Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update rule condition #4716

Merged
merged 3 commits into from
Feb 12, 2024
Merged

Update rule condition #4716

merged 3 commits into from
Feb 12, 2024

Conversation

qasimqlf
Copy link
Contributor

@qasimqlf qasimqlf commented Feb 9, 2024
edited by nasbench
Loading

Summary of the Pull Request

1st: Filter condition was still startswith after removing c in last commit but it should also be changed to contains.
2nd: Event 6416 also included deviceDescription, so i updated the event condition

Changelog

update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@qasimqlf
fix: updated the wrong filter condition
22ac73f 
last commit removed the c but didn't change the condition from startswith to contains
@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Feb 9, 2024
@qasimqlf
fix: deviceDescription is also part of 6416 event
b73524f 
Event 6416 was not part of selection_usb, that was wrong, because deviceDescription is also the field of 6416.
@qasimqlf qasimqlf changed the title fix: updated the wrong filter condition fix: updated the wrong conditions Feb 9, 2024
@nasbench nasbench added the 2nd Review Needed PR need a second approval label Feb 9, 2024
frack113
frack113 approved these changes Feb 11, 2024
View reviewed changes
Copy link
Member

@frack113 frack113 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nasbench nasbench changed the title fix: updated the wrong conditions Update rule condition Feb 12, 2024
@nasbench nasbench merged commit cf84dcd into SigmaHQ:master Feb 12, 2024
12 checks passed
@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Feb 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frack113 frack113 frack113 approved these changes

@nasbench nasbench nasbench approved these changes

Assignees
No one assigned
Labels
Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@qasimqlf @nasbench @frack113