
Definition of "logsource" values like product or category. #107

@Maspital

Description


Hey,

I am currently using chainsaw + SIGMA to evaluate log datasets and stumbled upon the following issue:
Certain SIGMA rules produce an abnormally high number of false positives, to the point where I suspect that it just triggers on most events. The rule in question is

title: Sysmon Blocked Executable
id: 23b71bc5-953e-4971-be4c-c896cda73fc2
description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
status: experimental
author: Nasreddine Bencherchali
date: 2022/08/16
references:
    - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: file_block
detection:
    selection:
        Image: '*'
    condition: selection
falsepositives:
    - Unlikely
level: high

I think the problem is that the category in question (file_block) is not mapped to anything - where and how can I define this?
In this example, the category should be file_block iff "provider_name": "Microsoft-Windows-Sysmon" and event_id: 27, which would clearly identify the category.

I have a similar problem for several other rules. Am I perhaps misunderstanding how certain things work?

Any help on this would be much appreciated :)
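To make the mapping gap concrete, here is an added example (not chainsaw's or SigmaHQ's code) that evaluates the quoted rule's logsource and selection against three constructed events. The mapping table, field names and sample events are assumptions built from the issue text; it shows that with no entry for the file_block category the `Image: '*'` selection fires on every event, while mapping the category to Sysmon event ID 27 restricts it to the intended events.

```python
from fnmatch import fnmatchcase

# Assumed mapping (not chainsaw's real mapping file): logsource -> event filter.
# Encodes the issue's statement that file_block means Sysmon event ID 27.
CATEGORY_MAP = {
    ("windows", "file_block"): {"provider_name": "Microsoft-Windows-Sysmon", "event_id": 27},
}

# Detection-relevant part of the "Sysmon Blocked Executable" rule quoted above.
RULE = {
    "logsource": {"product": "windows", "category": "file_block"},
    "selection": {"Image": "*"},
}

# Constructed sample events, not real log data.
EVENTS = [
    {"provider_name": "Microsoft-Windows-Sysmon", "event_id": 1, "Image": r"C:\Windows\explorer.exe"},
    {"provider_name": "Microsoft-Windows-Sysmon", "event_id": 27, "Image": r"C:\Users\a\Downloads\tool.exe"},
    {"provider_name": "Microsoft-Windows-Security-Auditing", "event_id": 4624, "Image": r"C:\Windows\System32\lsass.exe"},
]

def selection_matches(selection, event):
    """Sigma-style field match: case-sensitive wildcard compare per field."""
    return all(field in event and fnmatchcase(str(event[field]), str(pattern))
               for field, pattern in selection.items())

def logsource_matches(logsource, event, category_map):
    """Constraint implied by the logsource mapping. An unmapped category adds
    no constraint, so the selection is evaluated against every event."""
    constraint = category_map.get((logsource.get("product"), logsource.get("category")))
    if constraint is None:
        return True
    return all(event.get(k) == v for k, v in constraint.items())

def count_hits(rule, events, category_map):
    """Number of events the rule fires on under a given category mapping."""
    return sum(1 for e in events
               if logsource_matches(rule["logsource"], e, category_map)
               and selection_matches(rule["selection"], e))

if __name__ == "__main__":
    print("unmapped category:", count_hits(RULE, EVENTS, {}))            # 3: every event
    print("mapped category:  ", count_hits(RULE, EVENTS, CATEGORY_MAP))  # 1: Sysmon EID 27 only
```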

Labels: enhancement (New feature or request)