Learn about the Sigma detection constructs that cause format conversion to fail, even when a logsource is supported.
Supported field modifiers
Only the following field modifiers (the part after | in a field name) are supported: contains, startswith, endswith, re, and exists. Any other modifier (including all, windash, base64offset, fieldref, and re|i) causes an error. You must remove or edit the affected condition before importing.
keywords detection is not supported
The keywords construct performs a full-text search across all log fields without targeting a specific field and is not supported in custom filters.
    # Keyword detection is not supported
    detection:
      keywords:
        - '/Basic/Command/Base64/'
        - '/Basic/ReverseShell/'
      condition: keywords
Other syntax errors
The following field conditions in the detection block also cause format conversion to fail:
Condition | Error
Hashes or Imphash used without md5, sha1, or sha256 | The Hashes and Imphash fields are not supported if the logic only contains these hash-related fields.
Description or Product used without Image | The Description and Product fields are not supported if Image is not included in the logic.
Fields: Protocol, requestParameters*, responseElements*, resources*, userIdentity* | <field> cannot be queried in XDR Data Explorer.
SourceIp or SourcePort used alongside DestinationHostname in network_internet rules | <field> is not supported if DestinationHostname is also present in the rule.
Details: Binary Data in registry rules | Binary Data is not supported in TELEMETRY_REGISTRY.
EventType: RenameKey in registry rules | Registry rename events are not supported.
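As an added example (not part of the original documentation or the product's own tooling): a small Python pre-import check that applies the rules on this page to a parsed Sigma rule (a dict as loaded from YAML) and reports every construct the page says will fail conversion. The function names, error strings and the sample rule are this example's own, and it reads logsource.category to apply the registry and network_internet rows of the table.

```python
import fnmatch
SUPPORTED_MODIFIERS = {"contains", "startswith", "endswith", "re", "exists"}
UNQUERYABLE = ["Protocol", "requestParameters*", "responseElements*",
               "resources*", "userIdentity*"]
REGISTRY_BLOCKED = {("Details", "Binary Data"), ("EventType", "RenameKey")}

def field_refs(detection):
    """Yield (base_field, modifiers, values) for each field in the detection block."""
    for name, body in detection.items():
        if name != "condition" and isinstance(body, dict):
            for key, val in body.items():
                base, *mods = key.split("|")
                yield base, mods, val if isinstance(val, list) else [val]

def lint_sigma(rule):
    """Return the conversion errors described above for one parsed Sigma rule."""
    errors = []
    detection = rule.get("detection", {})
    category = rule.get("logsource", {}).get("category", "")
    refs = list(field_refs(detection))
    fields = {base for base, _, _ in refs}
    # A list-valued selection is an unbound keyword search across all fields
    for name, body in detection.items():
        if name != "condition" and isinstance(body, list):
            errors.append(f"{name}: keyword detection is not supported")
    for base, mods, vals in refs:
        for mod in mods:  # every modifier segment, so 're|i' fails on 'i'
            if mod not in SUPPORTED_MODIFIERS:
                errors.append(f"{base}: modifier '{mod}' is not supported")
        if any(fnmatch.fnmatchcase(base, pat) for pat in UNQUERYABLE):
            errors.append(f"{base} cannot be queried in XDR Data Explorer")
        for val in vals:  # binary Details / RenameKey events in registry rules
            if "registry" in category and (base, val) in REGISTRY_BLOCKED:
                errors.append(f"{base}={val} is not supported in registry rules")
    if fields & {"Hashes", "Imphash"} and not fields & {"md5", "sha1", "sha256"}:
        errors.append("Hashes/Imphash are not supported without md5, sha1 or sha256")
    if fields & {"Description", "Product"} and "Image" not in fields:
        errors.append("Description/Product are not supported without Image")
    if category == "network_internet" and "DestinationHostname" in fields:
        for f in sorted(fields & {"SourceIp", "SourcePort"}):
            errors.append(f"{f} is not supported if DestinationHostname is present")
    return errors

SAMPLE_RULE = {  # constructed, not a real Sigma rule; trips three checks at once
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image|endswith": "\\example.exe",
                                "CommandLine|contains|all": ["-a", "-b"],
                                "Imphash": "constructed-imphash-value"},
                  "keywords": ["/Basic/Command/Base64/"],
                  "condition": "selection or keywords"}}
```

Run lint_sigma on each rule before importing it and fix every reported condition, since a single unsupported construct fails the whole conversion.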
