Yamato-Security / sigma-to-hayabusa-converter

Tool to convert Windows event log based Sigma rules to Hayabusa compatible rules.
GNU General Public License v3.0

Ignore rules that are causing Windows Defender alerts #6

Open YamatoSecurity opened 1 month ago

YamatoSecurity commented 1 month ago

There are a couple of rules that cause false positives with Windows Defender, so we would like to ignore them and not create them in the hayabusa-rules repository until we can create a fix with hayabusa to encrypt the rules and evade detection. @fukusuket Could I ask you to do this?

fukusuket commented 1 month ago

@YamatoSecurity Thank you for the mention! Yes, I would love to implement it💪

fukusuket commented 1 month ago

sequence draft memo:

  1. Execute sigma-to-hayabusa-converter.py
  2. Unzip the hayabusa release binary
  3. Replace rule
  4. Run json-timeline -l -w -D -n -u -p super-verbose <- Is it possible in GitHub Actions with Admin permissions?
  5. Check if there is a Defender detection rule in the JSON <- Is it possible in GitHub Actions?
  6. If exists, remove the rule
  7. Create a PR

YamatoSecurity commented 1 month ago

I was thinking about just manually ignoring the problem rules with the unique ID, but we might be able to automate the anti-virus scan with this: https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action

I am not sure if the Windows VM used for GitHub Actions has Defender running in the background (I don't think so), so we wouldn't run hayabusa and check for Defender alerts with a live scan, but just try to run a Defender anti-malware check against the converted Sigma yml files.

fukusuket commented 1 month ago

@YamatoSecurity Sorry, I misunderstood! First I'll implement a process that just ignores specific UUIDs💪
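The approach settled on above, skipping a fixed set of rule UUIDs before conversion, looks roughly like the following. This is an added illustration, not code from sigma-to-hayabusa-converter itself: the function names, the `partition_rules` helper and the second rule's UUID are constructed for the example, and the rule texts are constructed stand-ins for real Sigma YAML. Only the excluded UUID `ec19ebab-72dc-40e1-9728-4c0b805d722c` is taken from the thread. The top-level `id` is read with a column-0 regex so the example runs without PyYAML; a real converter would use its YAML parser.

```python
"""Skip Sigma rules whose UUID is on an exclusion list before converting them.

Added example (not the project's own code). Assumptions: rules arrive as
{filename: yaml_text}; the exclusion list is a set of lowercase UUID strings.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Exclusion list. The first UUID is the one named in the issue; the
# converter would read this from a file or a constant in the real tool.
EXCLUDED_RULE_IDS: Set[str] = {
    "ec19ebab-72dc-40e1-9728-4c0b805d722c",
}

# Match only a top-level `id:` key (column 0). Indented `id:` keys inside
# `detection:` or `related:` blocks must not be mistaken for the rule ID.
_TOP_LEVEL_ID_RE = re.compile(
    r"^id:\s*['\"]?([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})['\"]?\s*$",
    re.MULTILINE,
)


def sigma_rule_id(yaml_text: str) -> Optional[str]:
    """Return the rule's top-level `id` (lowercased), or None if absent."""
    match = _TOP_LEVEL_ID_RE.search(yaml_text)
    return match.group(1).lower() if match else None


def should_skip(yaml_text: str, excluded: Set[str] = EXCLUDED_RULE_IDS) -> bool:
    """True when the rule carries an excluded UUID. Rules without an ID are
    never skipped here; the converter's own validation handles those."""
    rule_id = sigma_rule_id(yaml_text)
    return rule_id is not None and rule_id in excluded


def partition_rules(
    rules: Dict[str, str], excluded: Set[str] = EXCLUDED_RULE_IDS
) -> Tuple[List[str], List[str]]:
    """Split rule filenames into (to_convert, skipped), preserving order."""
    to_convert: List[str] = []
    skipped: List[str] = []
    for name, text in rules.items():
        (skipped if should_skip(text, excluded) else to_convert).append(name)
    return to_convert, skipped


# Constructed sample rules. The second UUID is a placeholder, not a real rule.
RULE_EXCLUDED = """\
title: Example rule that trips Defender
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
logsource:
  product: windows
detection:
  selection:
    Image|endswith: '\\example.exe'
  condition: selection
"""

RULE_KEPT = """\
title: Example rule that is fine
id: 00000000-0000-4000-8000-000000000001
related:
  - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
    type: similar
logsource:
  product: windows
detection:
  selection:
    CommandLine|contains: 'example'
  condition: selection
"""


def main() -> None:
    to_convert, skipped = partition_rules(
        {"excluded.yml": RULE_EXCLUDED, "kept.yml": RULE_KEPT}
    )
    print("converting:", to_convert)
    print("skipped (excluded UUID):", skipped)


if __name__ == "__main__":
    main()
```

Note that `RULE_KEPT` references the excluded UUID under `related:` and is still converted; only the rule's own top-level `id` decides. Logging the skipped filenames, as `main` does, gives the scheduled job something to put in the PR description so reviewers can see which rules were held back.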

fukusuket commented 1 month ago

Original issue:

fukusuket commented 1 month ago

I created the following PR in the sigma-to-hayabusa-converter repo: https://github.com/Yamato-Security/sigma-to-hayabusa-converter/pull/1

fukusuket commented 1 month ago

@YamatoSecurity After merging the following PRs, a PR excluding ec19ebab-72dc-40e1-9728-4c0b805d722c will be created in the regularly scheduled execution :)