From 64109ee3be9e4b286fe234211bc213bffdade887 Mon Sep 17 00:00:00 2001
From: Tony Phipps
Date: Mon, 9 Sep 2024 11:19:31 -0600
Subject: [PATCH] append '4688' to new rules

---
 Splunk/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Splunk/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1 b/Splunk/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1
index 2cb6f3f..1e9461a 100644
--- a/Splunk/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1
+++ b/Splunk/sigma/Copy-SplunkSigma-Sysmon1-to-4688.ps1
@@ -111,6 +111,7 @@
  $_ = $_ -replace ' IntegrityLevel=".*?"', ''
  $_ = $_ -replace ' OR CurrentDirectory=".*?"', ''
  $_ = $_ -replace ' CurrentDirectory=".*?"', ''
+ $_ = $_ -replace '^\[(.*?)\]$', '[$1 4688]'
  # Return the modified line
  $_
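Review bot: The added stanza rename is not idempotent: a line that already reads `[Some Rule 4688]` still matches `^\[(.*?)\]$`, so re-running the script over previously converted output yields `[Some Rule 4688 4688]` and a second, differently named copy of the same search. A one-line guard avoids it, `if ($_ -notmatch ' 4688\]$') { $_ = $_ -replace '^\[(.*?)\]$', '[$1 4688]' }`, keeping the replacement string single-quoted so `$1` reaches the regex engine rather than PowerShell expansion. The line also deserves a why-comment alongside the existing `# Return the modified line`, e.g. `# Suffix the stanza name so the 4688 variant does not collide with (and silently override) the Sysmon EventID 1 rule it was copied from` — hedged, since the surrounding savedsearches handling is outside the hunk. The enclosing script block that binds `$_` starts before the hunk, and the hunk header counts one more context line than is visible here.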