Velocidex / velociraptor-sigma-rules

A Compiler from Sigma rules to VQL

`Sigma.Windows.Hayabusa.Rules` has no `process_creation` rule for `Sysmon EventID 1` #21

Closed fukusuket closed 8 months ago

fukusuket commented 8 months ago

I am reporting this because I noticed a lack of rules while using the Client artifact `Sigma.Windows.Hayabusa.Rules`. I'm sorry if it was intentional and I misunderstood.

In the hayabusa_rule repository, there are the following two folder hierarchies (FYI: https://github.com/Yamato-Security/hayabusa-rules/issues/443):

It seems that the Client artifact `Sigma.Windows.Hayabusa.Rules` does not have rules for Sysmon:EID 1 (builtin/process_creation). There are approximately 1000 such rules.

Is this intentional? Or is it implemented so that the Sysmon:EID 1 event log can also be detected on the Velociraptor side?

Regards,

fukusuket commented 8 months ago

There are the following two folder hierarchies for registry events (FYI: https://github.com/Yamato-Security/hayabusa-rules/issues/476):

The same goes for the rules for registry events: there seems to be no rule for Sysmon:EID 12/13/14 in the Client artifact `Sigma.Windows.Hayabusa.Rules`.

scudette commented 8 months ago

Thanks for reporting and testing!

Looks like I made a typo in the import path and skipped importing the entire hayabusa/sigma/sysmon/ directory.

Thanks for reporting it and also explaining what those rules actually are!

Should be fixed by #22

fukusuket commented 8 months ago

Thank you so much for the quick fix!!