Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Support `fieldref|startswith` and `fieldref|contains` #1439

Closed YamatoSecurity closed 1 month ago

YamatoSecurity commented 1 month ago

In the Sigma discord channel, other users are reporting that they want to write rules with `|fieldref|startswith` and `|fieldref|contains` so we might as well start supporting it in v2.18.0. @fukusuket Since you did that endswith version, could I ask you to support these as well?
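For readers unfamiliar with the `fieldref` modifier: where a plain `startswith` compares a field against a literal in the rule, `fieldref|startswith` compares the field against the value of another field of the same event. The following is an added example written for this page, not Hayabusa's own code, showing the semantics in Rust over a constructed Sysmon-style event. It assumes Sigma's default case-insensitive string matching, a flat field/value map, and that a missing field on either side of the comparison never matches; the field names and the `parse_fieldref_key`/`matches` helpers are illustrative choices here, not Hayabusa API.

```rust
// Added example: minimal evaluator for Sigma `fieldref`, `fieldref|startswith`,
// `fieldref|endswith` and `fieldref|contains` selection items.
// Not Hayabusa's implementation; names below are illustrative.
use std::collections::HashMap;

/// Comparison applied between the selected field and the referenced field.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum FieldRefOp {
    Equals,
    StartsWith,
    EndsWith,
    Contains,
}

/// One `Field|fieldref|<op>: OtherField` item from a Sigma selection.
#[derive(Debug)]
pub struct FieldRefCondition {
    pub field: String,
    pub op: FieldRefOp,
    pub referenced_field: String,
}

/// Flat event representation (field name -> string value).
pub type Event = HashMap<String, String>;

/// Parse a selection key such as "Image|fieldref|startswith" together with its
/// value (the referenced field name). Returns None for keys that are not a
/// fieldref item or that chain an unsupported modifier.
pub fn parse_fieldref_key(key: &str, value: &str) -> Option<FieldRefCondition> {
    let parts: Vec<&str> = key.split('|').collect();
    if parts.len() < 2 || parts.len() > 3 || parts[1] != "fieldref" {
        return None;
    }
    let op = match parts.get(2).copied() {
        None => FieldRefOp::Equals,
        Some("startswith") => FieldRefOp::StartsWith,
        Some("endswith") => FieldRefOp::EndsWith,
        Some("contains") => FieldRefOp::Contains,
        Some(_) => return None,
    };
    Some(FieldRefCondition {
        field: parts[0].to_string(),
        op,
        referenced_field: value.to_string(),
    })
}

/// Evaluate one fieldref item. Both fields must be present; comparison is
/// case-insensitive (assumed here to mirror Sigma's default string matching).
pub fn matches(cond: &FieldRefCondition, event: &Event) -> bool {
    let (lhs, rhs) = match (event.get(&cond.field), event.get(&cond.referenced_field)) {
        (Some(l), Some(r)) => (l.to_lowercase(), r.to_lowercase()),
        _ => return false, // missing field on either side never matches
    };
    match cond.op {
        FieldRefOp::Equals => lhs == rhs,
        FieldRefOp::StartsWith => lhs.starts_with(&rhs),
        FieldRefOp::EndsWith => lhs.ends_with(&rhs),
        FieldRefOp::Contains => lhs.contains(&rhs),
    }
}

/// A Sigma selection map is an AND of its items.
pub fn selection_matches(conds: &[FieldRefCondition], event: &Event) -> bool {
    conds.iter().all(|c| matches(c, event))
}

/// Constructed sample event (not real telemetry) shaped like a Sysmon
/// process-creation record.
pub fn sample_event() -> Event {
    [
        ("Image", r"C:\Windows\Temp\x\svchost.exe"),
        ("OriginalFileName", "SVCHOST.EXE"),
        ("CurrentDirectory", r"C:\Windows\Temp\x\"),
        ("ParentImage", r"C:\Windows\Temp\x\loader.exe"),
        ("CommandLine", r#""C:\Windows\Temp\x\svchost.exe" -k netsvcs"#),
    ]
    .iter()
    .map(|(k, v)| (k.to_string(), v.to_string()))
    .collect()
}

fn main() {
    let event = sample_event();
    // "Image|fieldref|startswith: CurrentDirectory" -> the binary runs from its own directory
    let c1 = parse_fieldref_key("Image|fieldref|startswith", "CurrentDirectory").unwrap();
    // "CommandLine|fieldref|contains: Image" -> command line embeds the image path
    let c2 = parse_fieldref_key("CommandLine|fieldref|contains", "Image").unwrap();
    println!("startswith: {}", matches(&c1, &event));
    println!("contains:   {}", matches(&c2, &event));
    println!("both (AND): {}", selection_matches(&[c1, c2], &event));
}
```

Note the edge case in `matches`: an absent referenced field yields no match rather than an error, which is the safer default for a hunting tool because a rule should not fire on events that simply lack the field it refers to.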

fukusuket commented 1 month ago

Sounds good! Yes, I would love to implement it!💪