Move null values out from list in rules

2020-05-05 09:04:47 +02:00
parent 022d73f842
commit 84dd8c39c4
1 changed files with 5 additions and 5 deletions
@@ -17,11 +17,11 @@ logsource:
 detection:
    selection:
        EventID: 15
-    filter:
-        Imphash: 
-            - '00000000000000000000000000000000'
-            - null
-    condition: selection and not filter
+    filter1:
+        Imphash: '00000000000000000000000000000000'
+    filter2:
+        Imphash: null
+    condition: selection and not 1 of filter*
 fields:
    - TargetFilename
    - Image