Merge pull request #98 from marcelkwaschny/documentation/exists-modifier

Added exists keyword to the modifiers documentation page
SigmaHQ · Dec 5, 2024 · d07d63b · d07d63b
2 parents 659f75b + 60cde6a
commit d07d63b
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/docs/basics/modifiers.md b/docs/basics/modifiers.md
@@ -37,6 +37,7 @@ Below is a list of available field modifiers.
     <li><a href="#cidr"><code>cidr</code></a></li>
     <li><a href="#contains"><code>contains</code></a></li>
     <li><a href="#endswith"><code>endswith</code></a></li>
+    <li><a href="#exists"><code>exists</code></a></li>
     <li><a href="#expand"><code>expand</code></a></li>
     <li><a href="#fieldref"><code>fieldref</code></a></li>
     <li><a href="#gt"><code>gt</code></a></li>
@@ -227,6 +228,46 @@ The `endswith` modifier will insert a wildcard token (usually `*`) at the end of
 
 ---
 
+### exists
+
+::: code-group
+
+```yaml [/rules/rule.yml]
+title: Administrator Usage
+logsource:
+  product: windows
+detection:
+  selection:
+    user|exists: true
+  condition: selection
+```
+```netwitness [NetWitness Output]
+user exists
+```
+
+:::
+
+::: code-group
+
+```yaml [/rules/rule.yml]
+title: Administrator Usage
+logsource:
+  product: windows
+detection:
+  selection:
+    user|exists: false
+  condition: selection
+```
+```netwitness [NetWitness Output]
+user !exists
+```
+
+:::
+
+The `exists` modifier will generate a query to check if `fieldname` exists. The value for the modifier can either be `true` or `false`. Setting the value to `false` will result in a not exists query.
+
+---
+
 ### expand
 
 ::: code-group