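# Sigma rule exercising field-name value modifiers. The title ("Modifier test
# rule") and the absence of id/status/level/description suggest this is a test
# fixture for modifier parsing rather than a production detection — confirm
# before loading it into a live pipeline.
title: Modifier test rule
logsource:
    product: windows
    service: security
detection:
    selection:
        # re: the value is applied as a regular expression. The leading and
        # trailing '.*' add nothing if the backend already searches unanchored,
        # and can cost backtracking on long event fields.
        field|re: '.*foobar.*'
        # wide then base64: the literal is transcoded to UTF-16LE and Base64
        # encoded before comparison, so the rule matches the encoded form
        # rather than the plain text.
        encoded|wide|base64: 'This string is Base64 encoded'
        # base64offset with contains: the substring is tested at all three
        # Base64 alignments, so it is found regardless of where it falls in
        # the encoded stream.
        obfuscated|base64offset|contains:
            - 'http://'
            - 'https://'
        # contains with all: every listed value must be present (AND), not
        # just one of them as a plain list would require.
        allmatch|contains|all:
            - foo
            - bar
            - bla
        end|endswith: test
        start|startswith: test
    condition: selection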