Exclusions in a Sigma rule

The content of Sigma rules supplied with the application databases is unavailable to the user. This is because the triggering conditions for these rules are Kaspersky's intellectual property and cannot be disclosed.

In the editor for a Sigma rule supplied with the application databases, you can only add exclusions to the rule, by specifying exclusion settings in the detection section.

The exclusion template is defined as follows:

    detection:
      exclude1:
        - ...
      condition: not 1 of exclude*

In this template, exclusions are defined as selections whose names begin with exclude, and the rule triggers only when the conditions hidden from the user are satisfied and none of the specified exclusions match.

For example:

    detection:
      exclude1:
        Image|endswith:
          - '\chrome.exe'
          - '\tor.exe'
      exclude2:
        QueryName|endswith: 'api.parsec.app'
      condition: not 1 of exclude*
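The following Python script is an added illustration of how the exclusion logic above is evaluated; it is not part of the product or of the Sigma project. It models the hidden vendor condition as a boolean, implements the |endswith, |startswith and |contains field modifiers and the "1 of exclude*" selection wildcard, and runs the example's exclusion block against a few constructed events. The detection block is written as an already-parsed Python dict (the equivalent of the YAML above) so that the script runs without PyYAML; the event field values are constructed sample data.

```python
import fnmatch
from typing import Any, Dict, List

# Parsed equivalent of the example exclusion block from the page,
# constructed here as a dict so the script needs no YAML library.
DETECTION: Dict[str, Any] = {
    "exclude1": {
        "Image|endswith": ["\\chrome.exe", "\\tor.exe"],
    },
    "exclude2": {
        "QueryName|endswith": "api.parsec.app",
    },
    "condition": "not 1 of exclude*",
}

# Constructed sample events (hypothetical paths and domains, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "cdn.example.invalid"},
    {"Image": "C:\\Users\\u\\tools\\app.exe", "QueryName": "api.parsec.app"},
    {"Image": "C:\\Users\\u\\tools\\app.exe", "QueryName": "updates.example.invalid"},
    # Ends with "chrome.exe" but not "\chrome.exe": must NOT be excluded.
    {"Image": "C:\\Users\\u\\tools\\notchrome.exe", "QueryName": "cdn.example.invalid"},
]


def match_one(value: Any, modifier: str, pattern: Any) -> bool:
    """Compare one field value against one pattern using a Sigma-style modifier.
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A map-style selection matches when every field entry matches (AND);
    a list of values under one field matches when any value matches (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if field not in event:
            return False  # missing field can never satisfy the entry
        if not any(match_one(event[field], modifier, p) for p in patterns):
            return False
    return True


def any_exclusion_matches(detection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Implements '1 of exclude*': true if at least one selection whose name
    matches the glob 'exclude*' matches the event."""
    names = [n for n in detection if n != "condition" and fnmatch.fnmatch(n, "exclude*")]
    return any(selection_matches(detection[n], event) for n in names)


def rule_fires(hidden_condition_hit: bool, detection: Dict[str, Any],
               event: Dict[str, Any]) -> bool:
    """The effective condition: hidden vendor logic AND 'not 1 of exclude*'.
    The hidden part is not visible to the user, so it is modelled as a flag."""
    return hidden_condition_hit and not any_exclusion_matches(detection, event)


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, "fires" if rule_fires(True, DETECTION, ev) else "suppressed by exclusion")
```

Events 0 and 1 are suppressed (by exclude1 and exclude2 respectively), event 2 fires, and event 3 fires because the trailing-backslash anchor in '\chrome.exe' keeps a differently named binary from matching. The hidden condition still gates everything: when it is not satisfied the rule does not fire regardless of the exclusions.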
