fixed test

test_files/rules/yaml/exclude1.yml

@@ -1,5 +1,5 @@
-title: Sysmon Check command lines
+title: Excluded Rule Test 1
-id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
+id : 00000000-0000-0000-0000-000000000000
 description: hogehoge
 enabled: true
 author: Yea

test_files/rules/yaml/exclude2.yml

@@ -1,13 +1,10 @@
-title: Possible Exploitation of Exchange RCE CVE-2021-42321
+title: Excluded Rule 2
-author: Florian Roth, @testanull
 date: 2021/11/18
-description: Detects log entries that appear in exploitation attempts against MS Exchange
-  RCE CVE-2021-42321
 detection:
   condition: 'Cmdlet failed. Cmdlet Get-App, '
 falsepositives:
 - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
-id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
+id: 00000000-0000-0000-0000-000000000000
 level: critical
 logsource:
   product: windows
@@ -15,7 +12,4 @@ logsource:
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
 status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1210
 ruletype: SIGMA

test_files/rules/yaml/exclude3.yml

@@ -1,8 +1,5 @@
-title: Hidden Local User Creation
+title: Excluded Rule 3
-author: Christian Burkard
 date: 2021/05/03
-description: Detects the creation of a local hidden user account which should not
-  happen for event ID 4720.
 detection:
   SELECTION_1:
     EventID: 4720
@@ -14,7 +11,7 @@ falsepositives:
 fields:
 - EventCode
 - AccountName
-id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+id: 00000000-0000-0000-0000-000000000000
 level: high
 logsource:
   product: windows
@@ -22,7 +19,4 @@ logsource:
 references:
 - https://twitter.com/SBousseaden/status/1387743867663958021
 status: experimental
-tags:
-- attack.persistence
-- attack.t1136.001
 ruletype: SIGMA

test_files/rules/yaml/exclude4.yml

@@ -1,8 +1,5 @@
-title: User Added to Local Administrators
+title: Excluded Rule 4
-author: Florian Roth
 date: 2017/03/14
-description: This rule triggers on user accounts that are added to the local Administrators
-  group, which could be legitimate activity or a sign of privilege escalation activity
 detection:
   SELECTION_1:
     EventID: 4732
@@ -13,18 +10,11 @@ detection:
   SELECTION_4:
     SubjectUserName: '*$'
   condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and  not (SELECTION_4))
-falsepositives:
+id: 00000000-0000-0000-0000-000000000000
-- Legitimate administrative activity
-id: c265cf08-3f99-46c1-8d59-328247057d57
 level: medium
 logsource:
   product: windows
   service: security
 modified: 2021/07/07
 status: stable
-tags:
-- attack.privilege_escalation
-- attack.t1078
-- attack.persistence
-- attack.t1098
 ruletype: SIGMA

test_files/rules/yaml/exclude5.yml

@@ -1,9 +1,5 @@
-title: Local User Creation
+title: Excluded Rule 5
-author: Patrick Bareiss
 date: 2019/04/18
-description: Detects local user creation on windows servers, which shouldn't happen
-  in an Active Directory environment. Apply this Sigma Use Case on your windows server
-  logs and not on your DC logs.
 detection:
   SELECTION_1:
     EventID: 4720
@@ -15,7 +11,7 @@ fields:
 - EventCode
 - AccountName
 - AccountDomain
-id: 66b6be3d-55d0-4f47-9855-d69df21740ea
+id: 00000000-0000-0000-0000-000000000000
 level: low
 logsource:
   product: windows
@@ -24,8 +20,4 @@ modified: 2020/08/23
 references:
 - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 status: experimental
-tags:
-- attack.persistence
-- attack.t1136
-- attack.t1136.001
 ruletype: SIGMA

test_files/rules/yaml/noisy1.yml

@@ -1,7 +1,5 @@
-title: WMI Event Subscription
+title: Noisy Rule Test1
-author: Tom Ueltschi (@c_APT_ure)
 date: 2019/01/12
-description: Detects creation of WMI event subscription persistence method
 detection:
   SELECTION_1:
     EventID: 19
@@ -12,7 +10,7 @@ detection:
   condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
 falsepositives:
 - exclude legitimate (vetted) use of WMI event subscription in your network
-id: 0f06a3a5-6a09-413f-8743-e6cf35561297
+id: 0090ea60-f4a2-43a8-8657-3a9a4ddcf547
 level: high
 logsource:
   category: wmi_event

test_files/rules/yaml/noisy2.yml

@@ -1,9 +1,6 @@
-title: Rare Schtasks Creations
+title: Noisy Rule Test2
-author: Florian Roth
 date: 2017/03/23
-description: Detects rare scheduled tasks creations that only appear a few times per
+description: excluded rule
-  time frame and could reveal password dumpers, backdoor installs or other types of
-  malicious code
 detection:
   SELECTION_1:
     EventID: 4698
@@ -11,21 +8,6 @@ detection:
 falsepositives:
 - Software installation
 - Software updates
-id: b0d77106-7bb0-41fe-bd94-d1752164d066
+id: 8b8db936-172e-4bb7-9f84-ccc954d51d93
 level: low
-logsource:
-  definition: The Advanced Audit Policy setting Object Access > Audit Other Object
-    Access Events has to be configured to allow this detection (not in the baseline
-    recommendations by Microsoft). We also recommend extracting the Command field
-    from the embedded XML in the event data.
-  product: windows
-  service: security
-status: experimental
-tags:
-- attack.execution
-- attack.privilege_escalation
-- attack.persistence
-- attack.t1053
-- car.2013-08-001
-- attack.t1053.005
 ruletype: SIGMA

test_files/rules/yaml/noisy3.yml

@@ -1,26 +1,13 @@
-title: Rare Service Installs
+title: Noisy Rule Test 3
-author: Florian Roth
 date: 2017/03/08
-description: Detects rare service installs that only appear a few times per time frame
-  and could reveal password dumpers, backdoor installs or other types of malicious
-  services
 detection:
   SELECTION_1:
     EventID: 7045
   condition: SELECTION_1 | count() by ServiceFileName < 5
-falsepositives:
+id: 1703ba97-b2c2-4071-a241-a16d017d25d3
-- Software installation
-- Software updates
-id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
 level: low
 logsource:
   product: windows
   service: system
 status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1050
-- car.2013-09-005
-- attack.t1543.003
 ruletype: SIGMA

test_files/rules/yaml/noisy4.yml

@@ -1,8 +1,5 @@
-title: Failed Logins with Different Accounts from Single Source System
+title: Noisy Rule Test 4
-author: Florian Roth
 date: 2017/01/10
-description: Detects suspicious failed logins with different user accounts from a
-  single source system
 detection:
   SELECTION_1:
     EventID: 529
@@ -14,20 +11,11 @@ detection:
     WorkstationName: '*'
   condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName)
     by WorkstationName > 3
-falsepositives:
+id: 9f5663ce-6205-4753-b486-fb8498d1fae5
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 level: medium
 logsource:
   product: windows
   service: security
 modified: 2021/09/21
 status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1078
 ruletype: SIGMA

test_files/rules/yaml/noisy5.yml

@@ -1,8 +1,5 @@
-title: Failed Logins with Different Accounts from Single Source System
+title: Noisy Rule Test 5
-author: Florian Roth
 date: 2017/01/10
-description: Detects suspicious failed logins with different user accounts from a
-  single source system
 detection:
   SELECTION_1:
     EventID: 4776
@@ -12,23 +9,11 @@ detection:
     Workstation: '*'
   condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName)
     by Workstation > 3
-falsepositives:
+id: 3546ce10-19b4-4c4c-9658-f4f3b5d27ae9
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
 level: medium
 logsource:
   product: windows
   service: security
 modified: 2021/09/21
-related:
-- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
-  type: derived
 status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1078
 ruletype: SIGMA