OpenSearch Sigma rules are case sensitive?

Versions (relevant - OpenSearch) - 2.15

I have set up a security analytics detector, which looks for Windows rules.
One of the Sigma rules, Detects Pandemic Windows Implant, searches for a path in the TargetObject field.

I wish to know: are these rules case sensitive or case insensitive?
(Does the OpenSearch security analytics plugin treat it as case sensitive or insensitive?)

@gaobinlong, @pablo, @Gsmitt can you help with this?
@lejbl @dragsu can you help with this?

The OpenSearch rule for Windows detection, the Pandemic Registry Key rule, is

TargetObject|contains: \SYSTEM\CurrentControlSet\services\null\Instance

But in the actual value I am getting it as
\System\CurrentControlSet\Services\Null\Instance\ (different casing)

and the detector is not alerting because of this.

I had set a custom rule matching the case of my value which enables the detector to fire.

Is there any other way, maybe by adjusting the mapping or anything, so that it can trigger this rule and not consider case sensitivity?
