SigmaHQ / sigma-specification

Sigma rule specification

Fixed missing link to rules for event_count #70

Closed 0xr2po closed 1 year ago

0xr2po commented 1 year ago

event_count has no referenced rules. With this, the Sigma meta rule would not work in the way described. Added the missing rule failed logon to fix the missing link.

nasbench commented 1 year ago

The value_count doesn't require a rule ID. As it is counting the occurrences defined by a field and group-by

0xr2po commented 1 year ago

Hi nasbench,

thank you for your reply. I understand that value_count generally does not require rule IDs due to the specification.

However, the example says "Simple example : Failed logon attempts with more than 100 different user accounts per source and destination at a day:" and the rule under this description has no relation to failed logins.

The way the value_count example rule is currently written, it says something like "Events from more than 100 different user accounts per source and destination in one day". To fix that, I created this pull request by adding the reference rule: 5638f7c0-ac70-491d-8465-2a65075e0d86 from the previous example, which I understand is failed_login.

By the way, an older version of the Sigma_meta_rules specification included a reference to the failed_login rule, which made more sense to me:

```yaml
action: correlation
type: value_count
rule: failed_login
field: User
group-by:
    - ComputerName
    - WorkstationName
timespan: 1d
condition:
    gte: 100
```

thomaspatzke commented 1 year ago

> The value_count doesn't require a rule ID. As it is counting the occurrences defined by a field and group-by

All correlation rules need a reference to a Sigma rule that describes the events where the values are counted. It's because....

> However, the example says "Simple example : Failed logon attempts with more than 100 different user accounts per source and destination at a day:" and the rule under this description has no relation to failed logins.

...this 😉

> By the way, an older version of the Sigma_meta_rules specification included a reference to the failed_login rule, which made more sense to me:

Yes, the original idea was to give Sigma rules a human-readable name with a separate attribute name and refer to these names instead of the id to improve the readability of the rules. Both references, name and id, should be valid. It's partially contained in the examples, and the rules attribute definition got lost somehow in the action example. Just fixing that.
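To make the point of the thread concrete, here is a small evaluator for a value_count correlation rule run over constructed Windows logon events. This is an added example and not code from the sigma-specification repository or from pySigma; the rule id, the event records and the lowered threshold (3 instead of the spec's 100) are assumptions for illustration, and the event matching is a plain exact-match on selection fields. It shows what both commenters describe: the `rule` reference selects which events feed the distinct-value count, and it can be given either as the rule's `name` or its `id`. Dropping the reference makes successful logons count toward the "failed logon" threshold and produces a false alert.

```python
"""Minimal evaluator for a Sigma value_count correlation rule.

Added example, not code from the sigma-specification project or pySigma.
Events, rule id and threshold are constructed; matching is exact-match only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed base rule: Windows failed logon (EventID 4625). The id is made up.
FAILED_LOGIN_RULE = {
    "name": "failed_login",
    "id": "00000000-0000-4000-8000-000000000001",
    "detection": {"selection": {"EventID": 4625}},
}

# Constructed correlation rule in the shape discussed in the thread.
# Threshold lowered to 3 so the sample data below triggers it.
VALUE_COUNT_RULE = {
    "action": "correlation",
    "type": "value_count",
    "rule": "failed_login",
    "field": "User",
    "group-by": ["ComputerName", "WorkstationName"],
    "timespan": "1d",
    "condition": {"gte": 3},
}

# Constructed sample events, all on the same UTC day.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T08:15:00+00:00", "EventID": 4625, "User": "alice",
     "ComputerName": "DC01", "WorkstationName": "WS-ATTACKER"},
    {"timestamp": "2024-03-01T08:16:00+00:00", "EventID": 4625, "User": "bob",
     "ComputerName": "DC01", "WorkstationName": "WS-ATTACKER"},
    {"timestamp": "2024-03-01T08:17:00+00:00", "EventID": 4625, "User": "carol",
     "ComputerName": "DC01", "WorkstationName": "WS-ATTACKER"},
    {"timestamp": "2024-03-01T09:00:00+00:00", "EventID": 4624, "User": "dave",
     "ComputerName": "DC01", "WorkstationName": "WS-NORMAL"},
    {"timestamp": "2024-03-01T09:05:00+00:00", "EventID": 4624, "User": "erin",
     "ComputerName": "DC01", "WorkstationName": "WS-NORMAL"},
    {"timestamp": "2024-03-01T09:10:00+00:00", "EventID": 4624, "User": "frank",
     "ComputerName": "DC01", "WorkstationName": "WS-NORMAL"},
    {"timestamp": "2024-03-01T09:12:00+00:00", "EventID": 4625, "User": "alice",
     "ComputerName": "DC01", "WorkstationName": "WS-NORMAL"},
]

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_timespan(spec):
    """'1d' -> 86400 seconds; supports the s, m, h and d suffixes."""
    return int(spec[:-1]) * _UNITS[spec[-1]]


def event_matches(rule, event):
    """Exact-match every selection field (Sigma modifiers are out of scope here)."""
    return all(event.get(k) == v for k, v in rule["detection"]["selection"].items())


def resolve_rule(ref, rules):
    """Accept either the rule's human-readable name or its id, as proposed above."""
    for r in rules:
        if ref in (r["name"], r["id"]):
            return r
    raise KeyError(f"correlation references unknown rule {ref!r}")


def evaluate_value_count(corr, rules, events):
    """Return {(group values..., window_start): distinct count} for groups meeting gte.

    If corr["rule"] is missing, every event is counted, which is exactly the
    defect in the spec example: successful logons then inflate the user count.
    """
    base = resolve_rule(corr["rule"], rules) if corr.get("rule") else None
    span = parse_timespan(corr["timespan"])
    buckets = defaultdict(set)
    for ev in events:
        if base is not None and not event_matches(base, ev):
            continue
        ts = datetime.fromisoformat(ev["timestamp"]).timestamp()
        window = int(ts // span) * span  # fixed windows aligned to the timespan
        key = tuple(ev.get(g) for g in corr["group-by"]) + (window,)
        buckets[key].add(ev[corr["field"]])
    threshold = corr["condition"]["gte"]
    return {k: len(v) for k, v in buckets.items() if len(v) >= threshold}


if __name__ == "__main__":
    good = evaluate_value_count(VALUE_COUNT_RULE, [FAILED_LOGIN_RULE], SAMPLE_EVENTS)
    print("with rule reference:", good)      # only (DC01, WS-ATTACKER) with 3 users
    broken = dict(VALUE_COUNT_RULE, rule=None)
    print("without rule reference:",
          evaluate_value_count(broken, [FAILED_LOGIN_RULE], SAMPLE_EVENTS))
```

Run as a script it prints one hit when the `rule` reference is present and two when it is removed, the second being the benign WS-NORMAL workstation whose three successful logons plus one failure are counted as four "failed" users. Referencing the base rule by its id instead of `failed_login` yields the same result.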