Duplicate query when using multiple pipelines

[defensivedepth]

Ok, so if I run the following with no pipelines:

sigma convert -t eql --without-pipeline sigma/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml                                  

Parsing Sigma rules  [####################################]  100%

any where Payload:"*Get-Clipboard*"

Then, I add the windows-logsources pipeline:

sigma convert -t eql -p windows-logsources sigma/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml                               

Parsing Sigma rules  [####################################]  100%

any where (Channel like~ ("Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational")) and (EventID:4103 and Payload:"*Get-Clipboard*")

Finally, I add the ecs_windows pipeline:

sigma convert -t eql -p ecs_windows -p windows-logsources sigma/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml                

Parsing Sigma rules  [####################################]  100%

any where (winlog.channel like~ ("Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational")) and ((winlog.channel like~ ("Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational")) and (event.code:4103 and winlog.event_data.Payload:"*Get-Clipboard*"))

In that last one, is it expected that there is a duplicate search for winlog.channel?

[andurin]

@thomaspatzke Do you have an idea how to solve this?