Comments missing

[YamatoSecurity]

On the left are our converted rule and the right has the original sigma rule. There seems to be a missing comment: Note: In the case of...
@fukusuket Whenever you have time, could you see if you can keep these comments as well?

Also, - 'ping' gets converted to - ping which is still valid YAML so is no problem, but would like to still keep the single quotes intact if it is not difficult to do.

[YamatoSecurity]

@fukusuket Whenever you have time, could you take a look at this? I'd like to use the converted rules for triage but will be harder if comments are missing.

[fukusuket]

@YamatoSecurity
Could you give me a specific case where the comment does not remain? (Basically, the comment is supposed to remain, and it is probably a case where the comment cannot remain due to the addition of node, etc.)

[YamatoSecurity]

@fukusuket There is an example at the top, for example rule ded2b07a-d12f-4284-9b76-653e37b6c8b0.

In the original rule, on line 18 it says # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 but this comment is not there in the converted rules.

[fukusuket]

@YamatoSecurity
Comments disappear in the following cases

• The line immediately following detection
• If you are converting field names (e.g., process_creation(builtin 4688))

Unfortunately, in the above case, it is difficult to retain comments because the original values have been rewritten... :(
Pending until another solution is found.