// LAB ยท DETECTION (BLUE TEAM)

๐Ÿ›ก๏ธ Sigma Detection Lab

Scenario: You have a Windows process_creation log stream. An attacker is using PowerShell to download and run payloads. Your mission: write a detection rule that catches ALL malicious activity with zero false positives (the admin's legitimate PowerShell must not fire).

Rule builder

AND
๐Ÿ’ก In "contains" you can put several comma-separated values: it matches if any appears (like a Sigma list).

Logs โ€” process_creation

#ImageCommandLineUser