Open YamatoSecurity opened 1 month ago
@YamatoSecurity Thank you for the mention! Yes, I would love to implement it💪
sequence draft memo:
I was thinking about just manually ignoring the problem rules with the unique ID, but we might be able to automate the anti-virus scan with this: https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action I am not sure if the Windows VM used for GitHub Actions has Defender running in the background (I don't think so), so we wouldn't run hayabusa and check for Defender alerts with a live scan, but just try to run a Defender anti-malware check against the converted sigma yml files.
@YamatoSecurity Sorry, I misunderstood! First I'll implement a process that just ignores specific UUIDs💪
Original issue:
I created the following PR in the sigma-to-hayabusa-converter repo. https://github.com/Yamato-Security/sigma-to-hayabusa-converter/pull/1
@YamatoSecurity
After merging the following PRs, a PR excluding ec19ebab-72dc-40e1-9728-4c0b805d722c will be created in the regular scheduled execution :)
There are a couple of rules that cause false positives with Windows Defender, so we would like to ignore them and not create them in the hayabusa-rules repository until we can create a fix with hayabusa to encrypt the rules and evade detection. @fukusuket Could I ask you to do this?