mdecrevoisier/SIGMA-detection-rules

Help Understanding Correlations Between Event IDs

AlaZegnani opened this issue · 2 comments

Greetings,

I am having a little confusion when it comes to understanding how Event IDs are separated in the IOCs content table in the Readme.md.

For example, the difference between 4728,4756,4732 AND 4728/4756. My initial thoughts are, when IDs are separated with a comma "," that's an AND operator (all IDs have to be present to detect the technique), whereas "/" means one of the Event IDs is enough for detection.

However, I'm also seeing Event IDs separated by "-" or some description values in between parentheses (); does this have any impact?

Your help in understanding main differences between these would be greatly appreciated.

Thank you.

Hi @AlaZegnani, thanks for the feedback. You are right, the definition of the separators is currently not clear and requires checking the SIGMA rule logic. I will see how I can improve this topic in a future release soon.

Hi @AlaZegnani, thanks again for the feedback. I have updated the event ID information to clarify if it is about OR or AND operators.
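As an added illustration of the OR/AND question raised above (this is not code from the SIGMA-detection-rules repository, and the events are constructed samples), the snippet below evaluates a small subset of Sigma detection semantics: a list of values for one field is OR, several fields in one selection are AND, and ANDing two different event IDs in one rule can never match a single event, which is why that needs a multi-event correlation rather than a plain rule.

```python
# Added example: minimal evaluator for a subset of Sigma detection logic.
# Not part of the SIGMA-detection-rules repository; sample events are constructed.

def match_selection(selection, event):
    """Selection = dict of field -> value or list of values.
    Fields are ANDed; a list of values for one field is ORed."""
    for field, wanted in selection.items():
        values = wanted if isinstance(wanted, list) else [wanted]
        if event.get(field) not in values:
            return False
    return True

def evaluate(condition, selections, event):
    """Evaluate 'sel_a and sel_b' / 'sel_a or sel_b' / 'sel_a' against one event
    (single operator, no parentheses or wildcards, to keep the example short)."""
    names = [t for t in condition.split() if t not in ("and", "or")]
    results = [match_selection(selections[n], event) for n in names]
    return all(results) if " and " in condition else any(results)

def run_rule(rule, events):
    """Return the EventRecordIDs of the events the rule's detection block matches."""
    det = rule["detection"]
    sels = {k: v for k, v in det.items() if k != "condition"}
    return [e["EventRecordID"] for e in events if evaluate(det["condition"], sels, e)]

# Constructed Windows Security events (fields trimmed to what the rules use).
EVENTS = [
    {"EventRecordID": 1, "EventID": 4728, "TargetUserName": "Domain Admins"},
    {"EventRecordID": 2, "EventID": 4756, "TargetUserName": "Enterprise Admins"},
    {"EventRecordID": 3, "EventID": 4732, "TargetUserName": "Administrators"},
    {"EventRecordID": 4, "EventID": 4624, "TargetUserName": "alice"},
]

# "4728/4756" as OR: a value list matches either event ID.
RULE_OR = {"detection": {"selection": {"EventID": [4728, 4756]},
                         "condition": "selection"}}

# AND between fields of the same event: 4728 *and* a specific target group.
RULE_AND_FIELDS = {"detection": {"selection": {"EventID": 4728,
                                               "TargetUserName": "Domain Admins"},
                                 "condition": "selection"}}

# AND between two event IDs: one event has one EventID, so this never fires.
RULE_AND_IDS = {"detection": {"sel_global": {"EventID": 4728},
                              "sel_local": {"EventID": 4732},
                              "condition": "sel_global and sel_local"}}
```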