Yamato-Security / hayabusa-rules

Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.

Incomplete field modifier (`expand`) rule created #552

Closed fukusuket closed 10 months ago

fukusuket commented 10 months ago

Describe the bug

The recently updated rules below seem to have field modifiers that are not supported by Hayabusa🤔

https://github.com/Yamato-Security/hayabusa-rules/blob/7bdca9b56863aafd83a0e14a293d8800380ae87d/sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml#L23-L25

https://github.com/Yamato-Security/hayabusa-rules/blob/7bdca9b56863aafd83a0e14a293d8800380ae87d/sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml#L24-L31

It was a correct modifier according to the Sigma rule specifications. https://sigmahq.io/docs/basics/modifiers.html#expand

fukusuket commented 10 months ago

@YamatoSecurity I think it would be better to modify logsource_mapping.py so that it does not convert rules with the following modifiers that are not currently supported. What do you think?🤔

https://sigmahq.io/docs/basics/modifiers.html
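One way to implement the check proposed above, as an added example written for this page (it is not code from logsource_mapping.py or from any Yamato-Security project): walk the `detection` block of a parsed Sigma rule, split each field key on `|` to get its modifier chain, and refuse to convert the rule if any modifier is outside the set the converter handles. The `SUPPORTED_MODIFIERS` set and `SAMPLE_RULE` below are constructed for illustration and are not Hayabusa's real list or the real rule text.

```python
"""Skip Sigma rules whose field modifiers a converter cannot handle.

Added example for this issue thread, not code from hayabusa-rules.
SUPPORTED_MODIFIERS is an assumed, illustrative set; consult the
converter you target for its actual list.
"""
from __future__ import annotations

from typing import Any, Iterator

# Assumption: the modifiers the converter can translate (illustrative only).
# 'expand' is deliberately absent, which is the case this issue is about.
SUPPORTED_MODIFIERS: set[str] = {
    "contains", "all", "startswith", "endswith", "re",
    "base64", "base64offset", "utf16le", "utf16be", "utf16", "wide",
    "windash", "cidr", "gt", "gte", "lt", "lte",
}

# Keys inside 'detection' that are not selections and carry no field keys.
RESERVED_KEYS = {"condition", "timeframe"}


def iter_field_keys(node: Any) -> Iterator[str]:
    """Yield every field key (e.g. 'Image|endswith') under a selection node.

    Selections may be a dict, a list of dicts (OR-ed), or a list of
    keyword strings; only dict keys carry modifiers.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_field_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_field_keys(item)


def modifiers_of(field_key: str) -> list[str]:
    """Return the modifier chain of 'Field|mod1|mod2' ('Field' alone gives [])."""
    return field_key.split("|")[1:]


def unsupported_modifiers(
    rule: dict, supported: set[str] = SUPPORTED_MODIFIERS
) -> dict[str, list[str]]:
    """Map each offending field key to the modifiers the converter lacks."""
    problems: dict[str, list[str]] = {}
    for name, selection in rule.get("detection", {}).items():
        if name in RESERVED_KEYS:
            continue
        for key in iter_field_keys(selection):
            bad = [m for m in modifiers_of(key) if m not in supported]
            if bad:
                problems[key] = bad
    return problems


def should_convert(rule: dict) -> bool:
    """True only when every modifier in the rule is supported."""
    return not unsupported_modifiers(rule)


# Constructed rule shaped like the placeholder rules linked in this issue
# (already parsed, i.e. what yaml.safe_load would return). Not the real rule.
SAMPLE_RULE = {
    "title": "Constructed placeholder rule",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 4624,
            "LogonType": 3,
            "LogonProcessName": "NtLmSsp",
        },
        "filter_known_workstations": {
            "WorkstationName|expand": "%Admins_Workstations%",
        },
        "condition": "selection and not filter_known_workstations",
    },
}

if __name__ == "__main__":
    for key, mods in unsupported_modifiers(SAMPLE_RULE).items():
        print(f"{key!r} uses unsupported modifier(s): {mods}")
    print("convert" if should_convert(SAMPLE_RULE) else "skip this rule")
```

Run over the rule directory before conversion, a `False` from `should_convert` means the rule is left out (or logged) instead of being written with a modifier the backend would silently mis-evaluate; adding `expand` to the set is all that changes once placeholder expansion is implemented.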

YamatoSecurity commented 10 months ago

@fukusuket I think that is a good idea.

fukusuket commented 10 months ago

Thank you for checking! I'll try implementing it💪

YamatoSecurity commented 10 months ago

@fukusuket Thanks so much!