Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Support `contains|all` field #945

Closed YamatoSecurity closed 1 year ago

YamatoSecurity commented 1 year ago

In Sigma rules, the following declaration is often used:

selection:
    ImagePath|contains|all:
        - 'ADMIN$'
        - '.exe'

However, to use it in Hayabusa, it needs to be written in the following way:

selection:
    ImagePath|contains: 'ADMIN$'
    ImagePath|contains: '.exe'

Many users request more compatibility with Sigma rules, so I would like to support this way of writing as well, as it is more commonly used in Sigma and makes rules easier to read.

hitenkoku commented 1 year ago

@YamatoSecurity Basically, I am thinking of the principle of OR conditions for anything written in the form of an array. Wouldn't that be confusing if the "and" condition is used only when "all" is added?

YamatoSecurity commented 1 year ago

@hitenkoku YAML lists are written with - and have OR logic, so it might be confusing for those not familiar with Sigma. In Sigma rules, contains|all makes them AND logic. That is how everyone writes Sigma rules, so I don't think it will be confusing if explained.
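To make the OR-versus-AND point in this thread concrete, here is a small evaluator for the Sigma field modifiers under discussion. It is an added example, not Hayabusa's code or part of the original issue. It follows the Sigma semantics the thread describes: entries of a selection map are ANDed, a YAML list of values under one field is ORed, and `|all` switches that list to AND. The event records are constructed for the example, and the selections are written as the Python dict (or pair list) a YAML loader would produce from the rule fragments quoted above, so the block runs without a YAML library.

```python
"""Toy evaluator for the Sigma field modifiers `contains` and `contains|all`.

Added example, not Hayabusa's implementation. Mirrors the semantics described
in the issue: selection entries are ANDed, a list of values is ORed, `|all`
turns that list into AND. All inputs below are constructed for illustration.
"""
from typing import Any, Dict, Iterable, List, Tuple, Union

# A selection is normally a mapping; a list of (spec, value) pairs is also
# accepted so the two-entry form with a repeated key can be represented.
Selection = Union[Dict[str, Any], List[Tuple[str, Any]]]


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def match_field(field_spec: str, expected: Any, record: Dict[str, Any]) -> bool:
    """Evaluate one `Field|modifier|...: value(s)` entry against a record.

    String comparison is case-insensitive, which is Sigma's default.
    """
    name, *modifiers = field_spec.split("|")
    actual = record.get(name)
    if actual is None:  # field absent from the event: no match
        return False
    haystack = str(actual).lower()
    needles = [str(v).lower() for v in _as_list(expected)]

    if "contains" in modifiers:
        hits = [n in haystack for n in needles]
    elif "startswith" in modifiers:
        hits = [haystack.startswith(n) for n in needles]
    elif "endswith" in modifiers:
        hits = [haystack.endswith(n) for n in needles]
    else:  # no transformation modifier: exact match
        hits = [haystack == n for n in needles]

    # A list of values is OR by default; `|all` makes every value required.
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(selection: Selection, record: Dict[str, Any]) -> bool:
    """All entries within one selection are ANDed."""
    entries = selection.items() if isinstance(selection, dict) else selection
    return all(match_field(spec, exp, record) for spec, exp in entries)


def evaluate(selection: Selection, records: Iterable[Dict[str, Any]]) -> List[bool]:
    return [match_selection(selection, r) for r in records]


# Constructed sample events (not real logs); 7045 is a service-install event.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ImagePath": r"\\fileserver\ADMIN$\payload.exe"},   # both
    {"EventID": 7045, "ImagePath": r"\\fileserver\ADMIN$\notes.txt"},     # ADMIN$ only
    {"EventID": 7045, "ImagePath": r"C:\Windows\System32\svchost.exe"},    # .exe only
    {"EventID": 7045, "ImagePath": r"C:\Users\alice\Documents\budget.xlsx"},  # neither
    {"EventID": 7045},                                                     # no ImagePath
]

# `ImagePath|contains|all: ['ADMIN$', '.exe']` -> both substrings required
SELECTION_CONTAINS_ALL = {"ImagePath|contains|all": ["ADMIN$", ".exe"]}

# Same list without `|all` -> either substring suffices
SELECTION_CONTAINS_ANY = {"ImagePath|contains": ["ADMIN$", ".exe"]}

# The two-entry form from the issue. Entries of a selection are ANDed, so it
# is equivalent to `contains|all`; written as pairs because the key repeats.
SELECTION_TWO_ENTRIES = [("ImagePath|contains", "ADMIN$"), ("ImagePath|contains", ".exe")]

if __name__ == "__main__":
    for label, sel in [("contains|all", SELECTION_CONTAINS_ALL),
                       ("contains (list)", SELECTION_CONTAINS_ANY),
                       ("two entries", SELECTION_TWO_ENTRIES)]:
        print(f"{label:16} -> {evaluate(sel, SAMPLE_EVENTS)}")
```

Running it shows that `contains|all` and the two-entry form match only the first event, while the plain list under `contains` matches the first three. How a particular YAML loader treats the repeated key in the two-entry form is outside this example; the pair list simply preserves both entries.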