low: MSEDGEWIN10 (34), IEWIN7 (18), FS03.offsec.lan (16), fs03vuln.offsec.lan (14), srvdefender01.offsec.lan (11)
informational: srvdefender01.offsec.lan (1), DESKTOP-TTEQ6PR (1), 02694w-win10.threebeesco.com (1), WIN-77LTAPHIQ1R.example.corp (1), IE8Win7 (1)

╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                         Top high alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Sticky Key Like Backdoor Usage - Registry (8)                Metasploit SMB Authentication (3,562)            │
│ CobaltStrike Service Installations - System (6)              PowerShell Scripts Installed as Services (250)   │
│ Active Directory Replication from Non Machine Account (6)    Suspicious Service Installation Script (250)     │
│ WannaCry Ransomware Activity (4)                             Suspicious Child Process Of SQL Server (70)      │
│ HackTool - Dumpert Process Dumper Default File (3)           Malicious PowerShell Scripts - PoshModule (64)   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                           Top low alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Remote Thread Creation Via PowerShell (93)                   Non Interactive PowerShell Process Spawned (326) │
│ Remote Thread Creation In Uncommon Target Image (93)         User with Privileges Logon (179)                 │
│ Potentially Suspicious CMD Shell Output Redirect (71)        CMD Shell Output Redirect (98)                   │
│ WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript (62)   Unauthorized System Time Modification (44)       │
│ Pass the Hash Activity 2 (48)                                Windows Event Auditing Disabled (42)             │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Suspicious High IntegrityLevel Conhost Legacy Option (71)    n/a                                              │
│ VSSAudit Security Event Source Registration (20)             n/a                                              │
│ Windows Spooler Service Suspicious Binary Load (2)           n/a                                              │
│ Suspicious Tasklist Discovery Command (2)                    n/a                                              │
│ n/a                                                          n/a                                              │
╰────────────────────────────────────────────────────────────╌──────────────────────────────────────────────────╯

Saved file: timeline.csv (7.2 MB)

Elapsed time: 00:00:07.2222

@fukusuket fukusuket marked this pull request as ready for review December 26, 2024 15:11
@YamatoSecurity YamatoSecurity self-requested a review December 27, 2024 01:17
Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket LGTM! Thanks!

@YamatoSecurity YamatoSecurity merged commit e23c9f0 into main Dec 27, 2024
9 checks passed
@fukusuket fukusuket deleted the 1537-fix-expand-rule-parse-error branch January 11, 2025 00:57
Labels
bug Something isn't working
Development

Successfully merging this pull request may close these issues.

[bug] rule parse error occurs when config/expand folder does not exist
2 participants