-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add field mapping check for process_creation
rule
#445
Conversation
process_creation
rule
Test1 (Field mapping)When run against the following rule,
|
Test2 (
|
Test3 (
|
Test4 (
|
Test5 (
|
Ver | Sigma rules | Hits / Total | crit(total/uniq) | high(total/uniq) | med(total/uniq) | low(total/uniq) | info(total/uniq) |
---|---|---|---|---|---|---|---|
main | 3569 | 5,632 / 48,262 | 52 / 21 | 5,333 / 265 | 1,160 / 178 | 706 / 59 | 28 / 4 |
This PR | 3444 | 5,434 / 48,262 | 52 / 21 | 5,305 / 261 | 1,155 / 177 | 399 / 58 | 99 / 5 |
Test6 (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
@fukusuket Thanks so much for the PR! One question:
That is, one filter section with incompatible fields but another filter section with a compatible field. I checked and since Potentially Suspicious Rundll32Activity is not being converted, I assume that rules are not being created in this case? Although it might increase FPs, I think we should convert these rules as it may also lower True Positives. Also, when it is
because although it has a section with compatible fields (filter_high) it also relies on a section that includes incompatible fields (filter_correct). |
When a rule is filtering on a section with compatible fields OR a section with in-compatible fields then not creating a 4688 rule will lower FPs but may result in decrease of TPs... so I am wondering what the best way is. What do you think? (I don't want to lower the detection rate by default) |
@YamatoSecurity
I see, I hadn't thought of this case...😅 I agree with you, in this case it would be better to create a rule. At first, I'll count how many rules match this case and I'll understand the characteristics! |
…' into 443-fix-incompatible-fileds-rule
Addressing Although it is not a perfect countermeasure, I tried the implementation below, what do you think? 🤔 Number of
|
No | description | count |
---|---|---|
1 | process_creation rule total count |
1,326 |
2 | Has fields unique to Sysmon |
662 / 1,326 |
3 | Has fields unique to Sysmon and condition with all of */ 1 of * |
484 / 1,326 |
4 | Has fields unique to Sysmon and condition without all of */ 1 of * |
178 / 1,326 |
5 | Has fields unique to Sysmon and condition without all of */ 1 of * and undetectable rule |
61 / 1,326 |
New Implementation
I changed the implementation(460d7f1) to check only the case No.5
. then result is as follows.
Ver | Sigma rules | Hits / Total | crit(total/uniq) | high(total/uniq) | med(total/uniq) | low(total/uniq) | info(total/uniq) |
---|---|---|---|---|---|---|---|
main | 3,569 | 5,632 / 48,262 | 52 / 21 | 5,333 / 265 | 1,160 / 178 | 706 / 59 | 28 / 4 |
460d7f1 | 3,499 | 5,704 / 48,262 | 52 / 21 | 5,334 / 266 | 1,163 / 179 | 706 / 59 | 99 / 5 |
The diff is as follows.
(old.csv
is main
result / fix.csv
is 460d7f1 result )
hayabusa-2.6.0-all-platforms % cat old.csv | awk -F"," '{print $5, $7}' | sort | uniq -c > old-rule-count.csv
hayabusa-2.6.0-all-platforms % cat fix.csv | awk -F"," '{print $5, $7}' | sort | uniq -c > fix-rule-count.csv
hayabusa-2.6.0-all-platforms % diff old-rule-count.csv fix-rule-count.csv
220c220
< 1 "high" "Suspicious Spool Service Child Process"
---
> 2 "high" "Suspicious Spool Service Child Process"
251a252
> 71 "info" "Suspicious High IntegrityLevel Conhost Legacy Option"
369a371
> 3 "med" "Potential RDP Session Hijacking Activity"
Rules using 1 of *
or all of *
are often valid rules(such as #445 (comment)), so it's not a perfect countermeasure,
but for now, I think 460d7f1 is better. Because with 460d7f1 we can detect more with fewer rules.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fukusuket
Thanks for looking into the different cases! LGTM!
Please merge this when ready. I updated the Changelog. Please check the Japanese version and fix if any mistakes.
@YamatoSecurity |
@fukusuket Thanks so much! I updated the count in the English changelog as well so I will merge this. |
What Changed
process_creation
rules #443non-existent fields are not output
to the post-conversion rule in theprocess_creation
rule conversion.Specification
process_creation
field conversionFields for which post conversion rules are not created
If the following fields are in the
AND condition
(orall of the OR conditions
), do not create post-conversion rulesEvidence
Test Environment
I would appreciate it if you could review🙏