I'm using the specification sigma-correlation-rules-schema.json to write correlation rules of type "value_count" in Visual Studio Code. According to the documentation, the attribute "field" must be specified within the "condition" section. However, in the current version of the sigma-correlation-rules-schema.json, the attribute "field" is required outside of the condition section.
Here is an example.
This is how it should look according to the documentation:
However, the sigma-correlation-rules-schema.json requires the field attribute outside of condition, which is inconsistent with the documentation:
```yaml
title: Failed login
id: 0e95725d-7320-415d-80f7-004da920fc12
correlation:
    type: value_count
    rules:
        - 5638f7c0-ac70-491d-8465-2a65075e0d86
    group-by:
        - ComputerName
        - WorkstationName
    field: User # required because of sigma-correlation-rules-schema.json
    timespan: 1d
    condition:
        field: User
        gte: 100
```
In my opinion, the schema validation should be updated to reflect that the field attribute belongs inside the condition section when the type is value_count. This is currently being examined:
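As an added example (not code from the issue or from the sigma-specification project), the following Python checker expresses the layout the documentation describes, `field` inside `condition` for a `value_count` correlation, and flags the top-level `field` that the current schema asks for. The two rules are constructed copies of the one posted above, written as Python dicts instead of parsed YAML so the script runs without PyYAML; the operator set and the individual checks are assumptions about what a schema aligned with the documentation would enforce, not the project's actual schema.

```python
"""Check a Sigma value_count correlation rule against the documented layout.

Added example, not part of sigma-specification. The checks are an
assumption of what a schema aligned with the documentation would require;
the sample rules are constructed copies of the rule from the issue.
"""
from __future__ import annotations

from copy import deepcopy

# Comparison operators a value_count condition may carry (assumed set).
CONDITION_OPERATORS = {"gt", "gte", "lt", "lte", "eq", "neq"}

# Constructed rule as the documentation lays it out: 'field' lives in 'condition'.
DOC_RULE = {
    "title": "Failed login",
    "id": "0e95725d-7320-415d-80f7-004da920fc12",
    "correlation": {
        "type": "value_count",
        "rules": ["5638f7c0-ac70-491d-8465-2a65075e0d86"],
        "group-by": ["ComputerName", "WorkstationName"],
        "timespan": "1d",
        "condition": {"field": "User", "gte": 100},
    },
}

# Constructed rule as the current schema forces it: an extra top-level 'field'.
SCHEMA_RULE = deepcopy(DOC_RULE)
SCHEMA_RULE["correlation"]["field"] = "User"


def check_value_count(rule: dict) -> list[str]:
    """Return problems found; an empty list means the documented layout is met."""
    problems: list[str] = []
    corr = rule.get("correlation")
    if not isinstance(corr, dict):
        return ["missing 'correlation' section"]
    if corr.get("type") != "value_count":
        return [f"not a value_count rule (type={corr.get('type')!r})"]

    # Sections every correlation rule needs (assumed minimal set).
    for key in ("rules", "group-by", "timespan", "condition"):
        if key not in corr:
            problems.append(f"correlation.{key} is missing")

    cond = corr.get("condition")
    if isinstance(cond, dict):
        if "field" not in cond:
            problems.append("condition.field is missing (value_count counts distinct values of this field)")
        if not CONDITION_OPERATORS & cond.keys():
            problems.append("condition has no comparison operator (e.g. gte)")
    elif cond is not None:
        problems.append("condition must be a mapping")

    # The documentation places 'field' inside 'condition'; a top-level copy
    # is what the current schema demands, so report it as a layout mismatch.
    if "field" in corr:
        problems.append("correlation.field is set; the documentation places 'field' inside 'condition'")
    return problems


if __name__ == "__main__":
    for name, rule in (("documented layout", DOC_RULE), ("schema-forced layout", SCHEMA_RULE)):
        print(f"{name}: {check_value_count(rule) or 'OK'}")
```

For a real rule file, load it with `yaml.safe_load` and validate it against the repository's sigma-correlation-rules-schema.json with the `jsonschema` package; the checker above only encodes the single point the issue is about.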