frack113
Hi @foxalfabravo, with `"` the rule fails, so I simply tried this:

```yaml
filter:
  - query:
      query_string:
        query: {{ query }}
```

It works, I think it is more...
Hi, thanks for the fix. As the regex fix changes the detection, the field `modified` must be updated.
Found this: https://research.splunk.com/application/dfe55688-82ed-4d24-a21b-ed8f0e0fda99/ `search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"`
Hi, can you give some references and a "redacted" log? Thanks
From the test result https://github.com/SigmaHQ/sigma/actions/runs/12250758661/job/34174271371#step:5:36
Please check, it is already covered by https://github.com/SigmaHQ/sigma/blob/85fd5958bcccdf12984ab5cc9230fcaf2d42c1e0/rules/windows/builtin/security/win_security_audit_log_cleared.yml
Can you give the XML version of the event so that I can update the initial rule? Thanks
The GUI information is for humans; in the XML you can see `Provider Name="Microsoft-Windows-Eventlog"` like the original rule. The logsource `service: security` matches `Channel:Security`. From the XML, ...
Hi, there are already some rules:

- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

I'm surprised by the field `ProcessVersionInfoProductName`
> ProcessVersionInfoProductName

In the Sysmon event (but not in the Windows 4688) you have:

- Description
- Product
- Company
- OriginalFileName

Can be something like this ```yaml selection_exe: -...