mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
17 lines
394 B
YAML
17 lines
394 B
YAML
title: Modifier test rule
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
field|re: '.*foobar.*'
|
|
encoded|base64: 'This string is Base64 encoded'
|
|
obfuscated|base64offset|contains:
|
|
- 'http://'
|
|
- 'https://'
|
|
allmatch|contains|all:
|
|
- foo
|
|
- bar
|
|
- bla
|
|
condition: selection
|