title: Check for unsigned EXEs/DLLs
description: hogehoge
enabled: true
author: Yea
logsource:
    product: windows
detection:
    selection:
        Channel: Sysmon
        EventID: 7 # Sysmon "Image loaded" event
        Signed: "false" # Compare by string
    # condition: selection
falsepositives:
    - unknown
level: low
output: 'Message: Unsigned Image(DLL)¥n Result : Loaded by: %event_data.Image%¥nCommand : %event_data.ImageLoaded%'
creation_date: 2020/11/8
updated_date: 2020/11/8