Velocidex / velociraptor-sigma-rules

A Compiler from Sigma rules to VQL
10 stars 4 forks source link

Integer field are not parsed inside the Details field #16

Closed ablescia closed 8 months ago

ablescia commented 10 months ago

When I use the Sigma.Windows.Hayabusa.Rules artifact, I noticed that the Details field does not parse integer fields.

For example, observe that both the LogonType and the TargetLogonId are not parsed:

image

scudette commented 10 months ago

The Details field is supposed to show a single line human representation of the event for fast viewing. It is a similar idea to the windows event log message - it is a format string which has some of the event details interpolated into it.

This is an extension to the Sigma standard used by Hayabusa. The details format string can be in the rule itself - for example https://github.com/Yamato-Security/hayabusa-rules/blob/09dba13950cb849d320d76ae63707496c5947f14/hayabusa/builtin/Security/LogonLogoff/Logoff/Sec_4634_Info_Logoff_Noisy.yml#L6

or the details field can be set as a default for that event type in the config file - for example:

https://github.com/Velocidex/velociraptor-sigma-rules/blob/4a689a4fd58217821c881c7577303b524184e04a/config/windows_hayabusa_rules.yaml#L329

Either way the details field is not supposed to show all the event data - only some of it that the rule writer considers important.

ablescia commented 10 months ago

Dear @scudette, I have had the opportunity to review the proposed configuration file. Event 4624, as stated in the configuration file, should display the LogonType field set with the corresponding value. Instead, it shows the text Type: LogonType. I do not understand why this is happening. The example I showed in the photo contains the LogonType value set to 2, which is why I expect it to be displayed.

ablescia commented 10 months ago

@scudette I tried with the event_id 4634.

As you can see below, the problem persists with the TargetLogonId and LogonId fields: image

Hayabusa detail declaration: details: 'User: %TargetUserName% ¦ LID: %TargetLogonId% ¦ Type: %LogonType%'

Regards,

scudette commented 10 months ago

Oh I see - the LogonType is not properly expanded into the format string. Let me look at it

ablescia commented 10 months ago

Oh I see - the LogonType is not properly expanded into the format string. Let me look at it

I think the problem concerns all the integers.

scudette commented 10 months ago

Yes you are absolutely right - this is an issue confirmed and filed https://github.com/Velocidex/velociraptor/issues/3231

Thanks for reporting it !

scudette commented 8 months ago

This should be fixed since 0.7.1-2