Event Action data missing apostrophes

[djlukic]

Rule UUID

cde0a575-7d3d-4a49-9817-b8004a7bf105

Example EventLog

RuleId {5B6F0B20-15BF-437D-B5EA-AF499B23FF4A}
RuleName @{Microsoft.YourPhone_1.24072.111.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.YourPhone/Resources/AppName}
Origin 1
ApplicationPath
ServiceName
Direction 2
Protocol 256
LocalPorts
RemotePorts
Action 2
Profiles 2147483647
LocalAddresses *
RemoteAddresses *
RemoteMachineAuthorizationList
RemoteUserAuthorizationList
EmbeddedContext @{Microsoft.YourPhone_1.24072.111.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.YourPhone/Resources/AppName}
Flags 1
Active 1
EdgeTraversal 0
LooseSourceMapped 0
SecurityOptions 0
ModifyingUser S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
ModifyingApplication C:\Windows\System32\svchost.exe
SchemaVersion 542
RuleStatus 65536
LocalOnlyMapped 0
PolicyAppId

Description

Hi,

I was testing this rule and it seems it needs apostrophes around 2, otherwise that condition is not valued.

    filter_main_block:
        Action: 2 # Block

it should be

    filter_main_block:
        Action: '2' # Block

Please correct me if I am wrong as I am still learning Sigma. Thank you!

[github-actions]

Welcome @djlukic 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

[nasbench]

Hi @djlukic,

How did you find that it's not evaluated? TheAction value is an integer and not a string, so it should be correct. Can you please share more info on your setup?

[djlukic]

Hi. I used a custom tool that was supposed to convert this to Golang like script but integer was not properly parsed apparently. Thank you for your guidance.

[nasbench]

Hi. I used a custom tool that was supposed to convert this to Golang like script but integer was not properly parsed apparently. Thank you for your guidance.

So is this an issue from your side? or how do we proceed?

[djlukic]

Yes, issue was on my side.