-
|
I need to track some false positive/negative events in my sigma rules, can I add a new field like "test" (similar to "references" field)? Or I can only use the standard SIGMA fields? I don't want to add those test event info under "references" field. In other words, is there any restriction for adding customised fields? Thanks |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hi, You can add as many fields as you like for your internal needs. The SIGMA specification lists the fields that are currently supported and approved by the SigmaHQ team to work with different toolings such as PySIGMA or SIGMAC. |
Beta Was this translation helpful? Give feedback.
-
|
Great! Thanks @nasbench for the quick clarification! |
Beta Was this translation helpful? Give feedback.
-
|
No worries. |
Beta Was this translation helpful? Give feedback.
Hi,
You can add as many fields as you like for your internal needs. The SIGMA specification lists the fields that are currently supported and approved by the SigmaHQ team to work with different toolings such as PySIGMA or SIGMAC.