opensearch-project / security-analytics

Security Analytics enables users for detecting security threats on their security event log data. It will also allow them to modify/tailor the pre-packaged solution.
Apache License 2.0

SIGMA rule translation -> lucene query replaces spaces " " with "_ws_" which lucene doesn't understand. #1024

Open tallyoh opened 4 months ago

tallyoh commented 4 months ago

What is the bug? A sigma rule with a whitespace gets incorrectly translated to a search query with "ws" instead of a whitespace.

How can one reproduce the bug?

```yaml
detection:
  condition: (selection and selection_evt) and not filter_main_known_locations
  filter_main_known_locations:
    process.executable|contains:
```

Results in:

```
(((process.name: "MpCmdRun.exe") OR (process.name: "NisSrv.exe")) AND ((event.code: 1) AND (event.module: "sysmon"))) AND ((((NOT process.executable: C\:\Program_ws_Filesws(x86)\Windows_ws_Defender\* AND exists: process.executable) AND (NOT process.executable: C\:\Program_ws_Files\Microsoft_ws_Security_ws_Client\ AND exists: process.executable) AND (NOT process.executable: C\:\Program_ws_Files\Windows_ws_Defender\ AND exists: process.executable) AND (NOT process.executable: C\:\ProgramData\Microsoft\Windows_ws_Defender\Platform\ AND exists: process.executable) AND (NOT process.executable: C\:\Windows\WinSxS\* AND exists: process.executable))))
```

What is the expected behavior? A whitespace should work properly in a sigma rule that is translated to a lucene query

What is your host/environment? OS 2.13

Do you have any additional context? Looking in GitHub, I can see where the "ws" is being set. Not sure why. https://github.com/search?q=repo%3Aopensearch-project%2Fsecurity-analytics%20%20_ws_&type=code
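As an added example (not the project's code), this shows how a Sigma `|contains` value containing spaces can be emitted as a single Lucene `query_string` term by backslash-escaping the space rather than substituting a placeholder, and how to check that the result still tokenises as one term. The field and paths are taken from the rule above; the function names and the assumption that the target is OpenSearch `query_string` (classic Lucene syntax) are mine.

```python
import re

# Characters the Lucene query_string parser treats as syntax; a space is a
# term separator and needs the same backslash escaping (assumption: target is
# OpenSearch query_string, which follows the classic Lucene syntax).
LUCENE_RESERVED = set('+-=&|><!(){}[]^"~:\\/ ')


def escape_lucene_term(value: str, keep_wildcards: bool = True) -> str:
    """Escape a literal so query_string reads it as exactly one term.

    '*' and '?' are kept as wildcards by default because Sigma modifiers
    such as |contains rely on them; pass keep_wildcards=False for values
    that must match literally.
    """
    out = []
    for ch in value:
        if ch in LUCENE_RESERVED or (ch in "*?" and not keep_wildcards):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def sigma_contains_to_lucene(field: str, values) -> str:
    """Render a Sigma `field|contains: [...]` list as one Lucene clause.
    Each value is escaped and wrapped in '*' wildcards; no placeholder
    such as _ws_ is ever emitted."""
    clauses = [f"{field}:*{escape_lucene_term(v)}*" for v in values]
    return "(" + " OR ".join(clauses) + ")"


def lucene_term_count(clause: str) -> int:
    """Simplified model of query_string tokenisation: unescaped whitespace
    separates terms, so a correctly escaped single value must count as
    exactly one term (an unescaped space would split it into two)."""
    return len([t for t in re.split(r"(?<!\\)\s+", clause) if t])


if __name__ == "__main__":
    # Constructed from the Windows Defender paths in the rule above.
    paths = [
        "C:\\Program Files (x86)\\Windows Defender\\",
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    ]
    query = sigma_contains_to_lucene("process.executable", paths)
    print(query)
    print("terms in first clause:", lucene_term_count(query.split(" OR ")[0]))
```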

tallyoh commented 3 months ago

Just wondering if there has been any movement on this and if a fix is coming in 2.15. Thanks!