Potential bug with matrix found item

[cyb3rxp]

Hi,

I'd like to report the following potential bug, while running Zircolite latest version with latest ruleset on a Sysmon EVTX file sample:

in the Matrix tab of Zircolite Gui, I can see that there is a 'T1490-Inhibit System Recovery' TTP being found ('found' tag being displayed),
when I select this TTP ID from the matrix, I only get filtered events (within the upper tab) that are related to: 'Amsi.DLL Load By Uncommon Process'. No other events related to T1490 are being shown.
Unless I'm mistaking, this does not seem to be consistent, between what the matrix shows and what the upper tab ('Sigma alerts') shows.

NB: sorry, can't share the sample.

Many thanks and regards,

[wagga40]

When you select a technique in the matrix, if some rules that have been triggered on your Sysmon EVTX file sample have a tag correponding to the one selected, they will appear with their related events in the "Sigma alerts" panel.

When I test with the EVTX-ATTACK-SAMPLES from Samir Bousseaden, it works perfectly. It this test, 5 rules with the "attack.t1490" tag are triggered and are displayed in the Sigma alerts panel when I click on "T1490-Inhibit System Recovery" in the Matrix.

Only 25 rules have a tag "attack.t1490", are you sure your Sysmon EVTX file sample triggers multiples rules ?

What is the output when you do jq -r '.[] | select(.tags != null and (.tags | index("attack.t1490"))) | [.title, .count] | @csv' detected_events.json just after the execution of Zircolite ?

[wagga40]

Closing because there was no answer.
Feel free to reopen.