Wrong network direction values

[cospirho]

The default winlogbeat sysmon pipeline values for the network direction are changed from true/false to egress/ingress, and winlog.event_data.Initiated is removed (changed to network.direction). This backend will output the values of true/false

detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
        DestinationPort:
            - 80
            - 443

I'm not sure what the best way to handle this would be....also not 100% sure if it's an issue with this repo, the rules, both, or neither. I didn't see 'Initiated' anywhere in the sigma rule taxonomy specification.

[andurin]

@cospirho If I understood you correctly you would like to see a transformation like:

# Initiated: true 
network.direction: 'egress'

or

# Initiated: false
network.direction: 'ingress'

?

[andurin]

@thomaspatzke Would this be possible in the pipeline? A value determined conditional?

[cospirho]

@cospirho If I understood you correctly you would like to see a transformation like:

# Initiated: true 
network.direction: 'egress'

?

Yes that's right, like network.direction:egress instead of network.direction:true. Thank you for looking in to it.