Searching for time in the last 90 days

[hippyjm]

Hopefully a simple one. Im looking to only get results if an event occurred in the last 90 days to get rid of a lot of noise. im unsure of the syntax / commands i require and cant seem to find any information online. Ive tried time-window. timeframe doesn't work as that's just not right :)
basically i want to see if that event has occoured in the last 90 days

logsource: product: windows service: system detection: selection: EventID: - 16384 condition: selection

[phantinuss]

This is something you need to define in your post-processing pipeline in pySigma for your specific SIEM use case. There's an example on how to do that for Splunk in this blog post: https://blog.sigmahq.io/introducing-query-post-processing-and-output-finalization-to-processing-pipelines-4bfe74087ac1

I am not aware of other public documentation about this, right now.

[phantinuss]

Sigma is an intermediate language mainly for knowledge transfer. What you are asking about is on how to implement something for a specific ?SIEM?. I don't know. Without more explanation on what exactly you are working on and with which tools, there's no way to help.

[hippyjm]

Using it with chainsaw.exe to look at event logs and determine any issues. the issue is that some rules are very repetative. we do care about them but hoping to streamline it a bit as it can take a while to parse the logs. all good though and really enjoying the work

[phantinuss]

Yeah, so it's more a question on how to use chainsaw. Better ask there if there are workflows that help your use case.

[hippyjm]

Will do. ive found a bit of a messy way to get round the issue
detection:
selection:
EventID:
- 16384
Event.System.TimeCreated:
- '2023-07*'
- '2023-08*'
- '2023-09*'
- '2023-10*'
- '2023-11*'
- '2023-12*'
- '2024-*'
condition: selection

as i want logs further back for everything else. just not this one. ill need to maintain and keep on top of it but hey ho. the fun of IT