Closed ablescia closed 8 months ago
The Details field is supposed to show a single-line, human-readable representation of the event for fast viewing. It is a similar idea to the Windows event log message - it is a format string which has some of the event details interpolated into it.
This is an extension to the Sigma standard used by Hayabusa. The details format string can be in the rule itself - for example https://github.com/Yamato-Security/hayabusa-rules/blob/09dba13950cb849d320d76ae63707496c5947f14/hayabusa/builtin/Security/LogonLogoff/Logoff/Sec_4634_Info_Logoff_Noisy.yml#L6
or the details field can be set as a default for that event type in the config file - for example:
Either way the details field is not supposed to show all the event data - only some of it that the rule writer considers important.
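As an added illustration of the format-string idea described above (this is example code written for this thread, not Velociraptor's or Hayabusa's own implementation), the block below expands `%Field%` placeholders against an event record, converting every value with `str()` so integer fields such as LogonType are rendered. It also includes a hypothetical strings-only expander that reproduces the symptom reported here, and a check that flags placeholders whose slot still holds the bare field name. The event values and the format string are constructed for the example.

```python
import re
from typing import Any, Dict, List, Mapping

# A placeholder is a field name wrapped in percent signs, e.g. %LogonType%.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")

# Constructed sample event (illustrative values, not taken from the issue).
# TargetLogonId and LogonType are integers, the value type the thread
# reports as not being expanded.
SAMPLE_EVENT: Dict[str, Any] = {
    "TargetUserName": "alice",
    "TargetLogonId": 999,
    "LogonType": 2,
}

# Constructed format string with the same shape as the rule's details line.
SAMPLE_FORMAT = "User: %TargetUserName% | LID: %TargetLogonId% | Type: %LogonType%"


def expand_details(fmt: str, event: Mapping[str, Any], missing: str = "") -> str:
    """Replace each %Field% with str(event[Field]).

    Converting every value with str() is the point: integers, booleans and
    floats are rendered like strings instead of being skipped. Fields that
    are absent or None are replaced with `missing`.
    """
    def substitute(match: "re.Match") -> str:
        value = event.get(match.group(1))
        return missing if value is None else str(value)

    return PLACEHOLDER.sub(substitute, fmt)


def strings_only_expand(fmt: str, event: Mapping[str, Any]) -> str:
    """Hypothetical expander that only substitutes str values and otherwise
    drops the percent signs, leaving the bare field name.

    This is NOT Velociraptor's code; it reproduces the symptom from the
    thread ("Type: LogonType") so the check below has something to catch.
    """
    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        value = event.get(name)
        return value if isinstance(value, str) else name

    return PLACEHOLDER.sub(substitute, fmt)


def unexpanded_fields(fmt: str, rendered: str) -> List[str]:
    """Return placeholder names whose slot in `rendered` still holds the
    bare field name, i.e. values that were never interpolated.

    Builds a regex from `fmt` in which each %Field% becomes a capture group
    and all literal text is escaped, then compares each captured slot with
    the field name it was supposed to replace.
    """
    names: List[str] = []
    pattern = ""
    last = 0
    for match in PLACEHOLDER.finditer(fmt):
        pattern += re.escape(fmt[last:match.start()]) + "(.*?)"
        names.append(match.group(1))
        last = match.end()
    pattern += re.escape(fmt[last:]) + r"\Z"
    found = re.match(pattern, rendered, re.DOTALL)
    if found is None:
        return names  # rendered text does not even match the template
    return [name for name, value in zip(names, found.groups()) if value == name]


if __name__ == "__main__":
    good = expand_details(SAMPLE_FORMAT, SAMPLE_EVENT)
    bad = strings_only_expand(SAMPLE_FORMAT, SAMPLE_EVENT)
    print(good)
    print(bad)
    print("unexpanded:", unexpanded_fields(SAMPLE_FORMAT, bad))
```

Running the module prints the correctly rendered line, the line with the symptom, and `['TargetLogonId', 'LogonType']` for the latter. The `unexpanded_fields` check is a cheap regression test to run over rendered Details output after an upgrade; it can give a false positive only if a field's real value happens to equal its own name.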
Dear @scudette, I have had the opportunity to review the proposed configuration file. Event 4624, as stated in the configuration file, should display the LogonType field set with the corresponding value. Instead, it shows the text Type: LogonType. I do not understand why this is happening. The example I showed in the photo contains the LogonType value set to 2, which is why I expect it to be displayed.
@scudette I tried with the event_id 4634.
As you can see below, the problem persists with the TargetLogonId and LogonId fields:
Hayabusa detail declaration:
details: 'User: %TargetUserName% ¦ LID: %TargetLogonId% ¦ Type: %LogonType%'
Regards,
Oh I see - the LogonType is not properly expanded into the format string. Let me look at it
I think the problem concerns all the integers.
Yes you are absolutely right - this is an issue confirmed and filed https://github.com/Velocidex/velociraptor/issues/3231
Thanks for reporting it!
This should be fixed since 0.7.1-2
When I use the Sigma.Windows.Hayabusa.Rules artifact, I noticed that the Details field does not parse integer fields.
For example, observe that both the LogonType and the TargetLogonId are not parsed: