What is the bug?
There is a feature gap for customers when configuring a Sigma rule with a `not` clause. The `not` clause generates a finding if an ingested document does not match the selection specified in the detection section. However, this currently also includes the case where the field named in that selection does not exist at all in the ingested document.
Example of a pre-packaged CloudTrail YAML rule:

```yaml
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
logsource:
  product: cloudtrail
title: AWS Root Credentials
description: Detects AWS root account usage
tags:
  - attack.privilege_escalation
  - attack.t1078.004
falsepositives:
  - >-
    AWS Tasks That Require AWS Account Root User Credentials
    https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
level: medium
status: experimental
references:
  - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html'
author: vitaliy0x1
detection:
  selection_usertype:
    userIdentity.type: Root
  selection_eventtype:
    eventType: AwsServiceEvent
  condition: selection_usertype and not selection_eventtype
```
Example of an ingested document that generates an incorrect finding:

```json
{
  "selection_usertype": "Root"
}
```

The example above generates an incorrect finding because of the `not selection_eventtype` condition: the field `eventType` is not present in the ingested document, so the negated selection is treated as satisfied.
How can one reproduce the bug?
Steps to reproduce the behavior:
- Create a detector with a Sigma rule that has a `not` condition
- Insert a document that does not contain the field referenced by the `not` condition
- An incorrect finding is generated
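The following is an added example, not code from the issue or from the Security Analytics plugin. It re-implements just enough Sigma condition evaluation (map selections, `and`/`or`/`not`, parentheses) to show the two behaviours side by side: the current one, where a `not` selection is satisfied whenever the document does not match it (including when the field is absent), and the proposed one, where a `not` selection cannot be satisfied by a document that lacks the field. The `DETECTION` block is the rule's detection section from the issue; the sample documents are constructed, written with the nested `userIdentity.type` field the rule actually names, and the `require_field_for_not` flag is this example's own name for the proposed behaviour.

```python
"""Evaluate a Sigma detection block under the current and the proposed
semantics for `not`. Added example; not the plugin's own evaluator."""

# Detection section of the "AWS Root Credentials" rule from the issue.
DETECTION = {
    "selection_usertype": {"userIdentity.type": "Root"},
    "selection_eventtype": {"eventType": "AwsServiceEvent"},
    "condition": "selection_usertype and not selection_eventtype",
}

# Constructed sample documents (not real CloudTrail records).
DOC_MISSING_FIELD = {"userIdentity": {"type": "Root"}}               # no eventType at all
DOC_SERVICE_EVENT = {"userIdentity": {"type": "Root"}, "eventType": "AwsServiceEvent"}
DOC_CONSOLE_LOGIN = {"userIdentity": {"type": "Root"}, "eventType": "AwsConsoleSignIn"}
DOC_IAM_USER = {"userIdentity": {"type": "IAMUser"}, "eventType": "AwsApiCall"}


def flatten(doc, prefix=""):
    """Flatten nested JSON into dotted keys so 'userIdentity.type' can be looked up."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def selection_matches(selection, flat):
    """A map selection matches when every field/value pair is present and equal."""
    return all(flat.get(field) == value for field, value in selection.items())


def selection_fields_present(selection, flat):
    """True when every field the selection refers to exists in the document."""
    return all(field in flat for field in selection)


def evaluate(detection, doc, require_field_for_not=False):
    """Evaluate detection['condition'] against doc.

    require_field_for_not=False reproduces the current behaviour (absent field
    satisfies `not`); True implements the behaviour proposed in the issue.
    """
    flat = flatten(doc)
    tokens = detection["condition"].replace("(", " ( ").replace(")", " ) ").split()
    pos = [0]  # cursor into tokens, shared by the nested parsers

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = tokens[pos[0]]
        pos[0] += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()          # always parse the operand to keep the cursor moving
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            if peek() == "(":
                return not parse_atom()  # plain negation of a parenthesised group
            selection = detection[take()]
            if require_field_for_not and not selection_fields_present(selection, flat):
                return False             # proposed: a missing field never satisfies `not`
            return not selection_matches(selection, flat)
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        return selection_matches(detection[tok], flat)

    result = parse_or()
    if pos[0] != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos[0]]!r} in condition")
    return result


def compare_behaviours(detection, docs):
    """Map document name -> (finding under current semantics, finding under proposed semantics)."""
    return {name: (evaluate(detection, d), evaluate(detection, d, require_field_for_not=True))
            for name, d in docs.items()}


if __name__ == "__main__":
    samples = {"missing_field": DOC_MISSING_FIELD, "service_event": DOC_SERVICE_EVENT,
               "console_login": DOC_CONSOLE_LOGIN, "iam_user": DOC_IAM_USER}
    for name, (current, proposed) in compare_behaviours(DETECTION, samples).items():
        print(f"{name:14s} current={current!s:5s} proposed={proposed}")
```

Only `missing_field` differs between the two columns: the current semantics raise a finding for a root-identity document with no `eventType`, the proposed semantics do not, and documents that carry the field are scored identically either way. Note that the document quoted in the issue body uses the selection name `selection_usertype` as its key rather than the rule's field `userIdentity.type`, so it would not match `selection_usertype` in this evaluator; the constructed documents above use the field name.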
What is your host/environment?
- OS: 2.11