Josh

7 comments by Josh

![image](https://github.com/SigmaHQ/sigma/assets/16333554/f822d821-004e-4734-8341-e307aad776e7) ahh - we don't even need both `\..\..\mshtml` because `\..\mshtml` does just fine

There is a similar rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml But I couldn't get anything except `javascript:` to work in my testing. I think I was close to the `vbscript:` attempt but I didn't...

This is a problem with the backend and not pySigma - please see this link to the section of code that is supporting that error generation: https://github.com/7RedViolin/pySigma-backend-sentinelone-pq/blob/24123bcba1cc4ee425a55d3ef6b46a64c90109b7/sigma/pipelines/sentinelone_pq/sentinelone_pq.py#L26

> @joshnck I see. I understand that `translation_dict` is meant to translate field naming, I can't understand how I can discard certain fields. Thanks for your help. So your pipeline...

That would be my recommendation. I'm not very familiar with that backend but the way it is handling these errors in my cli is really unusual. AFAIK you cannot overwrite...

The logic in this sigma rule is flawed - but I hope my point comes across. Let me know if you'd like me to refactor this rule to make more...

![image](https://github.com/SigmaHQ/pySigma-backend-splunk/assets/16333554/5f48886a-9c8b-4ac9-8822-285b144b7cf8) ![image](https://github.com/SigmaHQ/pySigma-backend-splunk/assets/16333554/06ed1bbc-0138-41a8-95af-1e57531de95c) This is an adjacent issue (and a less important one) but when the Sigma rule has newlines in the description, they are kept via the postprocessing even though...