Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU General Public License v3.0

Sigma correlation rule count does not show up in 'Events with hits' #1373

Closed YamatoSecurity closed 2 months ago

YamatoSecurity commented 3 months ago

@fukusuket Sorry, I noticed this bug after merging the previous PR.

I am using this rule:

title: Value Count TEST
id: 0e95725d-7320-415d-80f7-004da920fc11
level: high
correlation:
  type: value_count
  rules:
    - 8afa97ce-a217-4f7c-aced-3e320a57756d
    - e87bd730-df45-4ae9-85de-6c75369c5d29
  group-by:
    - Computer
  timespan: 5m
  condition:
    gte: 2
    field: SubStatus
---
title: Logon Failure (User Does Not Exist)
description: Prints failed logons

id: 8afa97ce-a217-4f7c-aced-3e320a57756d
level: medium
logsource:
  product: windows
  service: security
detection:
  selection_basic:
    Channel: Security
    EventID: 4625
  selection_user_not_exist:
    SubStatus: "0xc0000064" #Username does not exist error
  condition: selection_basic and selection_user_not_exist
---
title: Logon Failure (Wrong Password)
description: Prints logon information.

id: e87bd730-df45-4ae9-85de-6c75369c5d29
level: low
logsource:
  product: windows
  service: security
detection:
  selection_basic:
    Channel: Security
    EventID: 4625
  selection_wrong_password:
    SubStatus: "0xc000006a" #Wrong password
  condition: selection_basic and selection_wrong_password

and this command: ./target/release/hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r ~/Desktop/test.yml

It gives me this summary:

Results Summary:

Events with hits / Total events: 0 / 26,341 (Data reduction: 26,341 events (100.00%))

Total | Unique detections: 2 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 2 (100.00%) | 1 (0.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (100.00%)

Dates with most total detections:
critical: n/a, high: 2021-05-20 (1), medium: n/a, low: n/a, informational: n/a

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: n/a

╭──────────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts:     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         Value Count TEST (2) │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
│ n/a                         n/a                  │
╰───────────────────────────╌──────────────────────╯

Problems:

  1. Top 5 computers with most unique detections shows only n/a but should include the correlation rule results
  2. Events with hits / Total events: 0 / 26,341 (Data reduction: 26,341 events (100.00%)) should say Events with hits / Total events: 2 / 26,341 (Data reduction: 26,339 events (99.99%))

fukusuket commented 3 months ago

@YamatoSecurity Let me confirm one thing! The aggregation condition rule also did not count Events with hits (https://github.com/Yamato-Security/hayabusa/issues/1375), but isn't this behavior particularly intended?

If either issue does not work as intended, I will fix them both! 💪

fukusuket commented 3 months ago

@YamatoSecurity I have a question! Which of the following is the best number to output to Events with hits?

  • Number of all events matching correlation
  • Number of sets of events matching correlation

YamatoSecurity commented 3 months ago

> @YamatoSecurity Let me confirm one thing! The aggregation condition rule also did not count Events with hits (#1375), but isn't this behavior particularly intended?
>
> If either issue does not work as intended, I will fix them both! 💪

Thanks! Yes, I think we should include the | count rules as well.

YamatoSecurity commented 3 months ago

> @YamatoSecurity I have a question! Which of the following is the best number to output to Events with hits?
>
>   • Number of all events matching correlation
>   • Number of sets of events matching correlation

What do you mean by sets of events?

I was thinking the total number of events that any rule matched on. So for example, if 50 failed logon events caused 50 failed logon alerts plus 1 password spray alert, then it would be 50 events with hits (not 51; we would still use 51 for total detections, though). Also, if the 50 failed logon events caused just the 1 password spray alert (because of the default generate: false behavior), then it would still be 50 events with hits (and 1 total detection).

What do you think?
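
The counting rule YamatoSecurity describes above, worked through in code as an added example (this is not hayabusa's own code). It assumes a minimal constructed event record, two base rules that match EventID 4625 on a given SubStatus (mirroring the two rules in the issue), and a simplified value_count correlation that groups by Computer in tumbling windows of the rule's timespan and alerts when the number of distinct SubStatus values in a window is at least `gte`. "Events with hits" is the number of distinct events matched by any rule, so a correlation alert never adds to it; "total detections" counts every alert, and the `generate` flag decides whether the base rules emit alerts of their own or only feed the correlation.

```rust
// Added example, not hayabusa code: models the "Events with hits" vs
// "total detections" counting rule discussed in the issue.
use std::collections::{BTreeMap, BTreeSet, HashSet};

/// Minimal stand-in for a Windows event record (constructed sample data).
#[derive(Clone, Debug)]
pub struct Event {
    pub id: usize, // record position, used as the unique event key
    pub ts: u64,   // seconds since epoch
    pub event_id: u32,
    pub computer: &'static str,
    pub sub_status: &'static str,
}

/// A base Sigma rule: EventID 4625 with one specific SubStatus value.
pub struct BaseRule {
    pub sub_status: &'static str,
    /// Sigma `generate`: emit base-rule alerts (true) or only feed the correlation (false).
    pub generate: bool,
}

/// Simplified value_count correlation: per computer, per tumbling window of
/// `timespan_secs`, alert when distinct SubStatus values >= `gte` (an assumption;
/// hayabusa's real window handling may differ).
pub struct ValueCountRule {
    pub timespan_secs: u64,
    pub gte: usize,
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Summary {
    pub events_with_hits: usize,
    pub total_detections: usize,
}

pub fn summarize(events: &[Event], base: &[BaseRule], corr: &ValueCountRule) -> Summary {
    // Distinct event ids matched by any rule: an event counts once no matter
    // how many base rules or correlation alerts it contributes to.
    let mut hit_events: HashSet<usize> = HashSet::new();
    let mut total_detections = 0usize;
    // (computer, window index) -> distinct SubStatus values seen in that window
    let mut windows: BTreeMap<(&str, u64), BTreeSet<&str>> = BTreeMap::new();

    for ev in events {
        for rule in base {
            if ev.event_id != 4625 || ev.sub_status != rule.sub_status {
                continue;
            }
            hit_events.insert(ev.id);
            if rule.generate {
                total_detections += 1; // one base-rule alert per matching event
            }
            let window = ev.ts / corr.timespan_secs;
            windows
                .entry((ev.computer, window))
                .or_default()
                .insert(ev.sub_status);
        }
    }

    // One correlation alert per window that meets the threshold; it adds a
    // detection but no new events with hits.
    total_detections += windows.values().filter(|vals| vals.len() >= corr.gte).count();

    Summary { events_with_hits: hit_events.len(), total_detections }
}

/// Constructed sample: HOST-A sees both failure codes within 5 minutes (triggers
/// the correlation), HOST-B sees only one code, plus one unrelated 4624 event.
pub fn sample_events() -> Vec<Event> {
    vec![
        Event { id: 0, ts: 0, event_id: 4625, computer: "HOST-A", sub_status: "0xc0000064" },
        Event { id: 1, ts: 60, event_id: 4625, computer: "HOST-A", sub_status: "0xc000006a" },
        Event { id: 2, ts: 120, event_id: 4625, computer: "HOST-A", sub_status: "0xc000006a" },
        Event { id: 3, ts: 30, event_id: 4625, computer: "HOST-B", sub_status: "0xc000006a" },
        Event { id: 4, ts: 90, event_id: 4625, computer: "HOST-B", sub_status: "0xc000006a" },
        Event { id: 5, ts: 100, event_id: 4624, computer: "HOST-B", sub_status: "0x0" },
    ]
}

pub fn base_rules(generate: bool) -> Vec<BaseRule> {
    vec![
        BaseRule { sub_status: "0xc0000064", generate }, // user does not exist
        BaseRule { sub_status: "0xc000006a", generate }, // wrong password
    ]
}

/// timespan: 5m, condition: gte 2 on field SubStatus, as in the issue's rule.
pub const VALUE_COUNT: ValueCountRule = ValueCountRule { timespan_secs: 300, gte: 2 };

fn main() {
    let events = sample_events();
    println!("generate: true  -> {:?}", summarize(&events, &base_rules(true), &VALUE_COUNT));
    println!("generate: false -> {:?}", summarize(&events, &base_rules(false), &VALUE_COUNT));
}
```

With `generate: true` the five 4625 events yield five base alerts plus one correlation alert (6 detections, 5 events with hits); with `generate: false` the same five events yield only the correlation alert (1 detection, still 5 events with hits), which is the distinction the comment draws between the two numbers.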

fukusuket commented 3 months ago

@YamatoSecurity Thank you for the comment :) Yes, I think it is good! I will modify it with the above specifications!