@0xtf
Created May 1, 2020 19:19
example of literals definition
literals:
- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*))
- ((aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin") OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
- ((aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin") OR (aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*))