Velocidex / velociraptor-sigma-rules

A Compiler from Sigma rules to VQL

Integer field are not parsed inside the Details field #16

Closed ablescia closed 6 months ago

ablescia commented 7 months ago

When I use the Sigma.Windows.Hayabusa.Rules artifact, I noticed that the Details field does not parse integer fields.

For example, observe that both the LogonType and the TargetLogonId are not parsed:

image

scudette commented 7 months ago

The Details field is supposed to show a single line human representation of the event for fast viewing. It is a similar idea to the windows event log message - it is a format string which has some of the event details interpolated into it.

This is an extension to the Sigma standard used by Hayabusa. The details format string can be in the rule itself - for example https://github.com/Yamato-Security/hayabusa-rules/blob/09dba13950cb849d320d76ae63707496c5947f14/hayabusa/builtin/Security/LogonLogoff/Logoff/Sec_4634_Info_Logoff_Noisy.yml#L6

or the details field can be set as a default for that event type in the config file - for example:

https://github.com/Velocidex/velociraptor-sigma-rules/blob/4a689a4fd58217821c881c7577303b524184e04a/config/windows_hayabusa_rules.yaml#L329

Either way the details field is not supposed to show all the event data - only some of it that the rule writer considers important.

ablescia commented 7 months ago

Dear @scudette, I have had the opportunity to review the proposed configuration file. Event 4624, as stated in the configuration file, should display the LogonType field set with the corresponding value. Instead, it shows the text Type: LogonType. I do not understand why this is happening. The example I showed in the photo contains the LogonType value set to 2, which is why I expect it to be displayed.

ablescia commented 7 months ago

@scudette I tried with the event_id 4634.

As you can see below, the problem persists with the TargetLogonId and LogonId fields:

image

Hayabusa detail declaration: details: 'User: %TargetUserName% ¦ LID: %TargetLogonId% ¦ Type: %LogonType%'

Regards,

scudette commented 7 months ago

Oh I see - the LogonType is not properly expanded into the format string. Let me look at it.

ablescia commented 7 months ago

> Oh I see - the LogonType is not properly expanded into the format string. Let me look at it.

I think the problem concerns all the integers.
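The behaviour described in this thread, as an added illustration that is not code from this repository or from Velociraptor: the Hayabusa-style details string quoted above uses %FieldName% placeholders that are filled from the parsed event. The first function reproduces the symptom (string fields expand, integer fields such as LogonType and TargetLogonId collapse to the bare field name); the second shows a correct expansion that stringifies any present value. The sample event, the regex and both function names are constructed for this example, and the "strings only" cause is a hypothesis chosen to reproduce the output in the screenshots, not the actual defect fixed upstream.

```python
import re
from typing import Any, Dict

# Constructed sample event (not a real log record): the fields a
# parsed EID 4634 logoff event would expose to a Sigma/Hayabusa rule.
SAMPLE_EVENT: Dict[str, Any] = {
    "EventID": 4634,
    "TargetUserName": "alice",
    "TargetLogonId": 999,  # integer, as parsed from the EVTX XML
    "LogonType": 2,        # integer
}

# Details format string in the Hayabusa style quoted in the issue.
DETAILS_FORMAT = "User: %TargetUserName% ¦ LID: %TargetLogonId% ¦ Type: %LogonType%"

# %Name% placeholders; field names are alphanumeric with underscores.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")


def expand_details_strings_only(fmt: str, event: Dict[str, Any]) -> str:
    """Hypothetical buggy expansion reproducing the reported symptom:
    only string-typed values are substituted, so an integer field is
    rendered as its bare field name (e.g. 'Type: LogonType')."""
    def sub(m: "re.Match[str]") -> str:
        value = event.get(m.group(1))
        if isinstance(value, str):
            return value
        return m.group(1)  # falls back to the placeholder's name
    return PLACEHOLDER.sub(sub, fmt)


def expand_details(fmt: str, event: Dict[str, Any]) -> str:
    """Corrected expansion: any present, non-null value is stringified,
    integers included. A field absent from the event keeps its %Name%
    placeholder so the analyst can see the rule referenced missing data."""
    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        value = event.get(name)
        if value is None:
            return m.group(0)
        return str(value)
    return PLACEHOLDER.sub(sub, fmt)


if __name__ == "__main__":
    print("buggy:   ", expand_details_strings_only(DETAILS_FORMAT, SAMPLE_EVENT))
    print("correct: ", expand_details(DETAILS_FORMAT, SAMPLE_EVENT))
```

Running the block prints the two Details lines side by side; the buggy variant yields "LID: TargetLogonId ¦ Type: LogonType", which is exactly the output reported above, while the corrected variant yields "LID: 999 ¦ Type: 2".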

scudette commented 7 months ago

Yes, you are absolutely right - this is an issue, confirmed and filed as https://github.com/Velocidex/velociraptor/issues/3231

Thanks for reporting it!

scudette commented 6 months ago

This should be fixed since 0.7.1-2