Closed YamatoSecurity closed 5 months ago
One more thing, while I'm at it I'd like to change how results are output.
Now:
[condition] count(TargetUserName) by IpAddress > 3 in timeframe [result] count: 4 TargetUserName:tanaka/Administrator/adsyncadmin/suzuki IpAddress:- timeframe:5m
Since no other rules print out the condition statement, I think it would be better just to display the results.
After:
Count: 4 ¦ TargetUserName: tanaka/Administrator/adsyncadmin/suzuki ¦ IpAddress: -
Or even better, if we could define in details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%'
and get the following results: Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -
This would let us keep the field name convention.
@fukusuket This is related to Event and Value Counting correlation rules. Since we need to support multiple group-by, it might be better to first implement and test this with our current count. (This can also lower false positives with our current rules.) For example:
It would be nice to be able to specify this as
selection and not filter | count() by IpAddress,Computer >= 5
So both IpAddress and Computer have to be the same. This will check that both source and target of the attack are the same. Now, when we use Hayabusa to scan all .evtx files from multiple computers, there is a possibility of false positives if an attacker is guessing passwords to multiple machines. This will let us distinguish between password guessing attacks against one machine and password spray attacks against multiple machines even if we are scanning logs from multiple machines.
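The two ideas in this thread, a count() with several group-by fields and a details-style template such as 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%', as an added example in Rust (Hayabusa's language). This is not Hayabusa's own code, and the rule semantics it assumes (distinct values of the counted field per group, the threshold reached inside one sliding window of the timeframe) are assumptions made here; the events are constructed sample data, not real logs. It shows the false-positive point from the comment above: grouping by IpAddress alone flags an attacker who tries two accounts each on three hosts, while grouping by IpAddress and Computer does not.

```rust
use std::collections::{BTreeMap, BTreeSet, HashMap};

/// One normalised event. The field names mirror Windows logon-failure fields
/// (IpAddress, Computer, TargetUserName); the data is constructed for this example.
#[derive(Debug, Clone)]
struct Event {
    ts: u64, // event time in seconds (simplified timestamp)
    fields: HashMap<&'static str, &'static str>,
}

fn ev(ts: u64, ip: &'static str, computer: &'static str, user: &'static str) -> Event {
    let mut fields = HashMap::new();
    fields.insert("IpAddress", ip);
    fields.insert("Computer", computer);
    fields.insert("TargetUserName", user);
    Event { ts, fields }
}

/// One correlation hit: the group-by key, the distinct counted values, and the count.
#[derive(Debug, PartialEq)]
struct Hit {
    key: Vec<(String, String)>,
    values: Vec<String>,
    count: usize,
}

/// Evaluate `count(<count_field>) by <group_by...> >= threshold in <timeframe>`.
/// Assumed semantics: distinct values of `count_field` are counted per group, and the
/// threshold must be reached inside a single sliding window of `timeframe_secs`.
fn count_by(
    events: &[Event],
    count_field: &str,
    group_by: &[&str],
    threshold: usize,
    timeframe_secs: u64,
) -> Vec<Hit> {
    let mut groups: BTreeMap<Vec<(String, String)>, Vec<(u64, String)>> = BTreeMap::new();
    for e in events {
        // The key is the tuple of all group-by values, so two events only share a
        // group when every listed field (e.g. IpAddress AND Computer) matches.
        let key = group_by
            .iter()
            .map(|g| (g.to_string(), e.fields.get(*g).copied().unwrap_or("-").to_string()))
            .collect::<Vec<_>>();
        let value = e.fields.get(count_field).copied().unwrap_or("-").to_string();
        groups.entry(key).or_default().push((e.ts, value));
    }

    let mut hits = Vec::new();
    for (key, mut items) in groups {
        items.sort_by_key(|(ts, _)| *ts);
        // Sliding window: from each event, collect distinct values until the
        // timeframe is exceeded, and keep the largest set seen for this group.
        let mut best: BTreeSet<String> = BTreeSet::new();
        for i in 0..items.len() {
            let mut distinct = BTreeSet::new();
            for (ts, v) in &items[i..] {
                if *ts - items[i].0 > timeframe_secs {
                    break;
                }
                distinct.insert(v.clone());
            }
            if distinct.len() > best.len() {
                best = distinct;
            }
        }
        let count = best.len();
        if count >= threshold {
            hits.push(Hit { key, values: best.into_iter().collect(), count });
        }
    }
    hits
}

/// Render a details-style template such as "TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%",
/// prefixed with the count; the counted field expands to its distinct values joined by "/".
fn render(template: &str, hit: &Hit, count_field: &str) -> String {
    let mut body = template.to_string();
    for (field, value) in &hit.key {
        body = body.replace(&format!("%{}%", field), value);
    }
    body = body.replace(&format!("%{}%", count_field), &hit.values.join("/"));
    format!("Count: {} ¦ {}", hit.count, body)
}

/// Constructed sample: 10.0.0.5 guesses five accounts on HOST-A within five minutes
/// (plus one attempt much later), while 10.0.0.9 sprays two accounts on each of three hosts.
fn sample_events() -> Vec<Event> {
    vec![
        ev(0, "10.0.0.5", "HOST-A", "tanaka"),
        ev(30, "10.0.0.5", "HOST-A", "Administrator"),
        ev(60, "10.0.0.5", "HOST-A", "adsyncadmin"),
        ev(90, "10.0.0.5", "HOST-A", "suzuki"),
        ev(120, "10.0.0.5", "HOST-A", "sato"),
        ev(2000, "10.0.0.5", "HOST-A", "yamada"), // outside the 5m window
        ev(10, "10.0.0.9", "HOST-A", "a1"),
        ev(20, "10.0.0.9", "HOST-A", "a2"),
        ev(30, "10.0.0.9", "HOST-B", "b1"),
        ev(40, "10.0.0.9", "HOST-B", "b2"),
        ev(50, "10.0.0.9", "HOST-C", "c1"),
        ev(60, "10.0.0.9", "HOST-C", "c2"),
    ]
}

fn main() {
    let events = sample_events();
    let template = "TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress% ¦ Host: %Computer%";
    for group_by in [&["IpAddress"][..], &["IpAddress", "Computer"][..]] {
        println!("count(TargetUserName) by {} >= 5 in 5m", group_by.join(","));
        for hit in count_by(&events, "TargetUserName", group_by, 5, 300) {
            println!("  {}", render(template, &hit, "TargetUserName"));
        }
    }
}
```

With group-by IpAddress only, both source addresses cross the threshold; with IpAddress and Computer together, only the single-host guessing from 10.0.0.5 remains, and the late attempt from that address is excluded by the timeframe.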