Closed xC0uNt3r7hr34t closed 1 year ago
Still working on a review of this but in the meantime, this is the test file I'm using for future reference
```json
{
  "query_i_know_works": {
    "process_name": ["services.exe"]
  },
  "two_1-field_queries": {
    "query": [
      "TgtProcName = \"services.exe\"",
      "DnsRequest = \"google.com\""
    ]
  },
  "1-field_query": {
    "query": ["TgtProcName = \"powershell.exe\""]
  },
  "2-field_query": {
    "query": ["TgtProcName = \"svchost.exe\" AND DnsRequest = \"github.com\""]
  },
  "two_2-field_queries": {
    "query": [
      "TgtProcName = \"chrome.exe\" AND DnsRequest = \"gmail.com\"",
      "FilePath = \"malware.zip\" AND TgtProcName = \"firefox.exe\""
    ]
  },
  "regex_test": {
    "ipaddr": ["(^127\\.)|(^10\\.)|(^172\\.1[6-9]\\.)|(^172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(^192\\.168\\.)"],
    "process_name": ["[A-Z]{9}.exe"]
  }
}
```
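A definition file like the one above mixes two kinds of entries: raw `query` strings and per-field regex patterns. The following validator is an added example, not the project's own code; it assumes that a `query` entry is one or more `Field = "value"` clauses joined by `AND` and that every other key holds regex patterns, and it flags entries that would fail before they are sent to the product. The embedded definition is an abridged, constructed copy of the test file in this thread.

```python
import json
import re

# Constructed, abridged copy of the test definition file posted above.
DEFINITION_JSON = r'''{
 "two_1-field_queries": {"query": ["TgtProcName = \"services.exe\"", "DnsRequest = \"google.com\""]},
 "2-field_query": {"query": ["TgtProcName = \"svchost.exe\" AND DnsRequest = \"github.com\""]},
 "regex_test": {"ipaddr": ["(^127\\.)|(^10\\.)|(^172\\.1[6-9]\\.)|(^192\\.168\\.)"],
                "process_name": ["[A-Z]{9}.exe"]}
}'''

# Assumed clause grammar for a raw query entry (an assumption about the tool,
# not its real parser): Field = "value", clauses joined by " AND ".
CLAUSE = re.compile(r'^[A-Za-z]+ = "[^"]*"$')


def check_query(text):
    """Return a list of problems found in one raw query string (empty if fine)."""
    problems = []
    for clause in text.split(" AND "):
        if not CLAUSE.match(clause):
            problems.append(f'clause not in Field = "value" form: {clause!r}')
    return problems


def validate_definitions(raw):
    """Validate a definition file; returns {definition_name: [problems]} for names with problems."""
    issues = {}
    for name, fields in json.loads(raw).items():
        probs = []
        for field, patterns in fields.items():
            if not isinstance(patterns, list):
                probs.append(f"{field}: expected a list of strings")
                continue
            for pattern in patterns:
                if field == "query":
                    probs.extend(check_query(pattern))
                else:
                    try:
                        re.compile(pattern)  # every non-query key is treated as a regex
                    except re.error as err:
                        probs.append(f"{field}: bad regex {pattern!r} ({err})")
        if probs:
            issues[name] = probs
    return issues


if __name__ == "__main__":
    print(validate_definitions(DEFINITION_JSON) or "definition file OK")
```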
Changes are only applied to the SentinelOne product in this PR.
Validation: definition file containing full query options and regular definitions.
Successful output of definition file using regex and showing added fields in CSV.
Resolves #85 Resolves #86