From 01fcbeb2c10c17f248c6983c525a2fce3354f4b9 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 10 Nov 2024 17:26:29 +0100
Subject: [PATCH] Return a SigmaString if the regex is empty
---
 sigma/processing/transformations.py | 2 +-
 tests/test_processing_transformations.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sigma/processing/transformations.py b/sigma/processing/transformations.py
index d429cf1e..db953cbb 100644
--- a/sigma/processing/transformations.py
+++ b/sigma/processing/transformations.py
@@ -1000,7 +1000,7 @@ def apply_string_value(self, field: str, val: SigmaString) -> Optional[SigmaStri
 # empty string can not be convert into a simple regex
 if val == "":
- return SigmaRegularExpression("")
+ return val
 for sc in val.s: # iterate over all SigmaString components (strings and special chars)
 if isinstance(sc, str): # if component is a string
diff --git a/tests/test_processing_transformations.py b/tests/test_processing_transformations.py
index 09dad813..daabe0c5 100644
--- a/tests/test_processing_transformations.py
+++ b/tests/test_processing_transformations.py
@@ -1548,7 +1548,7 @@ def test_regex_transformation_empty_string(dummy_pipeline):
 detection_item = SigmaDetectionItem("field", [], [SigmaString("")])
 transformation = RegexTransformation(method="plain")
 transformation.apply_detection_item(detection_item)
- assert detection_item.value[0] == SigmaRegularExpression("")
+ assert detection_item.value[0] == SigmaString("")
 def test_regex_transformation_case_insensitive_bracket_method(dummy_pipeline):
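Review bot: The comment above the early return in `apply_string_value` no longer describes what the branch does, because it says an empty string cannot be converted but not that the value is now handed back as an unconverted `SigmaString`. After this change a detection item processed by the transformation can hold a mix of `SigmaString` and `SigmaRegularExpression` values, so any later pipeline step or backend that assumes only regular expressions come out of it has to tolerate the plain string; for detection rules that difference decides how the empty value is matched. I would state the contract on the branch, for example `# an empty string cannot be converted into a simple regex, so it is returned unchanged as a SigmaString`, and mention the mixed result in the method's docstring. The return annotation is cut off in the hunk header and the body continues outside the hunk, so whether the signature needs adjusting cannot be judged from here.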
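Review bot: The updated assertion in `test_regex_transformation_empty_string` pins the new behaviour only for `method="plain"` and only through `==`. The early return in `apply_string_value` appears to sit before the per-component loop, so the same result presumably holds for the other methods, and parametrizing this test over them would catch a later refactor that moves the check. Adding `assert isinstance(detection_item.value[0], SigmaString)` would make the type contract explicit instead of relying on how equality is defined between the two value classes.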