String Exclusions for Hunt Function

[PeterCottontail2023]

Greetings, I've been using Chainsaw for over a year now and it has been wonderfully useful. One suggestion. If it is possible to incorporate a string exclusion into the Hunt feature this would allow effective preemptory whitelisting which would reduce the number of returned results. For instance, EDR, AV, or other security applications frequently trigger relevant Sigma rules. Adding a simple exclusion capability would be tremendously beneficial.

[alexkornitzer]

Hey, would you be able to provide me with an example cause I am not totally sure what you are asking for. Currently we can already do two kinds of whitelisting with Sigma based rules...

Ignoring Rules Complety

# mapping file

...

exclusions:
- Defense evasion via process reimaging
- Exports Registry Key To an Alternate Data Stream
- NetNTLM Downgrade Attack
- Non Interactive PowerShell

...

Using a Group Filter

# mapping file

...


groups:
  - name: Sigma
    timestamp: Event.System.TimeCreated
    filter:
      not(Provider):
        - foobar
        - a really noisy provider

...