append '4688' to new rules

TonyPhipps · Sep 9, 2024 · 64109ee · 64109ee
1 parent 84920ae
commit 64109ee
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/Splunk/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1 b/Splunk/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1
@@ -111,6 +111,7 @@
             $_ = $_ -replace ' IntegrityLevel=".*?"', ''
             $_ = $_ -replace ' OR CurrentDirectory=".*?"', ''
             $_ = $_ -replace ' CurrentDirectory=".*?"', ''
+            $_ = $_ -replace '^\[(.*?)\]$', '[$1 4688]'
 
             # Return the modified line
             $_