Closed fukusuket closed 2 months ago
@fukusuket Thanks for the quick fix! We should probably also ignore
```yaml
title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
```
Is it possible to add comments to the text file so we don't have to look up what rules they are? For example:

```text
# These rules are ignored because they have keywords that cause false positives for Windows Defender
ec19ebab-72dc-40e1-9728-4c0b805d722c # Tamper Windows Defender - PSClassic
14c71865-6cd3-44ae-adaa-1db923fae5f2 # Tamper Windows Defender - ScriptBlockLogging
```
@YamatoSecurity Thank you so much for checking :) I updated!
```console
% poetry run python sigma-to-hayabusa-converter.py -r ../sigma -o ./converted_sigma_rules
...
% diff -r converted_sigma_rules converted_sigma_rules_org
Only in converted_sigma_rules_org/builtin/powershell/powershell_classic: posh_pc_tamper_windows_defender_set_mp.yml
Only in converted_sigma_rules_org/builtin/powershell/powershell_script: posh_ps_tamper_windows_defender_set_mp.yml
```
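As an added illustration of the exclude-list format proposed in this thread (one rule id per line, optional `#` comment, blank lines allowed), here is a small parser plus a filter that skips rule files whose `id:` matches. This is example code written for this page, not the converter's own implementation; the exclude-file text and the three minimal rule files are constructed here, and the behaviour of reporting non-UUID lines instead of silently dropping them is a design choice of the example.

```python
"""Parse an "<rule id> # comment" exclude list and filter Sigma rules by id.

Example code for this page, not sigma-to-hayabusa-converter's own code.
The exclude-file layout is the one proposed in the thread; the sample
rule files below are constructed and contain only the fields needed here.
"""
from __future__ import annotations

import re

# Canonical UUID shape; the converter's real ids are all of this form.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample exclude file, with one deliberately bad line at the end.
EXCLUDE_FILE = """\
# These rules are ignored because they have keywords that cause false positives for Windows Defender
ec19ebab-72dc-40e1-9728-4c0b805d722c # Tamper Windows Defender - PSClassic
14c71865-6cd3-44ae-adaa-1db923fae5f2 # Tamper Windows Defender - ScriptBlockLogging

not-a-uuid # this line should be reported, not silently accepted
"""


def parse_exclude_list(text: str) -> tuple[dict[str, str], list[tuple[int, str]]]:
    """Return ({rule_id: comment}, [(lineno, offending_line), ...]).

    Full-line and trailing '#' comments are stripped and blank lines skipped.
    Ids are lower-cased so a mixed-case id in a rule still matches.  A line
    that is not a UUID is reported rather than ignored, so a typo in the list
    cannot quietly leave a rule un-excluded.
    """
    ids: dict[str, str] = {}
    errors: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:  # blank line or comment-only line
            continue
        if not UUID_RE.match(body):
            errors.append((lineno, raw.rstrip()))
            continue
        ids[body.lower()] = comment.strip()
    return ids, errors


# Matches the top-level "id:" line of a Sigma rule without needing a YAML parser.
ID_LINE_RE = re.compile(r"^id:\s*['\"]?([0-9a-f-]{36})['\"]?\s*$", re.I | re.M)


def rule_id(rule_yaml: str) -> str | None:
    """Extract the rule id from a rule's YAML text, lower-cased, or None."""
    m = ID_LINE_RE.search(rule_yaml)
    return m.group(1).lower() if m else None


def filter_rules(
    rules: dict[str, str], excluded: dict[str, str]
) -> tuple[list[str], list[str]]:
    """Split rule file names into (kept, skipped) according to the exclude ids."""
    kept: list[str] = []
    skipped: list[str] = []
    for name, body in rules.items():
        rid = rule_id(body)
        (skipped if rid is not None and rid in excluded else kept).append(name)
    return sorted(kept), sorted(skipped)


# Constructed minimal rule files; the second uses an upper-case id on purpose.
SAMPLE_RULES = {
    "posh_ps_tamper_windows_defender_set_mp.yml": (
        "title: Tamper Windows Defender - ScriptBlockLogging\n"
        "id: 14c71865-6cd3-44ae-adaa-1db923fae5f2\n"
        "status: test\n"
    ),
    "posh_pc_tamper_windows_defender_set_mp.yml": (
        "title: Tamper Windows Defender - PSClassic\n"
        "id: EC19EBAB-72DC-40E1-9728-4C0B805D722C\n"
    ),
    "posh_ps_something_else.yml": (
        "title: Something else\n"
        "id: 0b4e9f7d-0000-4000-8000-000000000001\n"
    ),
}


if __name__ == "__main__":
    excluded, bad = parse_exclude_list(EXCLUDE_FILE)
    for lineno, line in bad:
        print(f"exclude list line {lineno} is not a rule id: {line!r}")
    kept, skipped = filter_rules(SAMPLE_RULES, excluded)
    for name in skipped:
        print(f"skipping {name}  # {excluded[rule_id(SAMPLE_RULES[name])]}")
    print("converting:", ", ".join(kept))
```

Keeping the comment text alongside each id means the skip log can name the rule, which is what the request above is after; reporting malformed lines loudly is the check worth keeping, since an exclude list that silently accepts a typo would still convert the rule it was meant to drop.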
What Changed
Related https://github.com/Yamato-Security/sigma-to-hayabusa-converter/issues/6
I would appreciate it if you could check it out when you have time🙏