SigmaHQ / pySigma

Python library to parse and convert Sigma rules into queries (and whatever else you could imagine)

Bug: No `source` or `parent` field in condition with a specific sigma rule

Res260 opened this issue · comments

Steps to reproduce:

Use this rule:

title: indicator rule
id: fad282fb-0499-4d3f-9670-55cfc950e2dc
status: stable
level: critical
description: indicator rule
logsource:
  product: Crowdstrike_raw
detection:
  selection:
    QID: 'ProcessRollup2'
    Hostname: 'bitsadmin.exe'
  selection2:
    Hostname: 'bitss.exe'
  condition: selection or selection2
tags:
  - type.indicator

1. Put a breakpoint in TextQueryBackend (base.py) line 463 as shown here:
   [image]

2. Debug sigma-cli using this command: python -m sigma.cli.main convert --target splunk --pipeline sysmon --format default myrule.yml

3. See when you hit the breakpoint that the AND condition misses information:
   [image]

Expected result: the AND condition should have a parent and a source property that are not None.

I know it's weird but I need it for the backend I'm currently building.

Does my explanation make sense?
Thanks for your help :)

Understood 😉

Nice! If you tell me where to look I might have time to try and fix it :)

This would be great 😊

Basically, it's the parent attribute from the sigma.conditions.ParentChainMixin located here. This can be done by the included postprocess method of this mixin class or by custom code of the class that should be linked.

The Condition* classes should do it by the ConditionItem base class implementation of postprocess() in this part of the code, but somehow the attributes are not set or get lost afterwards.
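Added illustration (not pySigma's own code) of the parent/source linkage described above: a minimal stand-in for ParentChainMixin and the Condition* classes, plus a checker that walks the condition tree of the rule in the report and returns every node whose parent or source was never set, which is the symptom a backend author hits. Class and attribute names follow the thread; the tree-building functions and the checker are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Minimal stand-in for pySigma's ParentChainMixin / Condition* classes; not the library's code.
@dataclass
class ParentChainMixin:
    parent: Optional["ConditionItem"] = field(init=False, default=None, repr=False, compare=False)
    source: Optional[str] = field(init=False, default=None, compare=False)
    def postprocess(self, parent=None, source=None):
        self.parent = parent    # link to the enclosing node (None for the root)
        self.source = source    # the condition this node was parsed from
        return self

@dataclass
class ConditionFieldEqualsValue(ParentChainMixin):
    name: str
    value: str

@dataclass
class ConditionItem(ParentChainMixin):
    args: List[ParentChainMixin]

    def postprocess(self, parent=None, source=None):
        super().postprocess(parent, source)
        self.args = [arg.postprocess(self, source) for arg in self.args]  # link the whole subtree
        return self

class ConditionAND(ConditionItem): pass
class ConditionOR(ConditionItem): pass

def unlinked_nodes(node, is_root=True):
    """Return every node whose source, or (below the root) parent, is still None."""
    bad = [node] if node.source is None or (node.parent is None and not is_root) else []
    for child in getattr(node, "args", []):
        bad.extend(unlinked_nodes(child, is_root=False))
    return bad

def linked_tree():
    # Tree for the rule in the report: selection (AND of two fields) OR selection2.
    selection = ConditionAND([ConditionFieldEqualsValue("QID", "ProcessRollup2"),
                              ConditionFieldEqualsValue("Hostname", "bitsadmin.exe")])
    selection2 = ConditionAND([ConditionFieldEqualsValue("Hostname", "bitss.exe")])
    return ConditionOR([selection, selection2]).postprocess(source="selection or selection2")

def broken_tree():
    # Reproduces the symptom: the inner AND is rebuilt after postprocess, so its links are lost.
    tree = linked_tree()
    tree.args[0] = ConditionAND(tree.args[0].args)
    return tree
```

Running unlinked_nodes over a tree a backend receives is a quick way to tell whether the missing parent/source comes from the parser or from a later rebuild of a node.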

Alright, I got a fix working, just need to make sure with my employer I have permission to open a PR (lol), shouldn't be too long.