frack113

Results: 108 comments of frack113

Hello, for me this is not going in the right direction. You modify the rules to match your personal use of the SQL backend. The rules have been corrected to...

Hi, I work with nxlog and winlogbeat, so I know the problem. nxlog keeps the original field while winlogbeat transforms and removes data... But this cannot be a...

Hi, if we go this way, I think the name should use a prefix like `logical_RegistryKey`. When we read the rule it must be easy to see it...

I'm not used to Carbon Black, but in the code: https://github.com/SigmaHQ/sigma/blob/bcf2bf2e4db218b30b546b4e499b6cd8ea82525e/tools/sigma/backends/carbonblack.py#L92 https://github.com/SigmaHQ/sigma/blob/bcf2bf2e4db218b30b546b4e499b6cd8ea82525e/tools/sigma/backends/carbonblack.py#L119 So it seems to be the expected behavior.

Hi, YAML doesn't like spaces in field names, so we have replaced them with `_`. The correct selection is `New_Value|contains: '\Microsoft\Windows Defender\Exclusions'`. Go catch 👍 I have added the field to...

This is a problem with `es-dsl`. Fields with spaces must be escaped in Elastic. When I try with `es-qs` I get `winlog.event_data.Source\ Name:"AMSI"`, but with `es-dsl` I get...

Sorry, I did not find a quick fix for the es-dsl backend. Hope a [pySigma](https://github.com/SigmaHQ/pySigma) for Elastic comes fast.

> I can't find anything regarding this for field name in context of DSL.

As I wrote, in Elasticsearch field names with spaces are not a good idea. https://github.com/elastic/elasticsearch-dsl-py/issues/721...

I remember well having a discussion about spaces in field names: https://github.com/SigmaHQ/sigma/pull/2139

Spaces in field names will break some backend output where a space is important (like sqlite, es-qs or splunk). In view of the test and correction work on **sigmac**, ...
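The two comments above about `es-qs` versus `es-dsl` and about sqlite, es-qs and splunk all turn on the same point: a space inside a field name is harmless in some output formats and breaks others. The following Python is an added illustration written for this page, not sigmac or pySigma code, that renders one constructed selection (`Source Name` = `AMSI`, the field from the thread) into each of the four backends so the difference is visible side by side. The `winlog.event_data.` prefix, the `events` table name and the `match_phrase` clause are assumptions chosen for the example.

```python
"""Render a Sigma-style selection (field -> value) into four backend syntaxes,
showing where a space in a field name must be escaped or quoted.
Added example for this page; it is not sigmac or pySigma code."""
import json
import re

# Constructed sample input: a Windows event field whose name contains a space.
SELECTION = {"Source Name": "AMSI"}
# Assumed ECS-style prefix, as winlogbeat maps event_data fields.
ECS_PREFIX = "winlog.event_data."

# Characters that are special in Lucene query_string syntax (es-qs).
# A bare space would terminate the field token, so whitespace is in the set.
_LUCENE_SPECIAL = re.compile(r'([\s\\+\-=&|><!(){}\[\]^"~*?:/])')


def lucene_escape(token: str) -> str:
    """Backslash-escape Lucene special characters in a field name."""
    return _LUCENE_SPECIAL.sub(r"\\\1", token)


def es_qs(selection: dict, prefix: str = ECS_PREFIX) -> str:
    """Lucene / Kibana query string: field names escaped, values quoted."""
    parts = []
    for field, value in selection.items():
        quoted = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        parts.append(f"{lucene_escape(prefix + field)}:{quoted}")
    return " AND ".join(parts)


def es_dsl(selection: dict, prefix: str = ECS_PREFIX) -> str:
    """Query DSL as JSON. Here the field name is a JSON object key, so it needs
    no Lucene escaping at all; json.dumps does the only escaping required.
    (A DSL body that wraps a query_string clause would need es_qs escaping.)"""
    must = [{"match_phrase": {prefix + f: v}} for f, v in selection.items()]
    return json.dumps({"query": {"bool": {"must": must}}}, separators=(",", ":"))


def splunk(selection: dict) -> str:
    """SPL: a field name containing whitespace must be double-quoted."""
    parts = []
    for field, value in selection.items():
        name = f'"{field}"' if re.search(r"\s", field) else field
        parts.append(f'{name}="{value}"')
    return " ".join(parts)


def sqlite(selection: dict, table: str = "events") -> str:
    """SQL: the identifier is double-quoted (embedded quotes doubled) and the
    value is a single-quoted literal (embedded single quotes doubled)."""
    conds = []
    for field, value in selection.items():
        ident = '"' + field.replace('"', '""') + '"'
        literal = "'" + value.replace("'", "''") + "'"
        conds.append(f"{ident} = {literal}")
    return f"SELECT * FROM {table} WHERE " + " AND ".join(conds)


def render_all(selection: dict) -> dict:
    """Convenience wrapper returning every backend's output keyed by name."""
    return {
        "es-qs": es_qs(selection),
        "es-dsl": es_dsl(selection),
        "splunk": splunk(selection),
        "sqlite": sqlite(selection),
    }


if __name__ == "__main__":
    for backend, query in render_all(SELECTION).items():
        print(f"{backend:7s} {query}")
```

The es-qs output reproduces the `winlog.event_data.Source\ Name:"AMSI"` form observed in the thread, while the DSL output carries the unescaped name as a JSON key; the practical caveat is that escaping only helps in the query-string syntax, so a rule field that a backend emits into a different syntax needs that backend's own quoting rule, which is why a naming convention without spaces is the simpler fix.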