Data|contains|all versus '|all': ?

[YamatoSecurity]

Some rules use Data|contains|all to specify a list of keywords that all need to be present somewhere in the log (any field):

detection:
    application:
        Channel: Application
    selection:
        Provider_Name: Windows Error Reporting
        EventID: 1001
        Data|contains|all:
            - MsMpEng.exe
            - mpengine.dll
    condition: application and selection

However, some rules use '|all': to also do the same thing (from my understanding):

detection:
    keywords_export_command:
        '|all':
            - 'New-ExchangeCertificate'
            - ' -GenerateRequest'
            - ' -BinaryEncoded'
            - ' -RequestFile'
    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
    condition: keywords_export_command and keywords_export_params

Is there a difference in the meaning or just two ways to write the same rule? (If so, should rules be re-written to follow a uniform syntax?)

The same thing also happens with Data|contains:

detection:
    selection:
        Provider_Name: 'MSSQLSERVER'
        EventID: 33205
        Data|contains:
            - 'statement:ALTER SERVER AUDIT'
            - 'statement:DROP SERVER AUDIT'
    condition: selection

and rules that don't specify a field:

detection:
    keywords:
        - 'dpapi::masterkey'
        - 'eo.oe.kiwi'  
        - 'sekurlsa::'
    condition: keywords

Are these the same meaning as well?

[YamatoSecurity]

I am guessing that '|all': and - lists are for searching both System and EventData or UserData for Windows logs, and Data|contains is when you just want to search in EventData or UserData. However, looking at the rules, there does not seems to be a scenario where it would be necessary to search System as the suspicious keywords should not show up there, only in EventData or UserData. So rules should all probably be rewritten to search just the Data fields to speed up processing and lower possibilities of FPs?

[nasbench]

They're basically all different ways to write keywords rule. Basically Data|contains| was used based on unparsed event log that have the Data element having all the information such as PowerShell classic logs. The other notation of using keywords is basically targeting all available fields in an event log.

There are plan to consolidate everything in the future to use similar syntax but for now it's like this unfortunately.

[nasbench]

@YamatoSecurity Much appreciated if mark this as resolved if my response answers your question :D

[thomaspatzke]

Is there a difference in the meaning or just two ways to write the same rule? (If so, should rules be re-written to follow a uniform syntax?)

The first search is bound to a ield while the second is unbound (also called keyword rule) syntax and means that the whole log event is searched for appearance of all strings. For keyword the contains modifier is implicitly assumed because it mostly doesn't makes sense to match a complete event because they usually contain dynamic information like time, hostnames etc. This reflects also how most SIEMs behave.

The same thing also happens with Data|contains:
...
Are these the same meaning as well?

Yes, both are contains searches, the one explicitly bound to a field the other implicitly and unbound.

[YamatoSecurity]

@nasbench @thomaspatzke Thank you both the explanations. All is clear now.
Data|contains was for rules with unnamed Data fields (Ex: <Data>xxx</Data>) while '|all': is for named Data fields as well (Ex: <Data Name="somename">xxx</Data>).
I misinterpreted Data|contains conditions to search on named Data fields as well so was a little confused.