wagga40
commented
1 year ago Hi, thanks for the PR.
Since it involves modifying a ruleset, the way to do that is to modify the Sigma config file (i.e Zircolite.yml) used to generate the rulesets.
Closed mkilijanek closed 1 year ago
wagga40
commented
1 year ago Hi, thanks for the PR.
Since it involves modifying a ruleset, the way to do that is to modify the Sigma config file (i.e Zircolite.yml) used to generate the rulesets.
wagga40
commented
1 year ago Hi,
The "generic" ruleset are for Windows system without Sysmon. It is possible to add to generic rulesets what you want by :
order field value to 12 pdm run ./legacy-sigmatools/tools/sigmac -t sqlite -c ./legacy-sigmatools/tools/config/generic/windows-audit.yml -c ./legacy-sigmatools/tools/config/generic/sysmon-generic.yml -c ./legacy-sigmatools/tools/config/generic/powershell.yml -c ./legacy-sigmatools/tools/config/zircolite.yml -d ./sigma/rules/windows/ --output-fields title,id,description,author,tags,level,falsepositives,filename,status --output-format json -r -o rules_windows_generic_full.json --backend-option table=logsI would avise against doing it because it is much simpler to edit your own rulesets or to use multiple rulesets on the same logs.
I won't merge your PR since it will be overwritten in this repo.
Feel free to ask questions here if I am not clear enough.
Fix Sysmon Blocked Executable (id: 23b71bc5-953e-4971-be4c-c896cda73fc2) to be triggered only on Sysmon channel