Sigma Rule Filtering "OR" #14335
Replies: 2 comments
-
Can you give a practical example of what you are trying to do?
-
Example: With the alert "Driver Load From A Temporary Directory" I can create an exclusion rule to allow certain executables that I know should be performing this activity, but there are a few executables like powershell.exe where it may or may not be normal activity. I would like to put an option in my exclusion where I can list executables that are allowed and also exclude PowerShell events that are using specific temporary directories.
-
Is there a way to add an OR option into your Sigma rule filter?
I would like to have multiple Sigma filters, but only one actual Sigma filter applies to the rule itself, so is there an option to create an OR in that single filter?
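An added example, written for this page and not posted by anyone in the thread, covering both the question (an OR inside one filter) and the "Driver Load From A Temporary Directory" case described in the reply above. It assumes the filter layout from the Sigma specification's filter appendix (`filter.rules` naming the rule ids the filter applies to, named selections, and a `condition`), that a filter's `condition` accepts the same boolean expressions as a rule's `condition`, and the field names `Image` (the loading process) and `ImageLoaded` (the driver path); the rule id, executable names and directory paths are placeholders to replace with your own.

```yaml
# Added example, not part of the original discussion.
# One Sigma meta filter that expresses two independent exclusions with an OR:
#   1. executables that are always allowed to load drivers from Temp, and
#   2. powershell.exe, but only when the driver sits in an approved Temp directory.
title: Filter - Known Benign Driver Loads From Temporary Directories
id: 00000000-0000-0000-0000-000000000000        # placeholder: generate your own UUID
description: >
  Excludes known tools that legitimately load drivers from temporary
  directories, and excludes PowerShell only for a short list of approved
  temporary directories. PowerShell loading a driver from any other Temp
  path still triggers the referenced rule.
logsource:
  product: windows
  category: driver_load
filter:
  rules:
    - 00000000-0000-0000-0000-000000000001      # placeholder: id of "Driver Load From A Temporary Directory"
  # Exclusion 1: processes that are always allowed to do this (constructed names).
  selection_allowed_tools:
    Image|endswith:                             # assumed field name for the loading process
      - '\knowntool.exe'
      - '\vendor_updater.exe'
  # Exclusion 2a: the process that is only sometimes benign.
  selection_powershell:
    Image|endswith: '\powershell.exe'
  # Exclusion 2b: the temporary directories that make PowerShell's driver load acceptable (constructed paths).
  selection_approved_temp:
    ImageLoaded|startswith:                     # assumed field name for the loaded driver path
      - 'C:\Windows\Temp\ApprovedStaging\'
      - 'C:\Users\svc_deploy\AppData\Local\Temp\'
  # The OR lives here: an event is filtered out if it matches either branch.
  condition: selection_allowed_tools or (selection_powershell and selection_approved_temp)
```

When a filter-aware converter applies this filter, the filter's condition is negated and ANDed onto the referenced rule's own condition, so the rule keeps firing for anything that matches neither branch; each further "allowed" case is added as another named selection and joined into the same single condition string rather than as a second filter.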