
Fix eventlog clear false-positive filter scope#6038

Open
srkyn wants to merge 1 commit into SigmaHQ:master from srkyn:fix-eventlog-clear-filter-scope

Conversation

@srkyn srkyn commented Jun 1, 2026


Summary

This updates one existing Windows process creation rule:

rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

The current condition is parsed so the filter_main_msiexec false-positive filter only applies to the WMI branch:

A or B or C and not filter

Because and binds tighter than or, the filter does not apply to the wevtutil or PowerShell branches. This PR groups the three detection branches first, then applies the filter to the full expression:

(A or B or C) and not filter

It also fixes a nearby comment typo: uset to used.

Validation

sigma check rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

Result:

Found 0 errors, 0 condition errors and 0 issues.
No rule errors found.
No condition errors found.
No validation issues found.

Scope

This PR intentionally touches one existing rule only. No new rules are added.
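To make the precedence point concrete, here is an added example (not code from the SigmaHQ rule, the PR, or pySigma): a minimal evaluator for Sigma-style conditions that parses `not` above `and` above `or`, renders the grouping the parser actually produced, and runs both condition strings over constructed process-creation events. The selection contents, the field values and the event samples are simplified stand-ins (single case-insensitive `contains` per field), not the real rule's selections; the WMI selection is placed last so the condition shape matches the PR description.

```python
"""
Added example: why "A or B or C and not filter" differs from
"(A or B or C) and not filter" under Sigma condition precedence.

Sigma precedence, highest first: not, and, or.
Everything below is constructed for illustration; the selection
definitions are NOT those of proc_creation_win_susp_eventlog_clear.yml.
"""
import re

# Constructed stand-ins for the three detection branches and the filter.
# A selection matches when every listed field contains its substring
# (case-insensitive). Real Sigma modifiers and value lists are omitted.
SELECTIONS = {
    "selection_wevtutil":   {"CommandLine": "wevtutil"},
    "selection_powershell": {"CommandLine": "Clear-EventLog"},
    "selection_wmi":        {"CommandLine": "cleareventlog"},
    "filter_main_msiexec":  {"ParentImage": r"\msiexec.exe"},
}

ORIGINAL = ("selection_wevtutil or selection_powershell or selection_wmi "
            "and not filter_main_msiexec")
FIXED = ("(selection_wevtutil or selection_powershell or selection_wmi) "
         "and not filter_main_msiexec")

TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_][A-Za-z0-9_]*")


def tokenize(condition):
    return TOKEN_RE.findall(condition)


def parse_condition(tokens):
    """Recursive-descent parser: or -> and -> not -> atom."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        if peek() == "not":
            take()
            return ("not", parse_not())
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok not in SELECTIONS:
            raise ValueError(f"unknown selection {tok!r}")
        return ("sel", tok)

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return tree


def render(tree):
    """Fully parenthesized form, to show how the parser grouped things."""
    kind = tree[0]
    if kind == "sel":
        return tree[1]
    if kind == "not":
        return "not " + render(tree[1])
    return f"({render(tree[1])} {kind} {render(tree[2])})"


def selection_matches(name, event):
    return all(needle.lower() in str(event.get(field, "")).lower()
               for field, needle in SELECTIONS[name].items())


def evaluate(tree, event):
    kind = tree[0]
    if kind == "sel":
        return selection_matches(tree[1], event)
    if kind == "not":
        return not evaluate(tree[1], event)
    if kind == "and":
        return evaluate(tree[1], event) and evaluate(tree[2], event)
    return evaluate(tree[1], event) or evaluate(tree[2], event)


def rule_fires(condition, event):
    return evaluate(parse_condition(tokenize(condition)), event)


# Constructed sample events (not real telemetry).
EVENTS = {
    "wevtutil_under_msiexec": {"CommandLine": "wevtutil.exe cl Security",
                               "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    "wmi_under_msiexec": {"CommandLine": "wmic.exe nteventlog where filename='Security' call cleareventlog",
                          "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    "wevtutil_under_cmd": {"CommandLine": "wevtutil.exe cl Security",
                           "ParentImage": r"C:\Windows\System32\cmd.exe"},
    "benign": {"CommandLine": r"notepad.exe C:\notes.txt",
               "ParentImage": r"C:\Windows\explorer.exe"},
}

if __name__ == "__main__":
    for label, cond in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label}: {render(parse_condition(tokenize(cond)))}")
        for name, event in EVENTS.items():
            print(f"  {name:24s} fires={rule_fires(cond, event)}")
```

Running it shows the original condition grouped as `((selection_wevtutil or selection_powershell) or (selection_wmi and not filter_main_msiexec))`, so a wevtutil invocation under msiexec.exe still fires, while the parenthesized condition suppresses it and leaves the non-msiexec cases unchanged.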

@github-actions github-actions Bot commented Jun 1, 2026

Welcome 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Jun 1, 2026
@srkyn srkyn force-pushed the fix-eventlog-clear-filter-scope branch from e15c828 to 549110a on June 8, 2026 14:48
