Support Temporal Proximity correlation

[YamatoSecurity]

Support Temporal Proximity correlation

https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-correlation-rules-specification.md#temporal-proximity-temporal

Reference: https://blog.sigmahq.io/introducing-sigma-correlations-52fe377f2527

Sample rule from blog:

title: CVE-2023-22518 Exploit Chain
description: Access to endpoint vulnerable to CVE-2023-22518 with suspicious process creation.
status: experimental
correlation:
    type: temporal
    rules:
        - a902d249-9b9c-4dc4-8fd0-fbe528ef965c
        - 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
    group-by:
        - Computer
    timespan: 10s
level: high

(Note: when testing you can use any two rules that find two different events within a short period of time.)

I think this is similar to the count rules we already have but instead of treating multiple rules as OR, we treat them as AND. And then we ignore the part about aggregating fields, so should actually be easier to implement. 😄 (Well, except for filtering to check if they have certain same fields, defined by group-by)

@fukusuket I think this one will be very easy for you, so I will assign you. 😉

[fukusuket]

@YamatoSecurity
Thank you for the assignment! Yes, I would love to implement it!!💪

[fukusuket]

It seems that a simple OR -> AND change may not be enough, and may be a bit difficult ... 🤔
(The reason is that multiple reference rules cannot simply be converted into a single selection block)

Current impl memo

Current Data Struct

hayabusa/src/detections/rule/mod.rs

Lines 32 to 37 in 8e56e37

	pub struct RuleNode {
	pub rulepath: String,
	pub yaml: Yaml,
	detection: DetectionNode,
	countdata: HashMap<String, Vec<AggRecordTimeInfo>>,
	}

hayabusa/src/detections/rule/mod.rs

Lines 163 to 168 in 8e56e37

	struct DetectionNode {
	pub name_to_selection: HashMap<String, Arc<Box<dyn SelectionNode>>>,
	pub condition: Option<Box<dyn SelectionNode>>,
	pub aggregation_condition: Option<AggregationParseInfo>,
	pub timeframe: Option<TimeFrameInfo>,
	}

hayabusa/src/detections/rule/mod.rs

Lines 377 to 388 in 8e56e37

	pub struct AggResult {
	/// countなどの値
	pub data: i64,
	/// count byで指定された条件のレコード内での値
	pub key: String,
	/// countの括弧内指定された項目の検知されたレコード内での値の配列。括弧内で指定がなかった場合は長さ0の配列となる
	pub field_values: Vec<String>,
	///検知したブロックの最初のレコードの時間
	pub start_timedate: DateTime<Utc>,
	///検知したブロックのレコードの全時間とEventID
	pub agg_record_time_info: Vec<AggRecordTimeInfo>,
	}

hayabusa/src/detections/rule/count.rs

Lines 215 to 231 in 8e56e37

	#[derive(Debug, Clone, PartialEq, Eq, Default)]
	/// countの括弧内の情報とレコードの情報を所持する構造体
	pub struct AggRecordTimeInfo {
	pub field_value: String,
	pub time: DateTime<Utc>,
	pub event_id: String,
	pub computer: String,
	pub channel: String,
	pub evtx_file_path: String,
	}
	#[derive(Debug)]
	/// timeframeに設定された情報。SIGMAルール上timeframeで複数の単位(日、時、分、秒)が複合で記載されているルールがなかったためタイプと数値のみを格納する構造体
	pub struct TimeFrameInfo {
	pub timetype: String,
	pub timenum: Result<i64, ParseIntError>,
	}

Current sequence

• https://github.com/Yamato-Security/hayabusa/blob/main/src/main.rs#L1936
• https://github.com/Yamato-Security/hayabusa/blob/main/src/detections/detection.rs#L192
• https://github.com/Yamato-Security/hayabusa/blob/main/src/detections/detection.rs#L200
• https://github.com/Yamato-Security/hayabusa/blob/main/src/detections/rule/mod.rs#L112
• https://github.com/Yamato-Security/hayabusa/blob/main/src/detections/rule/count.rs#L202
• https://github.com/Yamato-Security/hayabusa/blob/main/src/detections/rule/count.rs#L490

[fukusuket]

New impl memo

New Data Struct

• Detection
  • rules: List(RuleNode)
  • temporalRules: List(TemporalRuleNode)
• RuleNode
  • temporal_ref_id: String(UUID)
  • count_data: HashMap<String, AggRecordTimeInfo>
  • output:bool
• TemporalRuleNode
  • ref_rule_ids: List(String(UUID))
  • time_frame
  • fn judge_satisfy_temporal_condition(count_data:HashMap<uuid, AggRecordTimeInfo>)

New Sequence