Open defensivedepth opened 9 months ago
Ok, so if I run the following with no pipelines:
```
sigma convert -t eql --without-pipeline sigma/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
Parsing Sigma rules [####################################] 100%
any where Payload:"*Get-Clipboard*"
```
Then, I add the `windows-logsources` pipeline:
```
sigma convert -t eql -p windows-logsources sigma/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
Parsing Sigma rules [####################################] 100%
any where (Channel like~ ("Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational")) and (EventID:4103 and Payload:"*Get-Clipboard*")
```
Finally, I add the `ecs_windows` pipeline:
```
sigma convert -t eql -p ecs_windows -p windows-logsources sigma/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
Parsing Sigma rules [####################################] 100%
any where (winlog.channel like~ ("Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational")) and ((winlog.channel like~ ("Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational")) and (event.code:4103 and winlog.event_data.Payload:"*Get-Clipboard*"))
```
In that last one, is it expected that there is a duplicate search for winlog.channel?
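The repeated `winlog.channel` clause in that last output can be checked for mechanically. The script below is an added example, not code from sigma-cli or pySigma: it takes the two query strings quoted above (copied verbatim from the issue output), flattens the nested `and` conjunction, reports any conjunct that appears more than once, and rebuilds the query with the repeat removed. The splitter is a deliberately small hand-written one that assumes double-quoted literals without escaped quotes, which holds for the EQL shown here; it is a review aid for converted output, not a replacement for the backend's own expression handling.

```python
from typing import List, Tuple

# Both query strings are copied from the sigma-cli output quoted in the issue:
# the first from the windows-logsources run, the second from the
# ecs_windows + windows-logsources run that shows the repeated channel clause.
LOGSOURCE_QUERY = (
    'any where (Channel like~ ("Microsoft-Windows-PowerShell/Operational", '
    '"PowerShellCore/Operational")) and (EventID:4103 and Payload:"*Get-Clipboard*")'
)
ECS_QUERY = (
    'any where (winlog.channel like~ ("Microsoft-Windows-PowerShell/Operational", '
    '"PowerShellCore/Operational")) and ((winlog.channel like~ '
    '("Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational")) '
    'and (event.code:4103 and winlog.event_data.Payload:"*Get-Clipboard*"))'
)


def split_top_level(expr: str, op: str = " and ") -> List[str]:
    """Split `expr` on `op` only at parenthesis depth 0 and outside double quotes.

    Assumption: string literals are double-quoted with no escaped quotes,
    which is true of the queries in this issue.
    """
    parts: List[str] = []
    depth, in_str, start, i = 0, False, 0, 0
    while i < len(expr):
        c = expr[i]
        if c == '"':
            in_str = not in_str
        elif not in_str:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            elif depth == 0 and expr.startswith(op, i):
                parts.append(expr[start:i].strip())
                i += len(op)
                start = i
                continue
        i += 1
    parts.append(expr[start:].strip())
    return parts


def strip_outer_parens(expr: str) -> str:
    """Remove enclosing parentheses while a single pair wraps the whole expression."""
    expr = expr.strip()
    while expr.startswith("(") and expr.endswith(")"):
        depth, in_str = 0, False
        for i, c in enumerate(expr):
            if c == '"':
                in_str = not in_str
            elif not in_str:
                if c == "(":
                    depth += 1
                elif c == ")":
                    depth -= 1
                    if depth == 0 and i < len(expr) - 1:
                        return expr  # leading "(" closes early: not an outer pair
        expr = expr[1:-1].strip()
    return expr


def flatten_and(expr: str) -> List[str]:
    """Flatten nested AND-conjunctions into an ordered list of atomic conjuncts."""
    conjuncts: List[str] = []
    for part in split_top_level(expr):
        inner = strip_outer_parens(part)
        if inner != part or len(split_top_level(inner)) > 1:
            conjuncts.extend(flatten_and(inner))
        else:
            conjuncts.append(inner)
    return conjuncts


def dedupe_query(query: str) -> Tuple[str, List[str]]:
    """Return the query with repeated conjuncts removed, plus the list of repeats.

    A conjunct that itself contains a top-level "or" is re-parenthesised so
    that precedence is unchanged when it is joined back with "and".
    """
    head, sep, body = query.partition(" where ")
    if not sep:
        head, body = "", query
    seen, unique, repeats = set(), [], []
    for c in flatten_and(body):
        if c in seen:
            repeats.append(c)
        else:
            seen.add(c)
            unique.append(c)
    rebuilt = " and ".join(
        f"({c})" if len(split_top_level(c, " or ")) > 1 else c for c in unique
    )
    return head + sep + rebuilt, repeats


if __name__ == "__main__":
    for label, q in (("windows-logsources", LOGSOURCE_QUERY), ("ecs_windows", ECS_QUERY)):
        cleaned, repeats = dedupe_query(q)
        print(f"[{label}] repeated conjuncts: {repeats}")
        print(f"[{label}] simplified: {cleaned}")
```

Run stand-alone, it reports no repeats for the `windows-logsources` output and exactly one repeated conjunct (the `winlog.channel like~ (...)` clause) for the `ecs_windows` output, printing the query with that clause kept once.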
@thomaspatzke Do you have an idea how to solve this?