Closed mkilijanek closed 1 year ago
Hi, thanks for the PR.
Since it involves modifying a ruleset, the way to do that is to modify the Sigma config file (i.e. Zircolite.yml) used to generate the rulesets.
Hi,
The "generic" rulesets are for Windows systems without Sysmon. It is possible to add to generic rulesets what you want by:

- `order` field value to 12
- running:

```bash
pdm run ./legacy-sigmatools/tools/sigmac -t sqlite -c ./legacy-sigmatools/tools/config/generic/windows-audit.yml -c ./legacy-sigmatools/tools/config/generic/sysmon-generic.yml -c ./legacy-sigmatools/tools/config/generic/powershell.yml -c ./legacy-sigmatools/tools/config/zircolite.yml -d ./sigma/rules/windows/ --output-fields title,id,description,author,tags,level,falsepositives,filename,status --output-format json -r -o rules_windows_generic_full.json --backend-option table=logs
```
I would advise against doing it because it is much simpler to edit your own rulesets or to use multiple rulesets on the same logs.
I won't merge your PR since it will be overwritten in this repo.
Feel free to ask questions here if I am not clear enough.
Fix Sysmon Blocked Executable (id: 23b71bc5-953e-4971-be4c-c896cda73fc2) to be triggered only on Sysmon channel
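The point of the PR title above (fire only on the Sysmon channel) can be checked without regenerating anything. The following is an added example, not code from Zircolite or from the PR: it builds a `logs` table the way Zircolite does from flattened events, then runs two hypothetical rules written in the JSON shape of a Zircolite ruleset (a title and a list of SQL strings). The events and both SQL queries are constructed for illustration and are not the output of sigmac; the column names `Channel`, `EventID`, `Image` and `TargetFilename` are assumed from the usual flattened EVTX fields. The rule that keys on `EventID = 27` alone also matches an unrelated event with the same ID on another channel; the rule that adds a `Channel` condition does not.

```python
import sqlite3

# Constructed sample events (not real logs). Zircolite flattens each EVTX
# record into one row of a "logs" table; only the fields needed here are kept.
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"Channel": SYSMON_CHANNEL, "EventID": 27,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\tool.exe"},
    # Same EventID on another channel: an unrelated event that must not fire.
    {"Channel": "Security", "EventID": 27, "Image": "", "TargetFilename": ""},
    {"Channel": SYSMON_CHANNEL, "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": ""},
]

# Hypothetical rules in the JSON shape of a Zircolite ruleset (title plus a
# list of SQL strings). Simplified illustrations, not sigmac output.
RULESET = [
    {"title": "Sysmon Blocked Executable (EventID only)",
     "rule": ["SELECT * FROM logs WHERE EventID = 27"]},
    {"title": "Sysmon Blocked Executable (Sysmon channel only)",
     "rule": [f"SELECT * FROM logs WHERE Channel = '{SYSMON_CHANNEL}' "
              "AND EventID = 27"]},
]


def load_events(events):
    """Build an in-memory logs table whose columns are the union of event keys."""
    columns = sorted({key for event in events for key in event})
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE logs (%s)" % ", ".join(f'"{c}"' for c in columns))
    placeholders = ", ".join("?" for _ in columns)
    conn.executemany(
        f"INSERT INTO logs VALUES ({placeholders})",
        [tuple(event.get(c) for c in columns) for event in events],
    )
    return conn


def run_ruleset(conn, ruleset):
    """Run every SQL string of every rule; return {title: [Channel of each hit]}."""
    hits = {}
    for rule in ruleset:
        matched = []
        for sql in rule["rule"]:
            matched.extend(row["Channel"] for row in conn.execute(sql))
        hits[rule["title"]] = matched
    return hits


def main():
    conn = load_events(SAMPLE_EVENTS)
    for title, channels in run_ruleset(conn, RULESET).items():
        print(f"{title}: {len(channels)} hit(s) {channels}")


if __name__ == "__main__":
    main()
```

Whether the `Channel` condition ends up in the generated query is decided by the Sigma config files passed to sigmac, which is why the maintainer points at the config rather than the generated JSON.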