
Compare two different attributes of a log

Open nofaceinbook opened this issue 8 months ago • 2 comments

I have now checked the specification (thank you very much for it) several times, but I don't see a possibility to compare two different attributes of a log file. E.g. you want to check if the sourceIp is equal to destinationIp (not discussing here if this example makes any sense). If this feature is not yet available I would suggest allowing a new modifier 'field'. In case it is present the value of a search identifier is treated as a field name. E.g.

selection:
    sourceIp|field: destinationIp    # select flows where sourceIp equals destinationIp

Also, having the option to compare values with the comparison modifiers of the new version, like:

selection:
    bytesOut|field|g:  bytesIn   # select flows where more bytes went out than in

And in addition I would also vote for a specific "not equal" comparison, e.g. 'ne', to avoid having a complicated comparison with two different selections and a not statement for this.

nofaceinbook avatar Nov 05 '23 18:11 nofaceinbook

This modifier exists! However, it's in version 2 of the specification. It's called fieldref: https://github.com/SigmaHQ/sigma-specification/blob/version_2/appendix_modifer.md

Res260 avatar Nov 05 '23 19:11 Res260
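To make the two posts above concrete, here is an added example (not code from this thread, from pySigma, or from the sigma-specification project): a toy evaluator that applies the `fieldref` modifier named in the reply to the flow comparisons the issue asks for, over constructed flow events. The rules are written as the parsed form of the YAML `detection` section. The `fieldref` keyword comes from the linked v2 appendix; combining it with a comparison modifier such as `gt` (the `bytesOut|field|g: bytesIn` idea) is the issue's proposal and is implemented here only for illustration, not as a claim about what the specification permits. Field names, event values and the `not selection` condition handling are assumptions of this example.

```python
"""Toy evaluator for Sigma-style `fieldref` comparisons (added example).

Assumptions: events are flat dicts; only the modifiers `fieldref`, `gt`, `gte`,
`lt`, `lte` and a condition of the form `selection` or `not selection` are handled.
"""
import operator

# Constructed sample flow events (not taken from the original issue).
FLOWS = [
    {"sourceIp": "10.0.0.5", "destinationIp": "10.0.0.5", "bytesOut": 900, "bytesIn": 100},
    {"sourceIp": "10.0.0.5", "destinationIp": "8.8.8.8", "bytesOut": 100, "bytesIn": 9000},
    {"sourceIp": "192.168.1.2", "destinationIp": "192.168.1.9", "bytesOut": 5000, "bytesIn": 20},
]

# Comparison modifiers from the v2 specification, mapped to Python operators.
OPS = {"gt": operator.gt, "gte": operator.ge, "lt": operator.lt, "lte": operator.le}


def match_selection(selection, event):
    """True when every `field|modifiers: value` pair in the selection holds for the event."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        actual = event[field]
        # fieldref: the value names another field of the same event, not a literal.
        if "fieldref" in modifiers:
            if expected not in event:
                return False
            expected = event[expected]
        # Pick a comparison modifier if present, otherwise plain equality.
        compare = next((OPS[m] for m in modifiers if m in OPS), operator.eq)
        if not compare(actual, expected):
            return False
    return True


def evaluate(rule, events):
    """Return the events matching a rule with one selection; `not selection` inverts it."""
    detection = rule["detection"]
    negate = detection["condition"].strip().startswith("not ")
    selection = detection["selection"]
    return [e for e in events if match_selection(selection, e) != negate]


# Parsed form of:  selection: {sourceIp|fieldref: destinationIp}; condition: selection
SAME_IP_RULE = {
    "detection": {"selection": {"sourceIp|fieldref": "destinationIp"}, "condition": "selection"}
}

# The "not equal" case the issue wants expressed with a `not` in the condition.
DIFFERENT_IP_RULE = {
    "detection": {"selection": {"sourceIp|fieldref": "destinationIp"}, "condition": "not selection"}
}

# The issue's proposed field-to-field comparison, written with fieldref plus gt
# (assumption: whether the spec allows this combination is not asserted here).
MORE_OUT_THAN_IN_RULE = {
    "detection": {"selection": {"bytesOut|fieldref|gt": "bytesIn"}, "condition": "selection"}
}


def run_all():
    """Apply each rule to the constructed flows and return the match counts."""
    return {
        "same_ip": len(evaluate(SAME_IP_RULE, FLOWS)),
        "different_ip": len(evaluate(DIFFERENT_IP_RULE, FLOWS)),
        "more_out_than_in": len(evaluate(MORE_OUT_THAN_IN_RULE, FLOWS)),
    }


if __name__ == "__main__":
    for name, count in run_all().items():
        print(f"{name}: {count} flow(s) matched")
```

With the constructed flows, the same-IP rule matches the first flow only, the negated rule matches the other two, and the bytes comparison matches the two flows where more left than arrived. The point of the example is that a field reference resolves against the same event being tested, so the comparison happens per record rather than against a constant.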

Great. Thank you very much @Res260 . So I did not read version 2 carefully enough :-)

But I would still recommend to have a not-equal modifier like 'ne' as described above.

nofaceinbook avatar Nov 05 '23 20:11 nofaceinbook