Skip to content

Fix false positives for OpenCode to some osascript related rules#6027

Merged
nasbench merged 3 commits into
SigmaHQ:masterfrom
norbert791:rule-update
Jun 11, 2026
Merged

Fix false positives for OpenCode to some osascript related rules#6027
nasbench merged 3 commits into
SigmaHQ:masterfrom
norbert791:rule-update

Conversation

@norbert791

@norbert791 norbert791 commented May 21, 2026
edited by swachchhanda000
Loading

Copy link
Copy Markdown
Contributor

Summary of the Pull Request

This PR updates the logic for two detections matching suspicious usage of OSAScript on MacOS. The rules are updated to not generate false positives for Opencode. Opencode is a popular tool for running AI agents, used by many developers worldwide. Embedding the filter into the rules should improve overall quality for consumers.

Changelog

fix: MacOS Scripting Interpreter AppleScript - filter opencode
fix: Clipboard Access Via OSAScript - filter opencode

Example Log Event

The following sample log contains the relevant fields. I had to remove most of the original event.

{
    "CommandLine": "osascript -e set the clipboard to <REDACTED>",
    "Image": "/usr/bin/osascript",
    "ParentImage": "opencode"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added the Rules label May 21, 2026
@github-actions

github-actions Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

Welcome 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@github-actions github-actions Bot added Review Needed The PR requires review MacOS Pull request add/update macos related rules labels May 21, 2026
@swachchhanda000
Update osascript clipboard rule title, description and reduce level
922505c 
Rename rule to reflect that clipboard access via osascript is not
inherently data collection, soften description and false positives
accordingly, reduce level from high to medium, and tighten the
OpenCode filter to use more specific command line conditions.
@swachchhanda000 swachchhanda000 added this to the Sigma-May-Release milestone May 22, 2026
@nasbench nasbench merged commit c2500ea into SigmaHQ:master Jun 11, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frack113 frack113 frack113 approved these changes

@swachchhanda000 swachchhanda000 swachchhanda000 approved these changes

@nasbench nasbench Awaiting requested review from nasbench

@phantinuss phantinuss Awaiting requested review from phantinuss

Assignees

No one assigned

Labels

MacOS Pull request add/update macos related rules Review Needed The PR requires review Rules

Projects

None yet

Milestone

Sigma-June-Release

Development

Successfully merging this pull request may close these issues.

4 participants

@norbert791 @frack113 @swachchhanda000 @nasbench