Support Temporal Proximity correlation #1446
@YamatoSecurity

It seems that a simple OR -> AND change may not be enough, and may be a bit difficult ... 🤔

Current impl memo

Current Data Struct

hayabusa/src/detections/rule/mod.rs Lines 32 to 37 in 8e56e37
hayabusa/src/detections/rule/mod.rs Lines 163 to 168 in 8e56e37
hayabusa/src/detections/rule/mod.rs Lines 377 to 388 in 8e56e37
hayabusa/src/detections/rule/count.rs Lines 215 to 231 in 8e56e37

Current sequence

New impl memo

New Data Struct

New Sequence
https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-correlation-rules-specification.md#temporal-proximity-temporal

Reference: https://blog.sigmahq.io/introducing-sigma-correlations-52fe377f2527

Sample rule from blog:

(Note: when testing you can use any two rules that find two different events within a short period of time.)

I think this is similar to the `count` rules we already have, but instead of treating multiple rules as OR, we treat them as AND. And then we ignore the part about aggregating fields, so it should actually be easier to implement. 😄 (Well, except for filtering to check if they have certain same fields, defined by `group-by`.)

@fukusuket I think this one will be very easy for you, so I will assign you. 😉
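Added example, not hayabusa code and not from either comment above: a minimal sliding-window correlator in Rust that contrasts the existing `count`-style behaviour (referenced rules are OR'd, fire once `N` matches fall inside the timespan) with Sigma's temporal proximity (every referenced rule must match, AND, inside the timespan), both partitioned by `group-by` fields. Everything here is constructed for illustration: the `Event`, `Rule`, `Correlation` and `Kind` types, the `demo` scenario with EventID 4624/4625 logons on hosts `ws01`/`ws02`, the 60 s timespan, joining group-by values with `|` as the bucket key, dropping events that lack a group-by field, and clearing the window once a correlation fires are all assumptions, not the Sigma specification's or hayabusa's semantics.

```rust
// Added example, not hayabusa code: sliding-window correlator contrasting
// event_count (OR over rules, fires on N matches) with temporal (AND over
// rules), both bucketed by group-by fields. All names/values are assumptions.
use std::collections::HashMap;

/// Constructed log event: timestamp in seconds plus a flat field map.
#[derive(Debug, Clone)]
pub struct Event {
    pub ts: u64,
    pub fields: HashMap<String, String>,
}

impl Event {
    pub fn new(ts: u64, kv: &[(&str, &str)]) -> Self {
        Event { ts, fields: kv.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect() }
    }
}

/// Stand-in for a detection rule (assumption): matches when every (field, value) pair is present.
#[derive(Debug, Clone)]
pub struct Rule {
    pub name: String,
    pub conds: Vec<(String, String)>,
}

impl Rule {
    pub fn new(name: &str, conds: &[(&str, &str)]) -> Self {
        let conds = conds.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
        Rule { name: name.to_string(), conds }
    }
    pub fn matches(&self, e: &Event) -> bool {
        self.conds.iter().all(|(k, v)| e.fields.get(k).map_or(false, |x| x == v))
    }
}

#[derive(Debug, Clone, Copy)]
pub enum Kind {
    /// event_count with `gte N`: any referenced rule counts (OR).
    EventCount(usize),
    /// temporal: every referenced rule must have matched inside the window (AND).
    Temporal,
}

pub struct Correlation {
    pub kind: Kind,
    pub rules: Vec<Rule>,
    pub group_by: Vec<String>,
    pub timespan: u64,
}

impl Correlation {
    /// Bucket key from the group-by fields; an event missing any of them is not
    /// correlated at all (an assumption of this example).
    fn group_key(&self, e: &Event) -> Option<String> {
        let mut parts = Vec::new();
        for f in &self.group_by {
            parts.push(e.fields.get(f)?.clone());
        }
        Some(parts.join("|"))
    }

    /// Returns (group key, timestamp of the event that completed the correlation) per firing.
    pub fn evaluate(&self, events: &[Event]) -> Vec<(String, u64)> {
        let mut sorted: Vec<&Event> = events.iter().collect();
        sorted.sort_by_key(|e| e.ts);
        // Per group: matches still inside the window as (ts, index of the rule that matched).
        // The rule index is what the AND check needs; a pure count would only need timestamps.
        let mut windows: HashMap<String, Vec<(u64, usize)>> = HashMap::new();
        let mut hits = Vec::new();
        for e in sorted {
            let key = match self.group_key(e) { Some(k) => k, None => continue };
            for (i, rule) in self.rules.iter().enumerate() {
                if !rule.matches(e) { continue; }
                let win = windows.entry(key.clone()).or_default();
                // Slide the window: drop matches older than `timespan` seconds.
                win.retain(|(ts, _)| e.ts.saturating_sub(*ts) <= self.timespan);
                win.push((e.ts, i));
                let fired = match self.kind {
                    Kind::EventCount(n) => win.len() >= n,
                    Kind::Temporal => (0..self.rules.len()).all(|ri| win.iter().any(|(_, j)| *j == ri)),
                };
                if fired {
                    hits.push((key.clone(), e.ts));
                    win.clear(); // consume the window so one burst fires once
                }
            }
        }
        hits
    }
}

/// Constructed scenario: failed logon (4625) then success (4624) on ws01 within 60 s;
/// two failed logons on ws02 with the success far outside the window.
pub fn demo() -> (Vec<(String, u64)>, Vec<(String, u64)>) {
    let failed = Rule::new("failed_logon", &[("EventID", "4625")]);
    let success = Rule::new("success_logon", &[("EventID", "4624")]);
    let events = vec![
        Event::new(100, &[("EventID", "4625"), ("Computer", "ws01")]),
        Event::new(130, &[("EventID", "4624"), ("Computer", "ws01")]),
        Event::new(140, &[("EventID", "4625"), ("Computer", "ws02")]),
        Event::new(150, &[("EventID", "4625"), ("Computer", "ws02")]),
        Event::new(900, &[("EventID", "4624"), ("Computer", "ws02")]),
    ];
    let group_by = vec!["Computer".to_string()];
    let temporal = Correlation { kind: Kind::Temporal, rules: vec![failed.clone(), success.clone()], group_by: group_by.clone(), timespan: 60 };
    let count = Correlation { kind: Kind::EventCount(2), rules: vec![failed, success], group_by, timespan: 60 };
    (temporal.evaluate(&events), count.evaluate(&events))
}
```

Running `demo()` gives one temporal hit (`ws01` at t=130) but two event_count hits (`ws01` at 130 and `ws02` at 150): the two failed logons on `ws02` satisfy an OR count of 2 but never an AND, and the `ws02` success at t=900 is outside the window. The design point worth noting for an implementation is that the window buffer has to remember which rule produced each match, not just how many matches arrived, so the firing predicate is the smaller part of the change compared with the data kept per group.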