Closed fukusuket closed 2 months ago
detection.rs#L44-L51 https://github.com/Yamato-Security/hayabusa/blob/95ee553a8abe9b0f3886ed60673452e2496cd06c/src/detections/detection.rs#L44-L51
mod.rs#L30-L35 https://github.com/Yamato-Security/hayabusa/blob/efaca57e93c6e298a3f2afcd9dbbad93e545dff8/src/detections/rule/mod.rs#L30-L35
mod.rs#L375-L386 https://github.com/Yamato-Security/hayabusa/blob/95ee553a8abe9b0f3886ed60673452e2496cd06c/src/detections/rule/mod.rs#L375-L386
rule/mod.rs#L85-L104 https://github.com/Yamato-Security/hayabusa/blob/efaca57e93c6e298a3f2afcd9dbbad93e545dff8/src/detections/rule/mod.rs#L85-L110
rule/count.rs#L20-L74 https://github.com/Yamato-Security/hayabusa/blob/efaca57e93c6e298a3f2afcd9dbbad93e545dff8/src/detections/rule/count.rs#L20-L74
main.rs#L1576 https://github.com/Yamato-Security/hayabusa/blob/95ee553a8abe9b0f3886ed60673452e2496cd06c/src/main.rs#L1576
    use chrono::{DateTime, Utc};
    use compact_str::CompactString;
    use std::collections::HashMap;
    // `Profile` is hayabusa's own output-profile type, defined elsewhere in the project.

    #[derive(Debug, Clone, PartialEq, Eq, Default)]
    /// Struct holding the result of an aggregation such as count
    pub struct AggResult {
        /// The value of count, etc.
        pub data: i64,
        /// The value, within the record, of the field specified with `count ... by`
        pub key: String,
        /// Array of the values, in the detected records, of the field specified inside the count() parentheses.
        /// If nothing was specified inside the parentheses, this is an array of length 0
        pub field_values: Vec<String>,
        /// Time and EventID of the first record of each detected block
        pub id_time_pair: Vec<(String, DateTime<Utc>)>,
    }

    #[derive(Debug, Clone, PartialEq, Eq, Default)]
    pub struct DetectInfo {
        pub detected_time: DateTime<Utc>,
        pub rulepath: CompactString,
        pub ruleid: CompactString,
        pub ruletitle: CompactString,
        pub level: CompactString,
        pub computername: CompactString,
        pub eventid: CompactString,
        pub detail: CompactString,
        pub ext_field: Vec<(CompactString, Profile)>,
        /// Present only for aggregation (count) rules; `None` for ordinary rules
        pub agg_result: Option<AggResult>,
        pub details_convert_map: HashMap<CompactString, Vec<CompactString>>,
    }
Describe the bug

The aggregation condition rule count does not show up in "Events with hits" (and "Top 5 computers"). It's probably a similar cause to #1373, but I'll create a separate issue to make it easier to understand.

Steps to Reproduce

./hayabusa-2.16.0-mac-aarch64 csv-timeline -d ../hayabusa-sample-evtx -r rules/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml -w

ref: Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml

Actual behavior

Expected behavior

Environment

Additional context

This seems to be because the aggregation condition rule is not counted in the line below.
https://github.com/Yamato-Security/hayabusa/blob/efaca57e93c6e298a3f2afcd9dbbad93e545dff8/src/afterfact.rs#L500-L502
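Added example (not hayabusa's code): a simplified `count(field) by key >= N` evaluation that fills the AggResult shape quoted in the issue, plus an "Events with hits" style tally that includes aggregation results. It uses std types only (u64 timestamps instead of chrono::DateTime<Utc>, String instead of CompactString), and the 4625 records are constructed.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Stand-in for the page's AggResult using std types only (u64 epoch seconds
// instead of chrono::DateTime<Utc>; String instead of CompactString).
#[derive(Debug, Clone, PartialEq, Eq, Default)]
pub struct AggResult {
    pub data: i64,                        // the count
    pub key: String,                      // value of the `by` field for this block
    pub field_values: Vec<String>,        // distinct values of the counted field
    pub id_time_pair: Vec<(String, u64)>, // (EventID, time) of each record in the block
}
/// One simplified record: (EventID, time, value of the `by` field, value of the counted field).
pub type Record<'a> = (&'a str, u64, &'a str, &'a str);
/// Evaluate `count(field) by key >= threshold`: one AggResult per key that meets the threshold.
pub fn count_by(records: &[Record<'_>], threshold: i64) -> Vec<AggResult> {
    let mut groups: BTreeMap<&str, (BTreeSet<&str>, Vec<(String, u64)>)> = BTreeMap::new();
    for &(eid, time, key, field) in records {
        let g = groups.entry(key).or_default();
        g.0.insert(field);
        g.1.push((eid.to_string(), time));
    }
    groups
        .into_iter()
        .filter(|(_, (vals, _))| vals.len() as i64 >= threshold)
        .map(|(key, (vals, ids))| AggResult {
            data: vals.len() as i64,
            key: key.to_string(),
            field_values: vals.into_iter().map(str::to_string).collect(),
            id_time_pair: ids,
        })
        .collect()
}
/// "Events with hits" style tally: each aggregation result is one hit alongside the hits
/// from non-aggregation rules. Dropping `agg.len()` reproduces the reported symptom.
pub fn events_with_hits(plain_hits: usize, agg: &[AggResult]) -> usize {
    plain_hits + agg.len()
}
/// Constructed sample: 4625 logon failures keyed by source IP, counting distinct target users.
pub fn sample() -> Vec<AggResult> {
    let recs: [Record<'_>; 5] = [
        ("4625", 100, "10.0.0.5", "alice"),
        ("4625", 105, "10.0.0.5", "bob"),
        ("4625", 110, "10.0.0.5", "carol"),
        ("4625", 120, "10.0.0.9", "alice"),
        ("4625", 130, "10.0.0.9", "alice"), // same user twice: distinct count stays 1
    ];
    count_by(&recs, 3)
}
```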