SigmaHQ/tests/test-modifiers.yml

title: Modifier test rule
logsource:
    product: windows
    service: security
detection:
    selection:
        field|re: '.*foobar.*'
        encoded|wide|base64: 'This string is Base64 encoded'
        obfuscated|base64offset|contains:
            - 'http://'
            - 'https://'
        allmatch|contains|all:
            - foo
            - bar
            - bla
        end|endswith: test
        start|startswith: test
    condition: selection
Added test case for value modifiers 2019-07-16 21:14:55 +00:00			`title: Modifier test rule`
Improved QRadar regular expression support 2019-09-05 13:35:26 +00:00			`logsource:`
			`product: windows`
			`service: security`
Added test case for value modifiers 2019-07-16 21:14:55 +00:00			`detection:`
			`selection:`
			`field\|re: '.foobar.'`
Added encoding modifiers 2019-10-16 21:52:06 +00:00			`encoded\|wide\|base64: 'This string is Base64 encoded'`
Added test case for value modifiers 2019-07-16 21:14:55 +00:00			`obfuscated\|base64offset\|contains:`
			`- 'http://'`
			`- 'https://'`
			`allmatch\|contains\|all:`
			`- foo`
			`- bar`
			`- bla`
Added modifiers: startswith and endswith 2019-11-05 22:04:13 +00:00			`end\|endswith: test`
			`start\|startswith: test`
Added test case for value modifiers 2019-07-16 21:14:55 +00:00			`condition: selection`