frack113
Please take a look at https://github.com/SigmaHQ/pySigma. From the sigmac help message: "Sigmac will be deprecated by the end of 2022 in favour of sigma-cli and pySigma. Please stop contributing backends..."
Hi, @tcmcgahanred, can I close this issue as it is a sysmon trouble?
More information here: https://github.com/SigmaHQ/sigma-specification
The cli is here: https://github.com/SigmaHQ/sigma-cli, and the specification is here: https://github.com/SigmaHQ/sigma-specification
As sigmac is now only best effort, take a look at https://github.com/SigmaHQ/pySigma-backend-elasticsearch
Check https://github.com/SigmaHQ/sigma-specification/blob/main/wip/Sigma_Correlations.md. You can open a discussion on https://github.com/SigmaHQ/sigma-specification/discussions
Closed because there has been no activity for 1 year.
Made some updates to check what needs to be checked before closing this issue.

| Page | Sigma Rule | Topic |
|:----:|:----------:|:------|
| [42](https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42) | X | FromBase64String / Compression /... |
You must use the backend options:

```bash
PS D:\rootme\sigma\tools> python sigmac -t es-qs -c .\config\winlogbeat-modules-enabled.yml ..\rules\windows\process_creation\proc_creation_win_office_spawn_exe_from_users_directory.yml --backend-option keyword_blacklist="process.parent.executable,process.executable"
((process.parent.executable:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\MSACCESS.exe...
```
@tmcgahan, can I close it?