opensearch-project / security-analytics

Security Analytics enables users for detecting security threats on their security event log data. It will also allow them to modify/tailor the pre-packaged solution.
Apache License 2.0

[BUG] Invalid condition for 1 of pattern, all of pattern condition #987

Open yblee85 opened 6 months ago

yblee85 commented 6 months ago

What is the bug? The condition `1 of selection*` (see the Sigma documentation, Advanced Conditions: 1 of search pattern) is considered invalid.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Go to /app/opensearch_security_analytics_dashboards#/import-rule
  2. Import Rule
  3. Import the following rule:

```yaml
title: DEWMODE Webshell Access
description: Detects access to DEWMODE webshell as described in FIREEYE report
logsource:
    category: webserver
detection:
    selection1:
        c-uri|contains|all:
            - '?dwn='
            - '&fn='
            - '.html?'
    selection2:
        c-uri|contains|all:
            - '&dwn='
            - '?fn='
            - '.html?'
    condition: 1 of selection*
```

What is the expected behavior? It should be allowed.

What is your host/environment?

Do you have any screenshots? image
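For reference, the following added example (not code from the security-analytics project or from the reporter) shows what the Sigma specification expects the `1 of <pattern>` and `all of <pattern>` quantifiers to mean, using the rule from this issue as constructed input. It expands the wildcard into the explicit list of matching selection names and evaluates the rule against sample `c-uri` values. It assumes the condition is a single quantifier expression and that selections are maps of `field|modifier` keys (the only forms used in the rule above); boolean composition with `and`/`or`/`not` is out of scope.

```python
import fnmatch
import re

# Constructed from the rule in the issue: the detection block as a dict.
DETECTION = {
    "selection1": {"c-uri|contains|all": ["?dwn=", "&fn=", ".html?"]},
    "selection2": {"c-uri|contains|all": ["&dwn=", "?fn=", ".html?"]},
    "condition": "1 of selection*",
}

# Matches "1 of them", "all of them", "1 of selection*", "all of selection*".
QUANTIFIER_RE = re.compile(r"^\s*(1|all)\s+of\s+(them|\S+)\s*$")


def selection_matches(selection, event):
    """Evaluate one Sigma selection (a map of field|modifiers -> value(s)) against an event.

    Supports the modifiers used in the issue's rule: `contains` and `all`.
    Without `contains` the comparison is exact equality; without `all` any
    listed value is enough (Sigma's default OR over list values).
    """
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        actual = event.get(field)
        if actual is None:
            return False
        if isinstance(values, str):
            values = [values]
        if "contains" in modifiers:
            hits = [v in actual for v in values]
        else:
            hits = [v == actual for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def expand_condition(condition, selection_names):
    """Expand a `1 of`/`all of` condition into (quantifier, matched names, explicit expression).

    `them` refers to every selection; any other pattern is a glob matched
    against the selection names. A pattern that matches nothing is an error,
    which is the only case in which such a condition should be rejected.
    """
    m = QUANTIFIER_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    quantifier, pattern = m.groups()
    if pattern == "them":
        names = list(selection_names)
    else:
        names = [n for n in selection_names if fnmatch.fnmatchcase(n, pattern)]
    if not names:
        raise ValueError(f"pattern {pattern!r} matches no selection")
    joiner = " or " if quantifier == "1" else " and "
    return quantifier, names, joiner.join(names)


def rule_matches(detection, event):
    """Return True if the detection's condition holds for the event."""
    names = [k for k in detection if k != "condition"]
    quantifier, names, _ = expand_condition(detection["condition"], names)
    results = [selection_matches(detection[n], event) for n in names]
    return any(results) if quantifier == "1" else all(results)


if __name__ == "__main__":
    # Constructed sample events, not real traffic.
    for uri in ("/a.html?dwn=1&fn=x", "/a.html?fn=x&dwn=1", "/index.html"):
        print(uri, "->", rule_matches(DETECTION, {"c-uri": uri}))
```

`expand_condition` is the piece a validator needs: `1 of selection*` is valid as long as at least one selection name matches the glob, and it is equivalent to writing `selection1 or selection2` out by hand.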

yblee85 commented 6 months ago

Update

I used the API and it works; it creates a detection rule and detects events.

jowg-amazon commented 6 months ago

Added issue to our backlog