
Support multiple grouping by in count #1339

Closed
YamatoSecurity opened this issue May 3, 2024 · 1 comment · Fixed by #1341

@YamatoSecurity (Collaborator)

@fukusuket This is related to Event and Value Counting correlation rules. Since we need to support multiple group-by, it might be better to first implement and test this with our current count. (This can also lower false positives with our current rules)

For example:

```yaml
title: PW Guessing
details: ''  # Cannot be used because this is a count rule
description: Search for many 4625 wrong password failed logon attempts in a short period of time.

id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
level: medium
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4625
        SubStatus: "0xc000006a" # Wrong password
    filter:
        IpAddress: "-"
    condition: selection and not filter | count() by IpAddress >= 5
    timeframe: 5m
```

It would be nice to be able to specify this as `selection and not filter | count() by IpAddress,Computer >= 5`

So both IpAddress and Computer have to be the same. This will check that both the source and the target of the attack are the same. Now, when we use Hayabusa to scan all .evtx files from multiple computers, there is a possibility of false positives if an attacker is guessing passwords against multiple machines. This will let us distinguish between password guessing attacks against one machine and password spray attacks against multiple machines, even if we are scanning logs from multiple machines.

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label May 3, 2024
@YamatoSecurity YamatoSecurity added this to the v2.16.0 milestone May 3, 2024
@YamatoSecurity (Collaborator, Author)

One more thing, while we are at it, I'd like to change how results are output.
Now:

```
[condition] count(TargetUserName) by IpAddress > 3 in timeframe [result] count: 4 TargetUserName:tanaka/Administrator/adsyncadmin/suzuki IpAddress:- timeframe:5m
```

Since no other rules print out the condition statement, I think it would be better just to display the results.

After:

```
Count: 4 ¦ TargetUserName: tanaka/Administrator/adsyncadmin/suzuki ¦ IpAddress: -
```

Or even better, if we could define `details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%'` and get the following results:

```
Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -
```

This would let us keep the field name convention.
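
The two comments above describe, in prose, (1) why `count() by IpAddress` alone can fire on a password spray across several hosts when logs from many machines are scanned together, while `count() by IpAddress,Computer` separates guessing against one host from spraying across hosts, and (2) rendering the count result through a `details` template with `%Field%` placeholders. The Python below is an added example written for this page, not Hayabusa's code, and it is a simplified model of the rule semantics (a sliding timeframe window, `count()` counting events and `count(Field)` counting distinct values, compared with `>=`); Hayabusa's exact aggregation semantics are not asserted here. The 4625 events are constructed sample data, and the function names `count_by`, `matches` and `render_details` are this example's own.

```python
"""Added example (not Hayabusa code): count() grouped by one vs. several fields over a timeframe."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(minute, ip, computer, user, substatus="0xc000006a"):
    """Build one constructed 4625 event; all events fall on 2024-05-03 10:MM."""
    return {"TimeCreated": f"2024-05-03T10:{minute:02d}:00", "Channel": "Security",
            "EventID": 4625, "SubStatus": substatus, "IpAddress": ip,
            "Computer": computer, "TargetUserName": user}


# Constructed sample data: one source spraying two hosts, one source guessing against one host.
EVENTS = [
    # 10.0.0.5 sprays: 3 wrong-password attempts at WS01 and 3 at WS02, all within 5 minutes
    _ev(0, "10.0.0.5", "WS01", "tanaka"),
    _ev(0, "10.0.0.5", "WS02", "tanaka"),
    _ev(1, "10.0.0.5", "WS01", "suzuki"),
    _ev(1, "10.0.0.5", "WS02", "suzuki"),
    _ev(2, "10.0.0.5", "WS01", "Administrator"),
    _ev(2, "10.0.0.5", "WS02", "Administrator"),
    # 10.0.0.9 guesses against a single host: 5 attempts at WS03 within 5 minutes
    _ev(0, "10.0.0.9", "WS03", "adsyncadmin"),
    _ev(1, "10.0.0.9", "WS03", "adsyncadmin"),
    _ev(2, "10.0.0.9", "WS03", "adsyncadmin"),
    _ev(3, "10.0.0.9", "WS03", "adsyncadmin"),
    _ev(4, "10.0.0.9", "WS03", "adsyncadmin"),
    # a sixth WS03 attempt ten minutes later: outside any 5m window containing the first five
    _ev(14, "10.0.0.9", "WS03", "adsyncadmin"),
    # excluded by the rule: local logon without a network address, and a different SubStatus
    _ev(0, "-", "WS01", "tanaka"),
    _ev(0, "10.0.0.5", "WS01", "nobody", substatus="0xc0000064"),
]


def ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def matches(ev):
    """`selection and not filter` from the PW Guessing rule above."""
    return (ev["Channel"] == "Security" and ev["EventID"] == 4625
            and ev["SubStatus"] == "0xc000006a" and ev["IpAddress"] != "-")


def count_by(events, group_by, threshold, timeframe_minutes, count_field=None):
    """Simplified model of `... | count(count_field) by group_by >= threshold` with a timeframe.

    count_field=None counts events in the window; otherwise distinct values of that field.
    Returns {group_key_tuple: (count, events_in_window)} for each group reaching the threshold,
    keeping the largest qualifying window per group.
    """
    timeframe = timedelta(minutes=timeframe_minutes)
    groups = defaultdict(list)
    for ev in sorted(filter(matches, events), key=ts):
        groups[tuple(ev[f] for f in group_by)].append(ev)
    alerts = {}
    for key, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while ts(evs[end]) - ts(evs[start]) > timeframe:  # slide the window start forward
                start += 1
            window = evs[start:end + 1]
            n = len(window) if count_field is None else len({e[count_field] for e in window})
            if n >= threshold and n > alerts.get(key, (0, None))[0]:
                alerts[key] = (n, window)
    return alerts


def render_details(template, count, window):
    """Render the proposed `details` form: %Field% becomes the distinct values seen, joined by '/'."""
    def sub(m):
        values = dict.fromkeys(str(e.get(m.group(1), "n/a")) for e in window)  # first-seen order
        return "/".join(values)
    return f"Count: {count} ¦ " + re.sub(r"%(\w+)%", sub, template)


if __name__ == "__main__":
    # by IpAddress only: both sources fire, the sprayer 10.0.0.5 is a false positive for "guessing"
    for key, (n, win) in count_by(EVENTS, ["IpAddress"], 5, 5).items():
        print("by IpAddress         ", render_details("TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%", n, win))
    # by IpAddress,Computer: only the single-host guesser 10.0.0.9 -> WS03 fires
    for key, (n, win) in count_by(EVENTS, ["IpAddress", "Computer"], 5, 5).items():
        print("by IpAddress,Computer", render_details("SrcIp: %IpAddress% ¦ Host: %Computer%", n, win))
```

Run stand-alone, the first loop reports both 10.0.0.5 (6 attempts spread over WS01 and WS02) and 10.0.0.9 (5 attempts at WS03); the second loop reports only 10.0.0.9/WS03, which is the distinction the first comment asks for. The 10:14 attempt is dropped from the window because the comparison is done against the window start, and the `%Field%` rendering keeps the field-name convention from the second comment.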
