Windows Event Data section #21

frack113 · 2022-10-26T04:27:50Z

frack113
Oct 26, 2022
Maintainer

Ref SigmaHQ/sigma#3622
Some Windows Eventid don't have field name.
data field name should be add to Taxonomy_1_2_0.md.

phantinuss · 2022-11-01T11:59:12Z

phantinuss
Nov 1, 2022
Maintainer

I am not sure I understand correctly. The rule in question just uses a keyword search and does not specify on which EventID it should match. I don't see an issue with the rule.

What would the data field name be and what would be its purpose/what would it map to?

8 replies

nasbench Nov 1, 2022
Maintainer

The issue with the keyword is you can't use modifiers and most of the time when we write rules for this we use a combination of stuff. And "Data" is actually a field in the Event.

Example:

b3d57a5c-c92e-4b48-9a79-5f124b7cf964
7f103213-a04e-4d59-8261-213dddf22314

phantinuss Nov 1, 2022
Maintainer

It is an unnamed field. Every event data is inside a data element. So it is still unstructured data and the field can (and does) exist multiple times. I am not sure if that itself is an issue.

thomaspatzke Nov 1, 2022
Maintainer

The issue with the keyword is you can't use modifiers

Wrong 😉

detection:
    selection:
        |contains: value

Does the trick 😉

Regarding the main question, I'm a bit confused about the Data element. Partially they seem to be named, e.g. here for Security/4688 with <Data Name="..."> here I think the usage of the field name from the Name attribute is already practiced a lot in open source Sigma rules. On the other side the Data elements can also be unnamed, like described here. I assume this discussion is about the latter case.

From my perspective, it would be consistent to use Data for such cases as Sigma field name. This should be documented as special case in the taxonomy documentation and that it must be handled accordingly by rule preprocessingt or conversion backends, E.g. in Splunk this can be simply accomplished by mapping to EventData_Xml.

phantinuss Nov 2, 2022
Maintainer

We need to clarify this special case in the spec then as well:
https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_1_0_1.md#field-usage
In my opinion this should be 3. iii) then.

thomaspatzke Nov 28, 2022
Maintainer

Argh...we should stop to do versioning with file names (link was broken) 😐

I think this is more appropriate in the modifiers section because this is where the special case applies. Normal keyword detections are expressed as list. Or in both places (despite the fact I dislike redundancy), such that it doesn't gets missed.

nasbench · 2025-11-12T17:36:40Z

nasbench
Nov 12, 2025
Maintainer

This has been resolved and sigma rules in the repo have been modified.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Windows Event Data section #21

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 8 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Windows Event Data section #21

Uh oh!

frack113 Oct 26, 2022 Maintainer

Replies: 2 comments · 8 replies

Uh oh!

phantinuss Nov 1, 2022 Maintainer

Uh oh!

nasbench Nov 1, 2022 Maintainer

Uh oh!

Uh oh!

phantinuss Nov 1, 2022 Maintainer

Uh oh!

thomaspatzke Nov 1, 2022 Maintainer

Uh oh!

phantinuss Nov 2, 2022 Maintainer

Uh oh!

thomaspatzke Nov 28, 2022 Maintainer

Uh oh!

nasbench Nov 12, 2025 Maintainer

frack113
Oct 26, 2022
Maintainer

Replies: 2 comments 8 replies

phantinuss
Nov 1, 2022
Maintainer

nasbench Nov 1, 2022
Maintainer

phantinuss Nov 1, 2022
Maintainer

thomaspatzke Nov 1, 2022
Maintainer

phantinuss Nov 2, 2022
Maintainer

thomaspatzke Nov 28, 2022
Maintainer

nasbench
Nov 12, 2025
Maintainer