value comparison #62

trend-jason-x-lin · 2023-02-13T02:52:15Z

trend-jason-x-lin
Feb 13, 2023

Hi all,

Is there a way to compare column values with specific values such as EventId > 10?
I saw there is an aggregation with the comparison (count(UserName) by SourceWorkstation > 3) but I don't need aggregation.
Thanks!

Answered by thomaspatzke

Feb 16, 2023

Yes, the very basic version of a detection item compares to a specific value: EventID: 10. Modifiers can be used to add numeric conditions, e.g. EventID|gt: 10 does exactly what you describe above.

View full answer

trend-jason-x-lin · 2023-02-15T09:31:29Z

trend-jason-x-lin
Feb 15, 2023
Author

Duplicate with discussion https://github.com/SigmaHQ/sigma/discussions/4035 here.

0 replies

thomaspatzke · 2023-02-16T22:17:37Z

thomaspatzke
Feb 16, 2023
Maintainer

Yes, the very basic version of a detection item compares to a specific value: EventID: 10. Modifiers can be used to add numeric conditions, e.g. EventID|gt: 10 does exactly what you describe above.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

value comparison #62

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

value comparison #62

trend-jason-x-lin Feb 13, 2023

Replies: 2 comments

trend-jason-x-lin Feb 15, 2023 Author

thomaspatzke Feb 16, 2023 Maintainer

trend-jason-x-lin
Feb 13, 2023

trend-jason-x-lin
Feb 15, 2023
Author

thomaspatzke
Feb 16, 2023
Maintainer