Summary of the Pull Request

In deploying this rule, the Grafana SecOps team discovered that the contains modifier does not reference the field that this rule is trying to reference. Instead, we discovered that there is another modifier in pySigma, called fieldref, that enables field referencing; this allows us to update pySigma-backend-loki to reflect this modifier.

Changelog

update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier

Example Log Event
An (abridged) event we want to match on:
Whereas something we don't want to detect on:
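As an added example (not code from this pull request or from pySigma), the following Python sketch shows the semantic difference between the two modifiers on two constructed events. It assumes the rule's filter compares userIdentity.userName with requestParameters.userName, since the rule body is not shown here.

```python
"""Added example, not code from the pull request or from pySigma.

It shows why 'contains' cannot express a comparison between two fields of the
same event while 'fieldref' can. Assumptions: the filter compares
userIdentity.userName with requestParameters.userName (the PR does not show
the rule body), and the events are constructed CloudTrail-like records."""

def get_field(event: dict, path: str):
    """Resolve a dotted path such as 'userIdentity.userName' in a nested dict."""
    current = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current

def filter_contains(event: dict) -> bool:
    """'userIdentity.userName|contains: requestParameters.userName': the value is
    a plain string, so this is a literal substring test, not a field lookup."""
    actor = get_field(event, "userIdentity.userName") or ""
    return "requestParameters.userName" in actor

def filter_fieldref(event: dict) -> bool:
    """'userIdentity.userName|fieldref: requestParameters.userName': the value
    names another field, whose value is compared for equality."""
    actor = get_field(event, "userIdentity.userName")
    target = get_field(event, "requestParameters.userName")
    return actor is not None and actor == target

def rule_matches(event: dict, filter_fn) -> bool:
    """condition: selection and not filter."""
    selection = (get_field(event, "eventSource") == "iam.amazonaws.com"
                 and get_field(event, "eventName") == "UpdateLoginProfile")
    return bool(selection and not filter_fn(event))

def make_event(actor: str, target: str) -> dict:
    """Constructed, abridged CloudTrail-style UpdateLoginProfile record."""
    return {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": {"userName": target}}

SELF_CHANGE = make_event("alice", "alice")  # benign: own profile, should be filtered out
OTHER_CHANGE = make_event("alice", "bob")   # someone else's profile, should alert

if __name__ == "__main__":
    for name, fn in (("contains", filter_contains), ("fieldref", filter_fieldref)):
        print(f"{name}: self={rule_matches(SELF_CHANGE, fn)} other={rule_matches(OTHER_CHANGE, fn)}")
```

With contains, the filter never matches any real event, so the benign self-modification alerts as well; with fieldref only the change to another user's profile alerts.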
Fixed Issues
SigmaHQ Rule Creation Conventions