Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Support `expand` modifiers #1434

Open YamatoSecurity opened 1 month ago

YamatoSecurity commented 1 month ago

`contains|expand` and `expand` are the last modifiers that are used by rules but are not supported. This will require creating lists of DC hostnames, admin PC names, etc. as placeholders, so it needs some cautious planning before implementation. I will update this description at a later date.

List of expand possibilities:

Admins_Workstations
DC-MACHINE-NAME
Workstations
internal_domains
domain_controller_hostnames
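To make concrete what the modifier has to do, here is an added example of Sigma-style placeholder expansion and matching. It is not Hayabusa's code and not part of the issue: the `%name%` placeholder syntax is the Sigma convention, but the in-memory table, the made-up hostnames, the sample logons and the rule are all assumptions for illustration, and the on-disk placeholder format the issue says still needs planning is not modelled.

```rust
use std::collections::HashMap;

/// How expanded values are compared with the event field:
/// `field|expand` is an exact match, `field|contains|expand` a substring match.
/// Sigma string matching is case-insensitive, so both sides are lower-cased first.
#[derive(Clone, Copy)]
pub enum Mode {
    Equals,
    Contains,
}

/// One logon event reduced to the fields the rule below looks at (constructed data).
pub struct Logon<'a> {
    pub computer: &'a str,
    pub workstation: &'a str,
    pub target_user: &'a str,
}

/// Placeholder table keyed by names from the issue. Hostnames are made up; the map is a
/// stand-in for whatever file format Hayabusa ends up reading (hypothetical).
pub fn sample_placeholders() -> HashMap<String, Vec<String>> {
    let mut table = HashMap::new();
    table.insert("Admins_Workstations".to_string(), vec!["ADM-WS-01".to_string(), "ADM-WS-02".to_string()]);
    table.insert("domain_controller_hostnames".to_string(), vec!["DC01".to_string(), "DC02".to_string()]);
    table.insert("internal_domains".to_string(), vec!["corp.example".to_string()]);
    table
}

/// Expand every `%name%` in `value` into the concrete strings it stands for.
/// No placeholder: the value is returned unchanged. Two placeholders: cartesian product.
/// Unknown or unterminated placeholder: an error, so the rule fails loudly instead of
/// silently matching nothing. Sigma wildcards (`*`, `?`) in literal parts are not handled here.
pub fn expand_value(value: &str, table: &HashMap<String, Vec<String>>) -> Result<Vec<String>, String> {
    let mut results = vec![String::new()];
    let mut rest = value;
    while let Some(start) = rest.find('%') {
        let literal = &rest[..start];
        let after = &rest[start + 1..];
        let end = after.find('%').ok_or_else(|| format!("unterminated placeholder in {value:?}"))?;
        let name = &after[..end];
        let subs = table.get(name).ok_or_else(|| format!("unknown placeholder %{name}% in {value:?}"))?;
        let mut next = Vec::with_capacity(results.len() * subs.len());
        for prefix in &results {
            for sub in subs {
                next.push(format!("{prefix}{literal}{sub}"));
            }
        }
        results = next;
        rest = &after[end + 1..];
    }
    for r in &mut results {
        r.push_str(rest);
    }
    Ok(results)
}

/// Does `field` match `rule_value` after expansion, under `mode`?
pub fn field_matches(field: &str, rule_value: &str, mode: Mode, table: &HashMap<String, Vec<String>>) -> Result<bool, String> {
    let field = field.to_lowercase();
    Ok(expand_value(rule_value, table)?.iter().any(|v| {
        let v = v.to_lowercase();
        match mode {
            Mode::Equals => field == v,
            Mode::Contains => field.contains(&v),
        }
    }))
}

/// A hypothetical detection that needs both modifiers, as a Sigma rule would state it:
///   selection: Computer|contains|expand: '%domain_controller_hostnames%'
///   filter:    WorkstationName|expand: '%Admins_Workstations%'
///   condition: selection and not filter
/// Returns the indexes of logons to a DC that did not come from an admin workstation.
pub fn dc_logons_from_non_admin_hosts(logons: &[Logon], table: &HashMap<String, Vec<String>>) -> Result<Vec<usize>, String> {
    let mut hits = Vec::new();
    for (i, l) in logons.iter().enumerate() {
        let selection = field_matches(l.computer, "%domain_controller_hostnames%", Mode::Contains, table)?;
        let filter = field_matches(l.workstation, "%Admins_Workstations%", Mode::Equals, table)?;
        if selection && !filter {
            hits.push(i);
        }
    }
    Ok(hits)
}

/// Constructed sample logons, not real event log records.
pub fn sample_logons() -> Vec<Logon<'static>> {
    vec![
        Logon { computer: "dc01.corp.example", workstation: "ADM-WS-01", target_user: "alice" },
        Logon { computer: "dc01.corp.example", workstation: "HR-LAPTOP-7", target_user: "bob" },
        Logon { computer: "FILESRV", workstation: "HR-LAPTOP-7", target_user: "bob" },
    ]
}

fn main() {
    let table = sample_placeholders();
    let logons = sample_logons();
    for i in dc_logons_from_non_admin_hosts(&logons, &table).expect("placeholders resolve") {
        println!("hit: {} logged on to {} from {}", logons[i].target_user, logons[i].computer, logons[i].workstation);
    }
    // A rule that refers to a placeholder nobody defined (`Workstations` is listed in the
    // issue but absent from this table) fails loudly rather than matching nothing:
    println!("{:?}", expand_value("%Workstations%", &table));
}
```

Two points a real implementation has to settle are visible here: an undefined placeholder should be reported at rule-load time rather than silently emptying the selection, and expansion happens before the ordinary `contains`/equals comparison, so any wildcard or case-folding logic runs on the expanded list, not on the `%name%` string.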