Spotted a 2nd bug with the backend. Some Sigma queries aren't properly translated to MDE when only operators are being added instead of the full condition (filters) for some reason.
From the Sigma Core++ Ruleset -> proc_creation_win_netsh_fw_add_rule.ym
This rule gets translated to the following KQL statement:
DeviceProcessEvents
| where ((FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and (ProcessCommandLine contains " firewall " and ProcessCommandLine contains " add ")) and (not((match or match)))
You can see that towards the end, the condition does not make sense. If I were to manually translate that rule, it should give something like:
DeviceProcessEvents
| where ((FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and (ProcessCommandLine contains " firewall " and ProcessCommandLine contains " add ")) and not (ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any" or ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=?:\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any")
This issue is present with multiple rules, so it looks like an issue with the backend.
Once again, Python is not my strong suit so I'm not of much help in identifying the issue in the code and proposing a fix. But I do know my KQL and have access to a Sentinel test tenant to run as many tests (queries) as needed!