alexkornitzer
commented
8 months ago Happy to merge this but just gonna query your filter logic first cause if I understand what you want to do we can probably sneak it in here.
So what logic are you trying to implement is it provider/id pairs or either/or logic cause you should be able to write them like so:
filter:
- Provider: Microsoft-Windows-Sysmon
int(EventID): 1
- Provider: Microsoft-Windows-Security-Auditing
int(EventID): 999filter:
Provider:
- Microsoft-Windows-Sysmon
- Microsoft-Windows-Security-Auditing
int(EventID):
- 1
- 999Remember that arrays are or and maps are and hence the duplicate warnings.
reece394
This is a continuation of Pull Request #130 and reduces the false positive rate of sigma rules. Using these event logs as a test I managed to reduce the sigma.csv from 5083KB to 4781KB a decrease of around 5.94%.
Unfortunately I could not figure out how to use multiple EventID filters for some of these so there is most likely still some improvement that could be made here.
I tried both of these with the top one not erroring but continuing to show 4688 events for process_creation instead of taking them off due to me wanting to just have EventIDs 1 and 999 for testing. The second one errored claiming it was duplicated.
This does not necessarily hold this pull request up as I can always create a new one after this is merged if you can tell me where I am going wrong (Probably something simple).