Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Number of detection rules does not change when filtering with -m or -e #1039

Closed YamatoSecurity closed 11 months ago

YamatoSecurity commented 1 year ago

When using -m or -e to only use certain level rules (Ex: -m low, -e high, etc...), the number of detection rules loaded does not change. Ex: ./hayabusa-2.5.0-mac-intel csv-timeline -d ../hayabusa-sample-evtx shows:

Excluded rules: 24
Noisy rules: 7 (Disabled)

Deprecated rules: 161 (4.54%) (Disabled)
Experimental rules: 1839 (51.82%)
Stable rules: 225 (6.34%)
Test rules: 1485 (41.84%)
Unsupported rules: 43 (1.21%) (Disabled)

Hayabusa rules: 152
Sigma rules: 3397
Total enabled detection rules: 3549

but the numbers don't change when adding -m high, -e informational, etc... It would be nice to know how many rules were actually used when only using a subset of certain levels.

hitenkoku commented 1 year ago

@YamatoSecurity

It would be nice to know how many rules were actually used when only using a subset of certain levels.

If you want to see what you want in plain sight, how about the following output?

Excluded rules: 24
Noisy rules: 7 (Disabled)

Deprecated rules: 161 (4.54%) (Disabled)
Experimental rules: 1839 (51.82%)
Stable rules: 225 (6.34%)
Test rules: 1485 (41.84%)
Unsupported rules: 43 (1.21%) (Disabled)

Hayabusa rules: 152
  critical rules: xxx
  high rules: xxx
  medium rules: xxx
  low rules: xxx
  informational rules: xxx
Sigma rules: 3397
  critical rules: yyy (Sigma-critical)
  high rules: yyy (Sigma-high)
  medium rules: yyy (Sigma-medium)
  low rules: yyy (Sigma-low)
  informational rules: yyy (Sigma-informational)
Total enabled detection rules: 3549

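
The level filtering described in the opening report (`-m` as a minimum level, `-e` as an exact level) and the per-source, per-level breakdown suggested above, as an added Rust example that is not hayabusa's own code; `Level`, `Filter`, `Rule`, `enabled` and `summary` are assumed names and the rule set is a constructed sample:

```rust
// Added illustration, not hayabusa's own code: how `-m` (minimum level) and `-e`
// (exact level) select rules, and a per-source, per-level count of what is enabled.
// Rules below are constructed samples; the type and function names are assumptions.
use std::collections::BTreeMap;

// Declaration order is severity order, so derived Ord gives informational < ... < critical.
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Level { Informational, Low, Medium, High, Critical }

pub enum Filter { All, Minimum(Level), Exact(Level) }
pub struct Rule { pub source: &'static str, pub level: Level }

/// `-m` keeps rules at or above the level; `-e` keeps only that exact level.
pub fn enabled<'a>(rules: &'a [Rule], f: &Filter) -> Vec<&'a Rule> {
    rules.iter().filter(|r| match f {
        Filter::All => true,
        Filter::Minimum(l) => r.level >= *l,
        Filter::Exact(l) => r.level == *l,
    }).collect()
}

/// Count enabled rules per (source, level): the breakdown the summary should show.
pub fn summary(rules: &[Rule], f: &Filter) -> BTreeMap<(&'static str, Level), usize> {
    let mut counts = BTreeMap::new();
    for r in enabled(rules, f) {
        *counts.entry((r.source, r.level)).or_insert(0) += 1;
    }
    counts
}

/// Constructed sample set: 3 hayabusa rules and 5 sigma rules.
pub fn sample_rules() -> Vec<Rule> {
    let mk = |source: &'static str, level: Level| Rule { source, level };
    vec![mk("hayabusa", Level::High), mk("hayabusa", Level::Medium), mk("hayabusa", Level::Low),
         mk("sigma", Level::Critical), mk("sigma", Level::High), mk("sigma", Level::High),
         mk("sigma", Level::Medium), mk("sigma", Level::Informational)]
}

fn main() {
    let (rules, filter) = (sample_rules(), Filter::Minimum(Level::High)); // same as `-m high`
    for ((source, level), n) in summary(&rules, &filter) {
        println!("{source} {level:?} rules: {n}");
    }
    println!("Total enabled detection rules: {}", enabled(&rules, &filter).len());
}
```

With the sample set, `-m high` leaves 4 enabled rules and `-e high` leaves 3, so the printed totals change with the filter, which is the behaviour the report asks for.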
YamatoSecurity commented 1 year ago

@hitenkoku Thank you for the suggestion! Maybe one day it might be nice to separate showing the levels between sigma and built in hayabusa rules but I would like to keep them together as it is now for now.

garigariganzy commented 11 months ago

@YamatoSecurity @hitenkoku @itiB When I checked with "Hayabusa v2.10.1", the number of rules is displayed according to each specified level as shown below. A display example is attached.

.\hayabusa-2.10.1-win-x64.exe csv-timeline -d ..\hayabusa-sample-evtx\ -m medium --no-wizard

[Attached screenshot: 1039_display_sample]

.\hayabusa-2.10.1-win-x64.exe csv-timeline -d ..\hayabusa-sample-evtx\ -m critical --no-wizard

[Attached screenshot: 1039_display_sample2]

YamatoSecurity commented 11 months ago

@garigariganzy Thank you for looking into this. It seems that this issue must have been fixed in another PR so I will close it. I will try to find another issue for you.