Improving count rule's output

[fukusuket]

https://github.com/Yamato-Security/hayabusa/pull/1341#issuecomment-2097170105

1. Is it possible to put in the Channel and EventID info? When there are multiple values, we can separate them with ¦.
2. ExtraFieldInfo is blank (··) but would nice to have it as - which we use for n/a. So ·· -> · - ·
3. EvtxFile is also - but many users ask me how they can look up the evtx file from this alert so it would be nice to get this information as well. Again, separate by ¦ when there are multiple values.
4. Is it possible to do the field key mapping? For example, change SubStatus: 0xc000006a to SubStatus: WRONG PW, etc...

[fukusuket]

https://github.com/Yamato-Security/hayabusa/issues/1339#issuecomment-2092704365

Or even better, if we could define in details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' and get the following results: Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -

[fukusuket]

https://github.com/Yamato-Security/hayabusa/pull/1341#issuecomment-2099492290

• If top level Channel has multiple values, should it be an array or string?
• If top level EventID has multiple values, should it be an array or string?
• If each field under Details has multiple values, should it be an array or string?
• Should the aggregate results of Channel and EventID be placed under Details?

[YamatoSecurity]

@fukusuket I talked to someone who is more familiar with importing into elastic stack and he said that elastic will create multiple logs (documents) when arrays are used and it will make parsing more difficult so I think we should avoid arrays and keep everything as strings. We should probably keep the Channel and EventID information not in Details, but in the normal fields so that it makes searching for them easier.

[fukusuket]

@YamatoSecurity Thank you for checking :) Is the expected JSON output format like the following?

• Top-level fields are strings joined with ¦.
• Create fields such as Count/IpAddress/SubStatus... under the Details field and store values ​​in each.

  {
  "Timestamp": "2021-10-24 06:50:11.666 +09:00",
  "RuleTitle": "TEST_TITLE",
  "Level": "info",
  "Computer": "HOSTA ¦ HOSTB",
  "Channel": "Sysmon ¦ Security",
  "EventID": "4624 ¦ 4625",
  "RecordID": "",
  "Details": {
      "Count": 2,
      "IpAddress": "10.23.23.9",
      "SubStatus": "0x0",
      "LogonType": "10"
  },
  "ExtraFieldInfo": "-"
  }

[YamatoSecurity]

@fukusuket LGTM!

[fukusuket]

https://github.com/Yamato-Security/hayabusa/issues/1373#issue-2369875686

Problems:

1. Top 5 computers with most unique detections shows only n/a but should include the correlation rule results

https://github.com/Yamato-Security/hayabusa/pull/1376#issue-2372922094

[fukusuket]

TODO

• [x] 1. Is it possible to put in the Channel and EventID info? When there are multiple values, we can separate them with ¦.
• [x] 2. ExtraFieldInfo is blank (··) but would nice to have it as - which we use for n/a. So ·· -> · - ·
• [x] 3. EvtxFile is also - but many users ask me how they can look up the evtx file from this alert so it would be nice to get this information as well. Again, separate by ¦ when there are multiple values.
• [ ] 4. Is it possible to do the field key mapping? For example, change SubStatus: 0xc000006a to SubStatus: WRONG PW, etc...
• [x] 5. We should probably keep the Channel and EventID information not in Details, but in the normal fields
• [x] 6. Top 5 computers with most unique detections shows only n/a but should include the correlation rule results
• [x] 7. Events with hits / Total events: 0 / 26,341 (Data reduction: 26,341 events (100.00%)) should say Events with hits / Total events: 2 / 26,341 (Data reduction: 26,339 events (99.99%))
• [ ] 8. Or even better, if we could define in details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' and get the following results: Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -