From 3f11e426bad4319c87d8ce060e0a52a04850eca8 Mon Sep 17 00:00:00 2001
From: kazuminn
Date: Thu, 9 Dec 2021 01:06:50 +0900
Subject: [PATCH] add test rule file

---
 test_files/rules/exclude_rules/1.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 test_files/rules/exclude_rules/1.yml

diff --git a/test_files/rules/exclude_rules/1.yml b/test_files/rules/exclude_rules/1.yml
new file mode 100644
index 00000000..76e3e73d
--- /dev/null
+++ b/test_files/rules/exclude_rules/1.yml
@@ -0,0 +1,19 @@
+title: Sysmon Check command lines
+id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
+description: hogehoge
+enabled: true
+author: Yea
+logsource:
+ product: windows
+detection:
+ selection:
+ EventLog: Sysmon
+ EventID: 1
+ CommandLine: '*'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8
\ No newline at end of file
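Review bot: The `output` line uses the yen sign `¥n` (U+00A5) where a backslash-n separator is almost certainly intended, so the rendered alert text would carry a literal `¥n` between CommandLine and ParentImage rather than a line break, if the rule engine treats `\n` in that field as a separator; `output: 'CommandLine=%CommandLine%\nParentImage=%ParentImage%'` would match the convention this likely follows. Even as a fixture for exclude-rule tests, a mis-encoded separator makes the expected output harder to assert against. The `id :` key has a stray space before the colon that the other keys do not, which YAML tolerates but is inconsistent with the rest of the file, and the file lacks a trailing newline. The dates (`2020/11/8`) are unquoted and will be parsed as plain strings; fine if the loader expects that, but worth confirming.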