SigmaHQ/tests/test-modifiers.yml

title: Modifier test rule
detection:
    selection:
        field|re: '.*foobar.*'
        encoded|base64: 'This string is Base64 encoded'
        obfuscated|base64offset|contains:
            - 'http://'
            - 'https://'
        allmatch|contains|all:
            - foo
            - bar
            - bla
    condition: selection
Added test case for value modifiers 2019-07-16 21:14:55 +00:00			`title: Modifier test rule`
			`detection:`
			`selection:`
			`field\|re: '.foobar.'`
			`encoded\|base64: 'This string is Base64 encoded'`
			`obfuscated\|base64offset\|contains:`
			`- 'http://'`
			`- 'https://'`
			`allmatch\|contains\|all:`
			`- foo`
			`- bar`
			`- bla`
			`condition: selection`