Support Ordered Temporal Proximity correlation #1447

Closed
YamatoSecurity opened this issue Oct 14, 2024 · 1 comment · Fixed by #1533
Labels: enhancement (New feature or request)


YamatoSecurity commented Oct 14, 2024

Support Ordered Temporal Proximity correlation

https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-correlation-rules-specification.md#ordered-temporal-proximity-temporal_ordered

Sample rule:

correlation:
    type: temporal_ordered
    rules:
        - e87bd730-df45-4ae9-85de-6c75369c5d29 # Logon Failure (Wrong Password)
        - successful_login
    group-by:
        - Computer
        - TargetUserName
    timespan: 1h
@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Oct 14, 2024
@YamatoSecurity YamatoSecurity modified the milestones: 3.0.0, v3.0 Oct 14, 2024
YamatoSecurity (Collaborator, Author):

@fukusuket Since you are now the correlation rules master, 😉 can I ask you to do this one too?

I will send you a sample evtx file to test with over slack.
I created a rule that works well with temporal:

title: Successful password spray
id: 23179f25-6fce-4827-bae1-b219deaf563a
author: yamatosecurity
correlation:
  type: temporal
  rules:
    - many_failed_logins
    - successful_login
  group-by:
    - Computer
  timespan: 1m
  generate: true
level: critical
ruletype: Hayabusa
---
id: 5dbf63ae-07a2-4b47-b75d-e8430e686a29
title: Many Failed Logons!
author: author1
name: many_failed_logins
level: high
logsource:
  product: windows
  service: security
correlation:
    #generate: true
    type: value_count
    rules:
        - failed_logins
    group-by:
        - IpAddress
        - Computer
    timespan: 5m
    condition:
        gte: 5
        field: TargetUserName
---
id: 23179f25-6fce-4827-bae1-b219deaf563c
title: Failed Logon
author: author1
name: failed_logins
level: medium
logsource:
  product: windows
  service: security
detection:
  selection:
    Channel: Security
    EventID: 4625
  condition: selection
---
id: 23179f25-6fce-4827-bae1-b219deaf563x
title: Successful Login
author: author2
name: successful_login
level: informational
logsource:
  product: windows
  service: security
detection:
  selection:
    Channel: Security
    EventID: 4624
  condition: selection

Results:

╭─────────────────────────────────────────────────────────╮
│ Top critical alerts:            Top high alerts:        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Successful password spray (2)   Many Failed Logons! (1) │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:              Top low alerts:         │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                             n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Successful Login (6)            n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
│ n/a                             n/a                     │
╰───────────────────────────────╌─────────────────────────╯

Now, we just need to change temporal to temporal_ordered and make sure it works when the rules are defined in this order:

    - many_failed_logins
    - successful_login

but does not work in this order:

    - successful_login
    - many_failed_logins

Since there are only 4 days left until release, don't worry about rushing. We can include this in the next 3.1 release if it will take time.
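The difference between the two rule orders above, as an added example that is not Hayabusa's code and not part of the original issue: a small Python model of `temporal` (all listed rules fire within `timespan` for the same group-by values, in any order) versus `temporal_ordered` (the same, but the events must occur in the listed order, anchored on the first rule). The events, timestamps, `Computer` values and the `correlate` helper are constructed for this example and are assumptions, not Hayabusa behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One event that already matched a rule referenced by the correlation."""
    rule: str        # the `name` of the rule the event matched
    ts: datetime     # event timestamp
    fields: dict     # fields that `group-by` keys on, e.g. {"Computer": "WS01"}


def _ordered_hit(window, rules):
    """Index of the event completing `rules` as an ordered subsequence, else None."""
    pos = 0
    for idx, ev in enumerate(window):
        if ev.rule == rules[pos]:
            pos += 1
            if pos == len(rules):
                return idx
    return None


def _unordered_hit(window, rules):
    """Index of the event at which every rule in `rules` has been seen, else None."""
    wanted, seen = set(rules), set()
    for idx, ev in enumerate(window):
        if ev.rule in wanted:
            seen.add(ev.rule)
            if seen == wanted:
                return idx
    return None


def correlate(events, rules, group_by, timespan, ordered):
    """Return [(group_key, window_start, window_end)] for each window of at most
    `timespan` in which all `rules` fired for the same group-by values.
    ordered=False models `temporal`; ordered=True models `temporal_ordered`.
    (Hypothetical helper written for this example.)"""
    groups = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = tuple(ev.fields.get(f) for f in group_by)
        groups.setdefault(key, []).append(ev)

    matches = []
    for key, evs in groups.items():
        i = 0
        while i < len(evs):
            start = evs[i]
            # temporal_ordered: the window must be anchored on the first listed rule.
            if ordered and start.rule != rules[0]:
                i += 1
                continue
            # evs is sorted, so the in-timespan events are a prefix of evs[i:].
            window = [e for e in evs[i:] if e.ts - start.ts <= timespan]
            hit = _ordered_hit(window, rules) if ordered else _unordered_hit(window, rules)
            if hit is None:
                i += 1
                continue
            matches.append((key, start.ts, window[hit].ts))
            i += hit + 1  # do not re-report events consumed by this match
    return matches


def _t(hms):
    return datetime(2024, 10, 14, *map(int, hms.split(":")))


# Constructed sample: WS01 = failures then a success (the spray pattern),
# WS02 = success then failures (reverse order), WS03 = correct order but too slow.
SAMPLE_EVENTS = [
    Event("many_failed_logins", _t("10:00:00"), {"Computer": "WS01"}),
    Event("successful_login",   _t("10:00:40"), {"Computer": "WS01"}),
    Event("successful_login",   _t("10:05:00"), {"Computer": "WS02"}),
    Event("many_failed_logins", _t("10:05:30"), {"Computer": "WS02"}),
    Event("many_failed_logins", _t("10:10:00"), {"Computer": "WS03"}),
    Event("successful_login",   _t("10:12:00"), {"Computer": "WS03"}),
]
RULES = ["many_failed_logins", "successful_login"]  # order used in the issue's rule


def computers_hit(rules, ordered):
    """Sorted list of Computer values that trigger the correlation (timespan: 1m)."""
    hits = correlate(SAMPLE_EVENTS, rules, ["Computer"], timedelta(minutes=1), ordered)
    return sorted(key[0] for key, _, _ in hits)


if __name__ == "__main__":
    print("temporal:                 ", computers_hit(RULES, ordered=False))
    print("temporal_ordered:         ", computers_hit(RULES, ordered=True))
    print("temporal_ordered reversed:", computers_hit(list(reversed(RULES)), ordered=True))
```

With the rules listed as `many_failed_logins` then `successful_login`, `temporal` fires for WS01 and WS02 while `temporal_ordered` fires only for WS01; listing the rules the other way round makes the ordered variant fire only for WS02, which is the behaviour the two lists above ask the implementation to verify. WS03 never fires because the two events fall outside the 1-minute timespan.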
