matanolabs / matano

Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
https://matano.dev
Apache License 2.0

Allow a detection to define how many alerts occurred #138

Open chrismsnz opened 1 year ago

chrismsnz commented 1 year ago

Just dealing with a Google workspace log, this is how it reports 5 failed logins:

...
"events": {
    "name": "login_failure",
    "parameters": [
      {
        "name": "login_type",
        "value": "unknown"
      },
      {
        "multiValue": [
          "password",
          "password",
          "password",
          "password",
          "password"
        ],
        "name": "login_challenge_method"
      }
    ],
    "type": "login"
  },
...

I'd like the detection to be able to be customised to dynamically return (e.g. via a count() function or some such) how many detections have occurred by processing the one log line.

Implementation-wise, not sure. run_detection() could return an array of alert data, or create_alert() could create multiple alerts based on a number returned in alert_response. The more efficient way might be to change the threshold logic to respect an "occurrences" number or something in an alert.
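A Python sketch of the "occurrences" idea, added here as an example and not code from Matano or the issue author: `detect()` returns how many failed logins one record represents instead of a bool, and a hypothetical `OccurrenceThreshold` class sums those counts per dedupe key inside a sliding window before it fires. The `detect`/`dedupe` names follow Matano's detection conventions; `OccurrenceThreshold`, `ingest`, the `actor`/`id.time` fields and the sample record are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample record shaped like the Workspace login_failure event quoted
# in the issue; the actor/id fields and all values are assumptions.
SAMPLE_RECORD = {
    "actor": {"email": "user@example.com"},
    "id": {"time": "2023-01-01T00:00:00Z"},
    "events": {
        "name": "login_failure",
        "parameters": [
            {"name": "login_type", "value": "unknown"},
            {"multiValue": ["password"] * 5, "name": "login_challenge_method"},
        ],
        "type": "login",
    },
}

def detect(record: dict) -> int:
    """Return how many failed logins this one record represents (0 = no match)."""
    event = record.get("events", {})
    if event.get("name") != "login_failure":
        return 0
    for param in event.get("parameters", []):
        if param.get("name") == "login_challenge_method":
            return len(param.get("multiValue", []))
    return 1  # matched, but no per-attempt detail: count the record once

def dedupe(record: dict) -> str:
    return record["actor"]["email"]

class OccurrenceThreshold:
    """Alert once occurrences summed per dedupe key reach the threshold in the window."""
    def __init__(self, threshold: int, window_minutes: int):
        self.threshold, self.window = threshold, timedelta(minutes=window_minutes)
        self.buckets = defaultdict(list)  # dedupe key -> [(timestamp, count), ...]

    def ingest(self, record: dict) -> bool:
        count = detect(record)
        if count == 0:
            return False
        ts = datetime.fromisoformat(record["id"]["time"].replace("Z", "+00:00"))
        key = dedupe(record)
        cutoff = ts - self.window
        self.buckets[key] = [(t, c) for t, c in self.buckets[key] if t >= cutoff]
        self.buckets[key].append((ts, count))
        if sum(c for _, c in self.buckets[key]) >= self.threshold:
            self.buckets[key].clear()  # alert fired; start the next window fresh
            return True
        return False
```

With a threshold of 5, the single five-entry record above fires on its own, while two-entry records need three of them inside the window.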