AttackIQ / pySigma-backend-kusto

GNU Lesser General Public License v3.0

Error with negation #7

Closed rfackroyd closed 1 year ago

rfackroyd commented 1 year ago

Hey again.

This issue is on negation, where I am getting errors from MDE. I have converted the following test Sigma logic:

logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image:
      - '*\process.exe'
    CommandLine:
      - '*this*'
  filter:
    CommandLine:
      - '*notthis*'
  condition: selection and not filter

To this KQL:

DeviceProcessEvents
| where FolderPath endswith "\\process.exe" and ProcessCommandLine contains "this" and  !~  ProcessCommandLine contains "notthis"

I get red error marking underneath and:

"A value of type 'bool' expected.(KS107)"

And underneath '!~':

"The incomplete fragment is unexpected.(KS198)"

I wonder if we are using a string comparison operator !~ when we may need to simply use not. Keen to hear your thoughts though.

When I correct the KQL manually to the following, I do not get the error. Note that I needed to add the parenthesis around the last condition (ProcessCommandLine contains "notthis") to make it work.

DeviceProcessEvents
| where FolderPath endswith "\\process.exe" and ProcessCommandLine contains "this" and  not  (ProcessCommandLine contains "notthis")

slincoln-aiq commented 1 year ago

Yep, this is broken. Thanks for letting me know! The negation works as expected when you don't use any wildcards, but once any wildcards are used and the backend uses contains/startswith/endswith, you get the behavior seen above. There's a few options based on string operator documentation here for wildcard values in detection items:

  1. Putting a NOT in front of the detection item in the query, as you suggested
  2. Put a ! in front of contains/startswith/endswith if negation is needed (i.e., ProcessCommandLine !contains "this")

I'll take a look in the backend logic to see what makes the most sense and test against a few different use cases.
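
As an added illustration (not code from pySigma-backend-kusto or from either commenter), the snippet below renders a Sigma `selection and not filter` over wildcard values into KQL in either of the two forms discussed: wrapping the negated item in `not (...)` or prefixing the string operator with `!`. It assumes one value per field, leading/trailing `*` only, and treats backslashes in Sigma values literally.

```python
# Constructed example: minimal Sigma-wildcard -> KQL rendering with negation.
# Not the backend's own logic; table and field names are taken from the issue.

def _kql_string(value: str) -> str:
    """Quote a KQL string literal, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def wildcard_to_op(value: str) -> tuple[str, str]:
    """Map a Sigma value with leading/trailing '*' to (KQL operator, literal)."""
    leading, trailing = value.startswith("*"), value.endswith("*")
    core = value.strip("*")
    if "*" in core:
        raise ValueError("inner wildcards need 'matches regex'; not handled here")
    if leading and trailing:
        return "contains", core
    if trailing:
        return "startswith", core
    if leading:
        return "endswith", core
    return "=~", value  # exact, case-insensitive match


# '!' forms of each operator; note '=~' negates to '!~', not '!=~'
_NEGATED = {"contains": "!contains", "startswith": "!startswith",
            "endswith": "!endswith", "=~": "!~"}


def render_item(field: str, value: str, negate: bool = False,
                style: str = "not") -> str:
    """Render one detection item; style is 'not' (wrap) or 'bang' (prefix)."""
    op, lit = wildcard_to_op(value)
    if not negate:
        return f"{field} {op} {_kql_string(lit)}"
    if style == "bang":
        return f"{field} {_NEGATED[op]} {_kql_string(lit)}"
    # 'not' is a unary operator over a bool expression, so parenthesize it;
    # placing '!~' before the expression (as in the bug) is not valid KQL.
    return f"not ({field} {op} {_kql_string(lit)})"


def build_query(table: str, selection: list, filter_: list,
                style: str = "not") -> str:
    """Emit 'table | where <selection items> and <negated filter items>'."""
    parts = [render_item(f, v) for f, v in selection]
    parts += [render_item(f, v, negate=True, style=style) for f, v in filter_]
    return f"{table}\n| where " + " and ".join(parts)


if __name__ == "__main__":
    sel = [("FolderPath", "*\\process.exe"), ("ProcessCommandLine", "*this*")]
    flt = [("ProcessCommandLine", "*notthis*")]
    print(build_query("DeviceProcessEvents", sel, flt))
    print(build_query("DeviceProcessEvents", sel, flt, style="bang"))
```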

slincoln-aiq commented 1 year ago

I half lied, the negation didn't work as expected at all 😄, but either way this has been fixed in the latest commit to main 8f24371. I'll take a look at the other issue you raised, and once that's fixed as well I'll create another release with the bug fixes. Thanks again!

rfackroyd commented 1 year ago

No worries! Nice one.