
Improving count rule's output #1342

Open
fukusuket opened this issue May 7, 2024 · 7 comments
Labels: enhancement (New feature or request)

Comments

@fukusuket (Collaborator)

#1341 (comment)

  1. Is it possible to put in the Channel and EventID info? When there are multiple values, we can separate them with ¦.
  2. ExtraFieldInfo is blank (··) but it would be nice to have it as - which we use for n/a. So ·· -> · - ·
  3. EvtxFile is also - but many users ask me how they can look up the evtx file from this alert so it would be nice to get this information as well. Again, separate by ¦ when there are multiple values.
  4. Is it possible to do the field key mapping? For example, change SubStatus: 0xc000006a to SubStatus: WRONG PW, etc...
@fukusuket fukusuket added the enhancement New feature or request label May 7, 2024
@fukusuket fukusuket added this to the v2.16.0 milestone May 7, 2024
@fukusuket fukusuket self-assigned this May 7, 2024
@fukusuket (Collaborator, Author)

#1339 (comment)

Or even better, if we could define in details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' and get the following results: Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -

@fukusuket (Collaborator, Author) commented May 7, 2024

#1341 (comment)

  • If top level Channel has multiple values, should it be an array or string?
  • If top level EventID has multiple values, should it be an array or string?
  • If each field under Details has multiple values, should it be an array or string?
  • Should the aggregate results of Channel and EventID be placed under Details?

@YamatoSecurity (Collaborator)

@fukusuket I talked to someone who is more familiar with importing into elastic stack and he said that elastic will create multiple logs (documents) when arrays are used and it will make parsing more difficult so I think we should avoid arrays and keep everything as strings. We should probably keep the Channel and EventID information not in Details, but in the normal fields so that it makes searching for them easier.

@fukusuket (Collaborator, Author) commented May 9, 2024

@YamatoSecurity
Thank you for checking :) Is the expected JSON output format like the following?

  • Top-level fields are strings joined with ¦.
  • Create fields such as Count/IpAddress/SubStatus... under the Details field and store values in each.

{
    "Timestamp": "2021-10-24 06:50:11.666 +09:00",
    "RuleTitle": "TEST_TITLE",
    "Level": "info",
    "Computer": "HOSTA ¦ HOSTB",
    "Channel": "Sysmon ¦ Security",
    "EventID": "4624 ¦ 4625",
    "RecordID": "",
    "Details": {
        "Count": 2,
        "IpAddress": "10.23.23.9",
        "SubStatus": "0x0",
        "LogonType": "10"
    },
    "ExtraFieldInfo": "-"
}

@YamatoSecurity (Collaborator)

@fukusuket LGTM!

@fukusuket (Collaborator, Author)

#1373 (comment)

Problems:

1. Top 5 computers with most unique detections shows only n/a but should include the correlation rule results

#1376 (comment)

@fukusuket (Collaborator, Author) commented Jul 9, 2024

TODO

  1. Is it possible to put in the Channel and EventID info? When there are multiple values, we can separate them with ¦.
  2. ExtraFieldInfo is blank (··) but it would be nice to have it as - which we use for n/a. So ·· -> · - ·
  3. EvtxFile is also - but many users ask me how they can look up the evtx file from this alert so it would be nice to get this information as well. Again, separate by ¦ when there are multiple values.
  4. Is it possible to do the field key mapping? For example, change SubStatus: 0xc000006a to SubStatus: WRONG PW, etc...
  5. We should probably keep the Channel and EventID information not in Details, but in the normal fields
  6. Top 5 computers with most unique detections shows only n/a but should include the correlation rule results
  7. Events with hits / Total events: 0 / 26,341 (Data reduction: 26,341 events (100.00%)) should say Events with hits / Total events: 2 / 26,341 (Data reduction: 26,339 events (99.99%))
  8. Or even better, if we could define in details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' and get the following results: Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -
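As an added illustration of the output format agreed in this thread (example code, not Hayabusa's own implementation), the following Python builds the proposed count-rule record from constructed sample events: top-level Computer/Channel/EventID/EvtxFile as ¦-joined strings rather than arrays (so Elastic does not split them into several documents), Count and key-mapped fields under Details, and the item 8 template expanded into a details string. The sample events, the key-map contents beyond SubStatus 0xc000006a, and the '/' joiner inside template placeholders are assumptions.

```python
import re
SEP = " ¦ "  # separator the thread uses when one field has several values

# Field key mapping (item 4): raw value -> readable label. Only the SubStatus
# value the thread itself mentions is included; any other entry is an assumption.
KEY_MAP = {"SubStatus": {"0xc000006a": "WRONG PW"}}

# Constructed sample events matched by one count rule (not real log data).
EVENTS = [
    {"Timestamp": "2021-10-24 06:50:11.666 +09:00", "Computer": "HOSTA",
     "Channel": "Security", "EventID": 4625, "EvtxFile": "hosta.evtx",
     "TargetUserName": "tanaka", "SubStatus": "0xc000006a"},
    {"Timestamp": "2021-10-24 06:50:12.000 +09:00", "Computer": "HOSTB",
     "Channel": "Security", "EventID": 4625, "EvtxFile": "hostb.evtx",
     "TargetUserName": "Administrator", "SubStatus": "0xc000006a"},
    {"Timestamp": "2021-10-24 06:50:13.000 +09:00", "Computer": "HOSTA",
     "Channel": "Sysmon", "EventID": 1, "EvtxFile": "hosta.evtx",
     "TargetUserName": "tanaka"},
]

def unique(values):
    """Distinct string values in first-seen order; '-' stands for n/a."""
    return list(dict.fromkeys(str(v) for v in values if v is not None)) or ["-"]

def mapped(field, value):
    """Apply the key mapping when one exists, else pass the raw value through."""
    return KEY_MAP.get(field, {}).get(str(value), value)

def aggregate(events, rule_title, level, detail_fields,
              top=("Computer", "Channel", "EventID", "EvtxFile")):
    """One JSON-ready record per count-rule hit: strings joined with ¦ and no
    arrays, Channel/EventID/EvtxFile at top level, Count and fields in Details."""
    record = {"Timestamp": min(e["Timestamp"] for e in events),
              "RuleTitle": rule_title, "Level": level}
    for field in top:
        record[field] = SEP.join(unique(e.get(field) for e in events))
    record["RecordID"] = ""
    details = {"Count": len(events)}
    for field in detail_fields:
        details[field] = SEP.join(unique(mapped(field, e.get(field)) for e in events))
    record["Details"] = details
    record["ExtraFieldInfo"] = "-"  # blank ExtraFieldInfo is rendered as '-' (item 2)
    return record

def render_details(events, template):
    """Expand 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' (item 8): each
    %Field% becomes its distinct values joined with '/', prefixed by Count."""
    expand = lambda m: "/".join(unique(mapped(m.group(1), e.get(m.group(1))) for e in events))
    return f"Count: {len(events)} ¦ " + re.sub(r"%(\w+)%", expand, template)
```

Calling aggregate(EVENTS, "TEST_TITLE", "info", ["SubStatus"]) yields Computer "HOSTA ¦ HOSTB" and Details {"Count": 3, "SubStatus": "WRONG PW"}; json.dumps(record, ensure_ascii=False) serialises it in the shape shown in the May 9 comment.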
