Count column #103
Comments
Hey, so the count in this context is about how many documents were needed to cause the detection to fire. Thus it is only really there to inform users when aggregation-based rules trigger, such as brute force attacks. The reason it is shown in every row is for consistency. Very happy to change or improve things, do you have any thoughts on it?
Hi, is it possible to concatenate the results of a column whenever trying to perform an aggregation?
I believe that is doable in the way that I wrote it, are you wanting to aggregate by multiple columns or just one? The chainsaw rule syntax should already support both use cases: https://github.com/WithSecureLabs/chainsaw/blob/master/rules/login_attacks/account_brute_force.yml Please let me know if this is not what you meant and we can hash out what is missing in order to get it added in :)
Having said that, I have not wired up the fancy outputting for aggregates yet, which I think is what you want? https://github.com/WithSecureLabs/chainsaw/blob/master/src/cli.rs#L347
So you can do the first bit by adding the extra field to the aggregate fields in the rule. The second part of merging the non-grouped columns is not implemented yet (it just picks the first doc as shown in my second comment above). But in theory this is pretty easy to add, so I can add that to my list of things to do. Rule tweak would be like this:
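To make the behaviour discussed in this thread concrete, here is an added example (not Chainsaw's code) that simulates an aggregation rule over constructed failed-logon events: `count` is the number of documents in a group that met the threshold, and the non-grouped columns are either taken from the first document (the current behaviour described above) or merged into one deduplicated value. The event fields, threshold and sample events are constructed for illustration only.

```python
"""Added example (not Chainsaw's code): simulates how an aggregation rule
turns many matching events into one detection row with a 'count' column."""
from collections import OrderedDict

# Constructed sample events (not real EVTX data): 4625 = failed logon.
EVENTS = [
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.7", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 2},
]


def aggregate(events, match, group_by, threshold, merge=False):
    """Group events that satisfy `match` by the `group_by` fields and emit one
    row per group whose size reaches `threshold`. Non-grouped columns come from
    the first document (merge=False, as described in the thread) or are merged
    into a deduplicated, order-preserving list (merge=True)."""
    groups = OrderedDict()
    for ev in events:
        if not match(ev):
            continue
        key = tuple(ev[f] for f in group_by)
        groups.setdefault(key, []).append(ev)
    rows = []
    for key, docs in groups.items():
        if len(docs) < threshold:
            continue  # not enough documents to fire the detection
        row = {"count": len(docs)}  # documents needed to trigger the rule
        row.update(zip(group_by, key))
        for col in docs[0]:
            if col in group_by:
                continue
            if merge:
                values = OrderedDict.fromkeys(str(d[col]) for d in docs)
                row[col] = ", ".join(values)
            else:
                row[col] = docs[0][col]  # first-document behaviour
        rows.append(row)
    return rows


def failed_logon(ev):
    return ev["EventID"] == 4625


if __name__ == "__main__":
    for row in aggregate(EVENTS, failed_logon, ["IpAddress"], 3, merge=True):
        print(row)
```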
The implementation of this is not that nice due to compromises that had to be made elsewhere but this should do the job for now. This will be handled properly when rescoping occurs.
@Sub-Z3r0, if you are able to compile Chainsaw, can you give the latest master branch a go? Full aggregation support should be working properly now.
@alexkornitzer Thank you for your support. It is working as expected.
No problem, will get that tagged up and released. Thanks for testing.
The behavior of Chainsaw does not work as I thought. I assumed the output column 'count' represents the number of occurrences of that specific event, but based on my EVTX files, that does not appear correct. So what does the 'count' column mean?