Hi Team, my data has a parsed process.name field which I'd like to do exact matches on in Elastic. I'm finding most Sigma detections use "Image|endswith: '\cmd.exe'"
and map it to my process.name field as this is more performant than doing wildcard matches on the entire process path and ending with Any ideas on how to achieve this using sigmac?
Replies: 1 comment
This is possible with pySigma. Give this a read as it should have your answer: https://medium.com/sigma-hq/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070
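To make the answer concrete, here is an added illustration of the rewrite a pySigma processing pipeline would perform for this question; it is example code written for this page, not pySigma's own API or the linked article's code. It assumes an ECS-style target schema (process.executable / process.name and the parent equivalents), which is an assumption, and it implements the rule of thumb a practitioner would want: Image|endswith: '\cmd.exe' (a leading backslash plus a bare file name) becomes an exact term on process.name, while an endswith value that still carries path components, or any contains/startswith value, must stay a wildcard on the full path field, because process.name alone cannot express it. The sample selection at the bottom is constructed for the demonstration.

```python
"""Illustrative Sigma field/modifier -> Elastic field rewrite (added example, not pySigma code)."""
from __future__ import annotations

import re

# Hypothetical mapping for this example: Sysmon-style Sigma field -> ECS path field,
# plus the ECS field that carries only the file name and is cheap to match exactly.
PATH_FIELD = {"Image": "process.executable", "ParentImage": "process.parent.executable"}
NAME_FIELD = {"Image": "process.name", "ParentImage": "process.parent.name"}

# Characters that are special in the Lucene query-string syntax ('*' and '?' are
# deliberately left alone so Sigma's own wildcards survive the rewrite).
_LUCENE_SPECIAL = re.compile(r'([\\+\-!(){}\[\]^"~:/ ])')


def lucene_escape(text: str) -> str:
    """Backslash-escape Lucene special characters in a literal value."""
    return _LUCENE_SPECIAL.sub(r"\\\1", text)


def map_condition(field_spec: str, value: str) -> tuple[str, str]:
    """Rewrite one Sigma 'Field|modifier': value pair to (elastic_field, lucene_term).

    Image|endswith: '\\cmd.exe'            -> ('process.name', 'cmd.exe')          exact term
    Image|endswith: '\\System32\\cmd.exe'  -> ('process.executable', '*\\\\System32\\\\cmd.exe')  wildcard kept
    Image|contains: 'foo'                  -> ('process.executable', '*foo*')
    Image: 'C:\\Windows\\cmd.exe'          -> ('process.executable', 'C\\:\\\\Windows\\\\cmd.exe')
    """
    field, _, modifier = field_spec.partition("|")
    if field not in PATH_FIELD:
        raise ValueError(f"no mapping for Sigma field {field!r}")

    if modifier == "endswith":
        basename = value[1:] if value.startswith("\\") else None
        # Only a bare file name after the leading separator can become an exact
        # match on process.name; anything with more path, or a wildcard, cannot.
        if basename and not any(ch in basename for ch in "\\*?"):
            return NAME_FIELD[field], lucene_escape(basename)
        return PATH_FIELD[field], "*" + lucene_escape(value)
    if modifier == "startswith":
        return PATH_FIELD[field], lucene_escape(value) + "*"
    if modifier == "contains":
        return PATH_FIELD[field], "*" + lucene_escape(value) + "*"
    if modifier == "":
        return PATH_FIELD[field], lucene_escape(value)
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_to_query(selection: dict[str, str | list[str]]) -> str:
    """Render a Sigma selection (AND across fields, OR within a value list) as a Lucene query string."""
    clauses = []
    for field_spec, values in selection.items():
        values = values if isinstance(values, list) else [values]
        terms = [f"{f}:{t}" for f, t in (map_condition(field_spec, v) for v in values)]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return " AND ".join(clauses)


# Constructed sample selection in the shape the question describes.
SAMPLE_SELECTION: dict[str, str | list[str]] = {
    "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
    "ParentImage|endswith": "\\Office\\winword.exe",
}

if __name__ == "__main__":
    print(selection_to_query(SAMPLE_SELECTION))
```

Running the module prints `(process.name:cmd.exe OR process.name:powershell.exe) AND process.parent.executable:*\\Office\\winword.exe`: the two bare file names became exact terms on process.name, while the parent value kept a wildcard on process.parent.executable because it still includes a directory. In a real deployment this same decision would live in a pySigma processing pipeline, as the linked article describes, rather than in a standalone script.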