Event Action data missing apostrophes

Question

Event Action data missing apostrophes

djlukic opened this issue 4 months ago · 5 comments

Rule UUID

cde0a575-7d3d-4a49-9817-b8004a7bf105

Example EventLog

RuleId {5B6F0B20-15BF-437D-B5EA-AF499B23FF4A}
RuleName @{Microsoft.YourPhone_1.24072.111.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.YourPhone/Resources/AppName}
Origin 1
ApplicationPath
ServiceName
Direction 2
Protocol 256
LocalPorts
RemotePorts
Action 2
Profiles 2147483647
LocalAddresses *
RemoteAddresses *
RemoteMachineAuthorizationList
RemoteUserAuthorizationList
EmbeddedContext @{Microsoft.YourPhone_1.24072.111.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.YourPhone/Resources/AppName}
Flags 1
Active 1
EdgeTraversal 0
LooseSourceMapped 0
SecurityOptions 0
ModifyingUser S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
ModifyingApplication C:\Windows\System32\svchost.exe
SchemaVersion 542
RuleStatus 65536
LocalOnlyMapped 0
PolicyAppId

Description

Hi,

I was testing this rule and it seems it needs apostrophes around 2, otherwise that condition is not valued.

    filter_main_block:
        Action: 2 # Block

it should be

    filter_main_block:
        Action: '2' # Block

Please correct me if I am wrong as I am still learning Sigma. Thank you!

Answer 1 · 2024-08-21T14:50:07.000Z

Welcome @djlukic 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

Answer 2 · 2024-08-21T15:48:54.000Z

Hi @djlukic,

How did you find that it's not evaluated? TheAction value is an integer and not a string, so it should be correct. Can you please share more info on your setup?

Answer 3 · 2024-08-21T17:29:25.000Z

Hi. I used a custom tool that was supposed to convert this to Golang like script but integer was not properly parsed apparently. Thank you for your guidance.

Answer 4 · 2024-08-21T19:28:21.000Z

Hi. I used a custom tool that was supposed to convert this to Golang like script but integer was not properly parsed apparently. Thank you for your guidance.

So is this an issue from your side? or how do we proceed?

Answer 5 · 2024-08-22T06:36:13.000Z

Yes, issue was on my side.