Thus rules are more complicated because the object pathways are more complicated, even though you already handle the grouping and other conditions, for example:
```
[email-message:from_ref.value MATCHES '.+\@example\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\.exe$']

([file:name = 'foo.dll'] AND [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\foo\bar']) OR [process:image_ref.name = 'fooproc' OR process:image_ref.name = 'procfoo']

[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.33/32']

([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\foo\bar']) WITHIN 300 SECONDS

[user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary']
```
Obviously I could give you many more examples, but the main difficulty appears to be selecting an object-variable pathway, like object:property.sub-property.sub-sub-property, before selecting the comparison operator and the variable or wildcard system. All I need to do is to build those complex queries, and then in the back end I have a full grammar processing engine to process the query.
Assume I already have the data model (lists, linked lists, dicts etc.) to drive this object-variable pathway dynamically on the user interface. Is it:

1. Possible to build these more complex variables in your query builder, assuming I have the data model, so one can first select the object, then the property, then the sub-property and so on, before selecting the comparison operator and the value?
2. Possible for you to give us a sketch of how to go about this?
We love the rest of your toolset, but making the variables more complex appears tricky.
Can you help please?
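To make the request concrete, here is an added sketch (my own code, not from the issue author or the query-builder project) of the back-end side: a constructed slice of the STIX object model drives path selection (object, then property, then sub-property), every path is validated against that model before a comparison operator is attached, and user-supplied values are escaped so they cannot break out of the string literal and inject pattern syntax. The model contents and function names are assumptions for illustration.

```python
# Constructed slice of the STIX 2.1 Cyber Observable model (not the full model):
# None marks a leaf property, a nested dict marks a sub-property level.
STIX_MODEL = {
    "file": {"name": None, "hashes": {"MD5": None, "SHA-256": None}},
    "process": {"image_ref": {"name": None}},
    "network-traffic": {"dst_ref": {"type": None, "value": None}},
    "user-account": {"account_type": None, "user_id": None, "account_login": None},
}
# Comparison operators defined by STIX patterning.
COMPARISON_OPS = {"=", "!=", ">", "<", "<=", ">=", "IN", "LIKE",
                  "MATCHES", "ISSUBSET", "ISSUPERSET"}

def object_path(object_type: str, *parts: str) -> str:
    """Walk the model to validate object_type:prop.sub_prop... and return it as text."""
    node = STIX_MODEL.get(object_type)
    if node is None:
        raise ValueError(f"unknown STIX object type: {object_type}")
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            raise ValueError(f"unknown property {part!r} in {object_type}:{'.'.join(parts)}")
        node = node[part]
    if node is not None:
        raise ValueError("path must end at a leaf property, not at an object level")
    return f"{object_type}:{'.'.join(parts)}"

def literal(value: str) -> str:
    """Single-quote a STIX string literal; backslash and quote are escaped so a
    value typed into the UI cannot close the literal and alter the pattern."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def comparison(path: str, op: str, value: str) -> str:
    if op not in COMPARISON_OPS:
        raise ValueError(f"unsupported comparison operator: {op}")
    return f"{path} {op} {literal(value)}"

def observation(*comparisons: str, join: str = "AND") -> str:
    """One observation expression: comparisons joined inside square brackets."""
    return "[" + f" {join} ".join(comparisons) + "]"

def followed_by_within(first: str, second: str, seconds: int) -> str:
    return f"({first} FOLLOWEDBY {second}) WITHIN {seconds} SECONDS"

def hash_then_process(md5: str, image_name: str) -> str:
    """A rule in the shape of the issue's examples: file hash seen, then a process, within 300 s."""
    return followed_by_within(
        observation(comparison(object_path("file", "hashes", "MD5"), "=", md5)),
        observation(comparison(object_path("process", "image_ref", "name"), "=", image_name)),
        300,
    )
```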
Please see attached a reference card describing the Stix Pattern Rules standard, for your interest.
Please do not get put off by the complexity. The main issue remains selecting objects, properties, sub-properties and so on before the comparison operator.
If you can help me do this, then I can easily handle the complexity of handling lists and dicts in addition to discrete values. Plus, from a geeky perspective, if you can do this one, then I can bring many more cyber security rule sets to your tool, like Sigma, Yara etc., which is pretty exciting.
We really love your tool, but currently all of the flexibility lies in what happens after one selects an id variable, like category or name.
However, I want to use the system to write Stix Pattern rules for cyber security. In this, my id variables are actually object pathways, like: