Count column

[mkwired]

The behavior of Chainsaw does not work as I thought. I assumed the output column 'count' represents the number of occurrences of that specific event, but based on my EVTX files, that does not appear correct. So what does the 'column' mean?

[alexkornitzer]

Hey, so the count in this context it about how many documents were needed to cause the detection to fire. Thus it is only really there to inform users when aggregation based rules trigger such as brute force attacks. The reason it is shown in every row is for consistency. Very happy to change or improve things, do you have any thoughts on it?

[Sub-Z3r0]

Hi, is it possible to concatenate results of a column whenever trying to perform an aggregation.
For instance, trying to perform an aggregation rule for a brute force attack and I need to concatenate all of the source IPs into a single cell. is that feasible ?

[alexkornitzer]

I believe that is doable in the way that I wrote it, are you wanting to aggregate by multiple columns or just one? The chainsaw rule syntax should already support both use cases: https://github.com/WithSecureLabs/chainsaw/blob/master/rules/login_attacks/account_brute_force.yml

Please let me know if this is not what you meant and we can hash out what is missing in order to get it added in :)

[alexkornitzer]

Having said that I have not wired up the fancy outputting for aggregates yet which I think is what you want? https://github.com/WithSecureLabs/chainsaw/blob/master/src/cli.rs#L347

[Sub-Z3r0]

I would like to add to the aggregation the ability to concat cells. attached you can see an example.
In the first screenshot the users and timestamps are each in a row, I would like to concatenate them in a single row if that is feasible.

by doing so additional rule use cases can be added to chainsaw playbook.

[alexkornitzer]

So you can do the first bit by adding the extra field to the aggregate fields in the rule. The second part of merging the non grouped columns is not implemented yet (it just picks the first doc as show in my second comment above). But in theory this is pretty easy to add so I can add that to my list of things to do.

Rule tweak would be like this:

...
aggregate:
  count: '>5'
  fields:
    - Event.EventData.TargetUserName
    - Event.EventData.SourceIP

[alexkornitzer]

@Sub-Z3r0, if you are able to compile Chainsaw, can you give the latest master branch a go? full aggregation support should be working properly now.

[Sub-Z3r0]

@alexkornitzer Thank you for your support. It is working as expected.

[alexkornitzer]

No problem, will get that tagged up and released. Thanks for testing.