Closed YamatoSecurity closed 11 months ago
@YamatoSecurity
If you want to see what you want in plain sight, how about the following output?

    Excluded rules: 24
    Noisy rules: 7 (Disabled)
    Deprecated rules: 161 (4.54%) (Disabled)
    Experimental rules: 1839 (51.82%)
    Stable rules: 225 (6.34%)
    Test rules: 1485 (41.84%)
    Unsupported rules: 43 (1.21%) (Disabled)
    Hayabusa rules: 152
        critical rules: xxx
        high rules: xxx
        medium rules: xxx
        low rules: xxx
        informational rules: xxx
    Sigma rules: 3397
        critical rules: yyy (Sigma-critical)
        high rules: yyy (Sigma-high)
        medium rules: yyy (Sigma-medium)
        low rules: yyy (Sigma-low)
        informational rules: yyy (Sigma-informational)
    Total enabled detection rules: 3549
@hitenkoku Thank you for the suggestion! Maybe one day it might be nice to separate showing the levels between Sigma and built-in Hayabusa rules, but I would like to keep them together as it is now for now.
@YamatoSecurity @hitenkoku @itiB When I checked with "Hayabusa v2.10.1", the number of rules is displayed according to each specified level as shown below. A display example is attached.
.\hayabusa-2.10.1-win-x64.exe csv-timeline -d ..\hayabusa-sample-evtx\ -m medium --no-wizard
.\hayabusa-2.10.1-win-x64.exe csv-timeline -d ..\hayabusa-sample-evtx\ -m critical --no-wizard
@garigariganzy Thank you for looking into this. It seems that this issue must have been fixed in another PR so I will close it. I will try to find another issue for you.
When using `-m` or `-e` to only use certain level rules (Ex: `-m low`, `-e high`, etc...), the number of detection rules loaded does not change. Ex: `./hayabusa-2.5.0-mac-intel csv-timeline -d ../hayabusa-sample-evtx` shows:

but the numbers don't change when adding `-m high`, `-e informational`, etc... It would be nice to know how many rules were actually used when only using a subset of certain levels.
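The following is an added example, not code from the Hayabusa project, illustrating the behaviour the issue asks for and the per-source, per-level summary proposed in the thread: rules are first dropped by status (deprecated, unsupported, noisy unless explicitly enabled), then by the minimum-level (`-m`) or exact-level (`-e`) filter, and the counts reported reflect only the rules that survive both steps. The rule set, the `noisy` flag on each rule, and the `enable_noisy` option are constructed for this example and are a simplification of how Hayabusa actually tracks noisy rules.

```python
from collections import Counter

# Sigma/Hayabusa severity levels, lowest to highest.
LEVELS = ["informational", "low", "medium", "high", "critical"]
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVELS)}

# Statuses that are disabled by default (the "(Disabled)" rows in the thread).
DISABLED_STATUSES = {"deprecated", "unsupported"}

# Constructed sample rules (assumption: a tiny stand-in for a real rule set).
SAMPLE_RULES = [
    {"title": "h-crit", "level": "critical", "status": "stable", "source": "hayabusa", "noisy": False},
    {"title": "h-high", "level": "high", "status": "test", "source": "hayabusa", "noisy": False},
    {"title": "h-med-noisy", "level": "medium", "status": "test", "source": "hayabusa", "noisy": True},
    {"title": "s-crit", "level": "critical", "status": "experimental", "source": "sigma", "noisy": False},
    {"title": "s-high", "level": "high", "status": "stable", "source": "sigma", "noisy": False},
    {"title": "s-high-dep", "level": "high", "status": "deprecated", "source": "sigma", "noisy": False},
    {"title": "s-med", "level": "medium", "status": "test", "source": "sigma", "noisy": False},
    {"title": "s-low", "level": "low", "status": "experimental", "source": "sigma", "noisy": False},
    {"title": "s-info", "level": "informational", "status": "test", "source": "sigma", "noisy": False},
    {"title": "s-info-unsup", "level": "informational", "status": "unsupported", "source": "sigma", "noisy": False},
]


def is_enabled(rule, enable_noisy=False):
    """Status-based filter: deprecated/unsupported rules are always off,
    noisy rules only on when the caller opts in."""
    if rule["status"] in DISABLED_STATUSES:
        return False
    if rule["noisy"] and not enable_noisy:
        return False
    return True


def matches_level(rule, min_level=None, exact_level=None):
    """Level filter: -m keeps rules at or above min_level, -e keeps one level."""
    if min_level is not None and exact_level is not None:
        raise ValueError("use either a minimum level (-m) or an exact level (-e), not both")
    rank = LEVEL_RANK[rule["level"]]
    if exact_level is not None:
        return rank == LEVEL_RANK[exact_level]
    if min_level is not None:
        return rank >= LEVEL_RANK[min_level]
    return True


def summarize(rules, min_level=None, exact_level=None, enable_noisy=False):
    """Apply both filters and count what is actually loaded, per source and level."""
    enabled = [r for r in rules if is_enabled(r, enable_noisy)]
    loaded = [r for r in enabled if matches_level(r, min_level, exact_level)]
    summary = {
        "excluded_by_status": len(rules) - len(enabled),
        "excluded_by_level": len(enabled) - len(loaded),
        "total_enabled": len(loaded),
        "by_source": {},
    }
    for source in ("hayabusa", "sigma"):
        counts = Counter(r["level"] for r in loaded if r["source"] == source)
        summary["by_source"][source] = {lvl: counts.get(lvl, 0) for lvl in LEVELS}
    return summary


def format_summary(summary):
    """Render the summary in the layout proposed in the thread."""
    lines = [
        f"Excluded by status: {summary['excluded_by_status']}",
        f"Excluded by level filter: {summary['excluded_by_level']}",
    ]
    for source, counts in summary["by_source"].items():
        lines.append(f"{source.capitalize()} rules: {sum(counts.values())}")
        for lvl in reversed(LEVELS):
            lines.append(f"    {lvl} rules: {counts[lvl]}")
    lines.append(f"Total enabled detection rules: {summary['total_enabled']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Same rule set, three filters: the totals differ, which is the point of the issue.
    for kwargs in ({}, {"min_level": "medium"}, {"exact_level": "critical"}):
        print(f"--- filter: {kwargs or 'none'} ---")
        print(format_summary(summarize(SAMPLE_RULES, **kwargs)))
```

With no filter the sample loads 7 rules; `-m medium` loads 5 and `-e critical` loads 2, and the summary also reports how many enabled rules the level filter set aside, so a reader can reconcile the number against the full rule count.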