Describe the bug
As far as I can tell every detection with a join failed to translate properly to your dev/endpoint/ sigma collection.
According to this search there are 60 rules using joins.
Here is one example:
SPL: https://github.com/splunk/security_content/blob/f6882b10686ba9ba0d5e58ab2a2d3add636c57f7/detections/endpoint/batch_file_write_to_system32.yml
Sigma: https://github.com/splunk/security_content/blob/f6882b10686ba9ba0d5e58ab2a2d3add636c57f7/dev/endpoint/batch_file_write_to_system32.yml
Expected behavior
For the example above I would create the following Sigma.
```yaml
data_source:
  - Sysmon Event ID 11
search:
  selection1:
    TargetFilename|contains: .bat
  selection2:
    TargetFilename|contains:
      - system32
      - syswow64
  condition: selection1 AND selection2
```
I'm not sure if this would be an acceptable change since it's not going off the Endpoint Data Model like the original rule. If this is acceptable let me know and I would be happy to work on a PR to get these Sigma rules updated.
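To make the proposed selections concrete, here is an added example that is not code from the issue or from the splunk/security_content project. It evaluates the two selections the way a Sigma backend would interpret them (a list of values under one field is an OR, `|contains` is a case-insensitive substring test) over a handful of constructed Sysmon Event ID 11 records. The `evaluate`/`rule_matches` helpers, the sample events, and the `TIGHTER` variant using `|endswith` are all assumptions introduced for illustration; the `endswith` variant is an editorial suggestion, not something the issue proposes.

```python
# Added example (not from the issue or the splunk/security_content repo):
# evaluate the proposed Sigma-style selections over constructed Sysmon
# Event ID 11 (FileCreate) records, the way a Sigma backend would.

# Constructed sample events (not real telemetry); only the fields the rule needs.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\cleanup.bat"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\SysWOW64\update.BAT"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Desktop\notes.bat"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\Tasks\batch.batman"},
    {"EventID": 1,  "TargetFilename": r"C:\Windows\System32\evil.bat"},  # not a FileCreate event
]

# The selections from the proposed rule. A list under one field is an OR,
# and |contains is a case-insensitive substring test in Sigma.
PROPOSED = {
    "selection1": {"TargetFilename|contains": [".bat"]},
    "selection2": {"TargetFilename|contains": ["system32", "syswow64"]},
}

# Hypothetical tighter variant (editorial suggestion, not part of the issue):
# |endswith turns the first selection into an extension check rather than a
# substring hit anywhere in the path.
TIGHTER = {
    "selection1": {"TargetFilename|endswith": [".bat"]},
    "selection2": {"TargetFilename|contains": ["system32", "syswow64"]},
}


def field_matches(event, field_spec, values):
    """Apply one 'field|modifier' spec to an event; any listed value may match (OR)."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in values]
    if modifier == "contains":
        return any(v in actual for v in wanted)
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "":
        return actual in wanted
    raise ValueError(f"unsupported modifier: {modifier!r}")


def selection_matches(event, selection):
    """Every field spec inside one selection must match (AND)."""
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


def rule_matches(event, selections):
    """data_source restricts to Sysmon Event ID 11; condition is selection1 AND selection2."""
    if event.get("EventID") != 11:
        return False
    return (selection_matches(event, selections["selection1"])
            and selection_matches(event, selections["selection2"]))


def evaluate(events, selections):
    """Return the TargetFilename of every event the rule fires on, in input order."""
    return [e["TargetFilename"] for e in events if rule_matches(e, selections)]


if __name__ == "__main__":
    print("proposed rule:   ", evaluate(SAMPLE_EVENTS, PROPOSED))
    print("endswith variant:", evaluate(SAMPLE_EVENTS, TIGHTER))
```

Two things the run makes visible. First, `contains: .bat` fires on `batch.batman` under `System32\Tasks`, because it is a substring test, not an extension check; `endswith: .bat` drops that hit while keeping the mixed-case `update.BAT` in `SysWOW64`. Second, every decision here is made on a single event, which is the core of the trade-off the issue author flags: a plain Sigma rule matches one event at a time, so SPL logic that relies on a join across searches or data-model objects has to be re-expressed as single-event selections like these, or it cannot be carried over as-is.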