0xtf/sigma-overrides-config.yaml

## sigma-overrides-config.yaml
overrides:
  - field: event.outcome
    value: failure
    regexes:
      - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
      - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
      - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))
  - field: event.outcome
    value: success
    literals:
      - 'NOT (event.outcome:failure)'
	overrides:
	- field: event.outcome
	value: failure
	regexes:
	- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
	- (\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(aws.cloudtrail.response_elements.keyword:\Failure\.* aws.cloudtrail.error_code.keyword:\*\)\))
	- field: event.outcome
	value: success
	literals:
	- 'NOT (event.outcome:failure)'