Hi Team, my data has a parsed process.name field which I'd like to do exact matches on in Elastic. I'm finding most Sigma detections use `Image|endswith: '\cmd.exe'`, and I'd like to map it to my process.name field, as this is more performant than doing wildcard matches on the entire process path and ending with
Any ideas on how to achieve this using sigmac?
Answered by
nasbench
Jun 23, 2023
Replies: 1 comment
This is possible with pySigma. Give this a read, as it should have your answer: https://medium.com/sigma-hq/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070
0 replies
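To make the rewrite the answer points at concrete, here is an added, self-contained Python illustration (not pySigma's own code and not from the linked article): it performs, on a plain-dict form of a rule's `detection` block, the field-mapping step a pySigma processing pipeline would apply before the Elasticsearch backend renders the query. `Image|endswith` values that are a bare basename with one leading backslash become an exact `process.name` match; anything else (wildcards, no leading separator, other modifiers) is assumed to fall back to the full-path ECS field `process.executable` with its original modifier, which is an assumption about the target schema, not something the discussion states.

```python
"""Rewrite Sigma ``Image|endswith`` selections into exact ``process.name`` matches.

Added illustration, not pySigma's or the project's own code. In a real deployment
the same mapping is expressed as a pySigma processing pipeline; this shows the
rewrite itself on a dict representation of a rule's detection section.
"""
from copy import deepcopy

SOURCE_FIELD = "Image"             # Sysmon-style full executable path
NAME_FIELD = "process.name"        # ECS basename field, exact (keyword) match
PATH_FIELD = "process.executable"  # assumed fallback: ECS full-path field
WILDCARDS = ("*", "?")


def _is_plain_basename(value):
    """True for values like '\\cmd.exe': one leading backslash, then a basename
    with no wildcards and no further path separators."""
    if not isinstance(value, str) or not value.startswith("\\"):
        return False
    base = value[1:]
    if not base or "\\" in base or "/" in base:
        return False
    return not any(w in base for w in WILDCARDS)


def rewrite_selection(selection):
    """Return a new selection dict with Image|endswith rewritten where it is safe.

    Only values that are provably a bare basename are converted; otherwise the
    original modifier is kept on the full-path field so semantics are preserved.
    """
    out = {}
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if field != SOURCE_FIELD:
            out[key] = value
            continue
        values = value if isinstance(value, list) else [value]
        if modifier == "endswith" and all(_is_plain_basename(v) for v in values):
            names = [v[1:] for v in values]  # strip the leading backslash
            out[NAME_FIELD] = names if isinstance(value, list) else names[0]
        else:
            new_key = PATH_FIELD + ("|" + modifier if modifier else "")
            out[new_key] = value
    return out


def rewrite_detection(detection):
    """Apply rewrite_selection to every selection (dict or list of dicts) in a
    detection block, leaving the 'condition' string untouched."""
    result = {}
    for name, body in detection.items():
        if name == "condition":
            result[name] = body
        elif isinstance(body, dict):
            result[name] = rewrite_selection(body)
        elif isinstance(body, list):
            result[name] = [rewrite_selection(i) if isinstance(i, dict) else deepcopy(i)
                            for i in body]
        else:
            result[name] = deepcopy(body)
    return result


if __name__ == "__main__":
    # Constructed sample detection block in the shape the question describes.
    sample = {
        "selection": {"Image|endswith": "\\cmd.exe", "CommandLine|contains": "/c"},
        "filter": {"Image|endswith": "\\*.exe"},
        "condition": "selection and not filter",
    }
    print(rewrite_detection(sample))
```

One caveat to keep in mind when applying this: Sigma string matching is case-insensitive, while an exact match on an Elasticsearch keyword field is case-sensitive, so `process.name` should be normalised at ingest (or the value lowercased in the pipeline) before trading the `endswith` wildcard for an exact term.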
Answer selected by
nasbench