microsoft / AttackSurfaceAnalyzer

Attack Surface Analyzer can help you analyze your operating system's security configuration for changes during software installation.
MIT License

What are the resultslevel options? #692

Closed huntantr closed 11 months ago

huntantr commented 1 year ago

Describe the bug: The help does not specify what the result level options are.

    --resultlevels    Specify the ResultLevels to report

To Reproduce Steps to reproduce the behavior:

  1. Run 'asa export-collect --resultlevels'
  2. See error: ERROR(S): Option 'resultlevels' has no value.

Expected behavior: Help should clearly indicate what the options are for this parameter.

System Configuration (please complete the following information):

gfs commented 1 year ago

Hi @huntantr,

The result levels correspond to the values of this enum

https://github.com/microsoft/AttackSurfaceAnalyzer/blob/8f3ee6911ae19650e0dc433aecddef60d7cca151/Lib/Objects/Types.cs#L54

And conceptually explained on the wiki page about authoring rules:

https://github.com/microsoft/AttackSurfaceAnalyzer/wiki/Authoring-Analysis-Rules#rule-basics-1

Hopefully that unblocks you for now, but I agree we could make it more obvious from the cli context itself.

huntantr commented 1 year ago

Yes that helps. That will let me move on.

I assume that NONE = 0 is the default?

Thank you.

gfs commented 1 year ago

@huntantr

The default level for each result type is specified in the analyses/rules configuration - either the default one or your own custom one if you choose. The default rules are intended so the lowest level most users would be interested in is INFORMATION, which contains detected changes for some object types which may be interesting even without a specific rule that applies to them, while other results that merely have changed but don't have a specific detection may be less interesting and are marked DEBUG. If specific rules apply to a change that was detected, instead of the default the level is set to the highest level among rules that applied to that change. If you look only for WARNING and up I believe you'll only get results which have a specific rule that detects something interesting - and not just the existence of a change.

I hope that helps clarify. I'm leaving this issue open to track adding this additional detail somewhere more obvious in the documentation.

https://github.com/microsoft/AttackSurfaceAnalyzer/blob/b0059c467b598d844ba5c562f6a32f33f1b72387/analyses.json#L2054-L2072

huntantr commented 1 year ago

If each rule has its own default, how does the --resultlevels argument work? Does it just set the new default for all collectors?

gfs commented 1 year ago

If each rule has its own default, how does the --resultlevels argument work? Does it just set the new default for all collectors?

The default level is based on the object/collector type (i.e. the value in default levels for "file" will be the level used for all files where no rule applies, and so forth) rather than tied to any specific rule, and is defined once per rule set.

ASA Analysis has two steps:

  1. Determine what has changed
  2. Check the rule logic against anything that has changed

The default levels apply to anything detected from the first step that doesn't match any rules from the second.

Then, the results which will be output to the user are filtered using the ResultLevels argument (when set) to export to the user only findings which match the specified levels they requested.
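The two-step flow gfs describes (diff first, then rules, with per-type default levels for unmatched changes and a final filter by the requested levels) is easier to reason about with a small model. The following is an added illustration written for this page, not code from AttackSurfaceAnalyzer: the level names follow the ANALYSIS_RESULT_TYPE enum linked above (their numeric order is assumed here), and the default levels, rules, and sample changes are all constructed for the example rather than copied from analyses.json.

```python
"""Toy model of ASA-style result levelling and filtering (added example, not ASA code)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, Iterable, List


class ResultLevel(IntEnum):
    # Names from the thread's enum; the numeric ordering is an assumption of this example.
    NONE = 0
    VERBOSE = 1
    DEBUG = 2
    INFORMATION = 3
    WARNING = 4
    ERROR = 5
    FATAL = 6


@dataclass
class Change:
    result_type: str            # collector/object type, e.g. "FILE", "PORT", "SERVICE"
    identity: str               # path, port number, service name, ...
    before: Dict[str, object]   # {} when the object is new
    after: Dict[str, object]


@dataclass
class Rule:
    name: str
    result_type: str
    level: ResultLevel
    matches: Callable[[Change], bool]


@dataclass
class Finding:
    change: Change
    level: ResultLevel
    rules: List[str] = field(default_factory=list)   # names of rules that fired


# Constructed per-type defaults, in the spirit of the thread: a bare change to a file
# is DEBUG, while new ports and services are INFORMATION even without a rule.
DEFAULT_LEVELS: Dict[str, ResultLevel] = {
    "FILE": ResultLevel.DEBUG,
    "PORT": ResultLevel.INFORMATION,
    "SERVICE": ResultLevel.INFORMATION,
}

# Constructed rules (hypothetical names and logic, not ASA's shipped rule set).
RULES: List[Rule] = [
    Rule("Unsigned executable added", "FILE", ResultLevel.WARNING,
         lambda c: bool(c.after.get("IsExecutable")) and not c.after.get("SignatureValid")),
    Rule("SetUID file added", "FILE", ResultLevel.ERROR,
         lambda c: c.after.get("SetUid") is True),
    Rule("New port listening on all interfaces", "PORT", ResultLevel.WARNING,
         lambda c: c.before == {} and c.after.get("Address") == "0.0.0.0"),
]


def analyze(changes: Iterable[Change], rules=RULES, defaults=DEFAULT_LEVELS) -> List[Finding]:
    """Step 2: run rules over detected changes; unmatched changes get the per-type default,
    matched changes get the highest level among the rules that applied."""
    findings = []
    for change in changes:
        matched = [r for r in rules if r.result_type == change.result_type and r.matches(change)]
        if matched:
            level = max(r.level for r in matched)
        else:
            level = defaults.get(change.result_type, ResultLevel.NONE)
        findings.append(Finding(change, level, [r.name for r in matched]))
    return findings


def filter_levels(findings: Iterable[Finding], result_levels: Iterable[str]) -> List[Finding]:
    """Export-time filter: keep only findings whose level is in the requested set."""
    wanted = {ResultLevel[name.upper()] for name in result_levels}
    return [f for f in findings if f.level in wanted]


def levels_at_or_above(minimum: ResultLevel) -> List[str]:
    """Level names to request when you want 'minimum and up', e.g. WARNING and up."""
    return [lvl.name for lvl in ResultLevel if lvl >= minimum]


# Constructed step-1 output (what the diff between two collection runs might look like).
SAMPLE_CHANGES = [
    Change("FILE", "/usr/local/bin/agent", {},
           {"IsExecutable": True, "SignatureValid": False, "SetUid": True}),
    Change("FILE", "/etc/app/config.ini", {"Hash": "aaaa"}, {"Hash": "bbbb"}),
    Change("PORT", "8443", {}, {"Address": "0.0.0.0", "Protocol": "TCP"}),
    Change("SERVICE", "agentd", {}, {"StartType": "Automatic"}),
]

if __name__ == "__main__":
    findings = analyze(SAMPLE_CHANGES)
    for f in findings:
        print(f"{f.level.name:<12} {f.change.result_type:<8} {f.change.identity}  rules={f.rules}")
    print("-- WARNING and up only --")
    for f in filter_levels(findings, levels_at_or_above(ResultLevel.WARNING)):
        print(f"{f.level.name:<12} {f.change.result_type:<8} {f.change.identity}")
```

Running it prints all four findings, then only the two that a rule flagged (the setuid unsigned binary at ERROR and the new port at WARNING); the modified config file stays at the FILE default of DEBUG and the new service at the SERVICE default of INFORMATION, which is exactly why filtering to WARNING and above drops "a change happened" noise and keeps rule hits.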

huntantr commented 1 year ago

Thanks for clarifying.

gfs commented 11 months ago

I believe this is resolved but reach back out if you still have any issues.

gfs commented 11 months ago

The options available for result levels are also defined here in the wiki: https://github.com/microsoft/AttackSurfaceAnalyzer/wiki/Authoring-Analysis-Rules#flags-1