fix(rules): remove redundant androdr-084 (duplicates androdr-047)#213
Merged
Unbundles androdr-084 and bumps the android-sigma-rules submodule to 95cc55f (rule removed there too). androdr-047 already covers CVE-2025-48595 — its source is the CISA Known Exploited Vulnerabilities catalog and its evidence lists the CVE with per-CVE severity. Capped at medium by the device_posture policy, 084 added no distinction over 047 and produced a duplicate card. The 52 IOC entries from the same batch remain in the submodule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reverts the bundled rule androdr-084 and bumps the android-sigma-rules submodule to 95cc55f (rules#31).

Why: androdr-084 keyed on CVE-2025-48595, which androdr-047 already covers — 047's source is the CISA Known Exploited Vulnerabilities catalog (= actively-exploited CVEs) and its evidence already lists CVE-2025-48595 with per-CVE severity (CRITICAL). Forced to level: medium by the device_posture severity cap, 084 had no distinction over 047 and rendered a duplicate finding card (confirmed on a real device).

Removes res/raw/sigma_androdr_084_*.yml and its SigmaRuleEngine registration. The 52 IOC entries from the original batch are retained in the submodule.

Sigma test suite green after removal.
🤖 Generated with Claude Code