Updated - GitHub Action / Test Sigma

rules/network/zeek/zeek_http_exfiltration_compressed_files.yml

@@ -10,8 +10,9 @@ references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/17
 logsource:
     product: zeek
-    service: files
-    service: http
+    service:
+        - files
+        - http
 detection:
     selection1:
         uri:

rules/network/zeek/zeek_http_exfiltration_compressed_files_filtered.yml

@@ -10,8 +10,9 @@ references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/17
 logsource:
     product: zeek
-    service: files
-    service: http
+    service:
+        - files
+        - http
 detection:
     selection1:
         uri:

rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml

@@ -20,7 +20,7 @@ detection:
         LogonType: 3
         ProcessName: '*scrcons.exe' 
     filter:
-        TargetLogonId:  '0x3e7'
+        TargetLogonId: '0x3e7'
     condition: selection and not filter
 falsepositives:
     - SCCM

rules/windows/sysmon/sysmon_new_application_appcompat.yml

@@ -1,6 +1,5 @@
 title: New Application in AppCompat
 id: 60936b49-fca0-4f32-993d-7415edcf9a5d
-status: experimental
 description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
 status: experimental
 date: 2020/05/02

rules/windows/sysmon/sysmon_sysinternals_sdelete_registry_keys.yml

@@ -18,7 +18,7 @@ detection:
         EventID: 12
         EventType: 'CreateKey'
         TargetObject|endswith: '\Software\Sysinternals\SDelete'
-    selection1:
+    selection2:
         EventID: 13
         EventType: 'SetValue'
         TargetObject|contains: '\Software\Sysinternals\SDelete'