feat: add support for Sigma Correlation Event count #1357

Merged
merged 5 commits into from
Jun 5, 2024

Conversation

fukusuket
Copy link
Collaborator

@fukusuket fukusuket commented Jun 2, 2024

What Changed

Limitations of current implementation

The following points are not supported because they require more time to implement.
I will consider addressing them in separate PRs depending on priority.

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket added the enhancement New feature or request label Jun 2, 2024
@fukusuket fukusuket added this to the v2.16.0 milestone Jun 2, 2024
@fukusuket fukusuket self-assigned this Jun 2, 2024
@fukusuket
Copy link
Collaborator Author

fukusuket commented Jun 3, 2024

Correlation(Valid rule)

I compared the following rule,

Correlation rule

title: Correlation TEST
id: 0e95725d-7320-415d-80f7-004da920fc11
level: informational
correlation:
  type: event_count
  rules:
    - e87bd730-df45-4ae9-85de-6c75369c5d29 # Logon Failure (Wrong Password)
    - 8afa97ce-a217-4f7c-aced-3e320a57756d # Logon Failure (User Does Not Exist)
  group-by:
    - Computer
    - SubStatus
  timespan: 5m
  condition:
    gte: 3

and put the following 2 rules in the same directory.

Agg rule

author: TEST
date: 2024/06/03
modified: 2024/06/03

title: Aggregation TEST
description: Aggregation TEST

id: e87bd730-df45-4ae9-85de-6c75369c5d20
level: informational
status: stable
logsource:
  product: windows
  service: security
detection:
  selection_basic:
    Channel: Security
    EventID: 4625
  selection_error:
    SubStatus:
      - "0xc000006a" #Wrong password
      - "0xc0000064" #Username does not exist error
  condition: selection_basic and selection_error | count() by Computer,SubStatus >= 3
  timeframe: 5m
falsepositives:
  - user mistypes password
tags:
references:
ruletype: Hayabusa

Result

Then I confirmed that the result is the same.

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -o timeline.csv -r test -w -C
% cat timeline.csv | grep -e "Correlation" -e "Aggregation"
"2016-09-20 01:50:06.513 +09:00","Aggregation TEST","info","-","-","-","-","Count:3558 ¦ Computer:DESKTOP-M5SN04R ¦ SubStatus:0xc000006a","-"
"2016-09-20 01:50:06.513 +09:00","Correlation TEST","info","-","-","-","-","Count:3558 ¦ Computer:DESKTOP-M5SN04R ¦ SubStatus:0xc000006a","-"
"2021-05-20 21:49:52.315 +09:00","Aggregation TEST","info","-","-","-","-","Count:5 ¦ Computer:fs01.offsec.lan ¦ SubStatus:0xc0000064","-"
"2021-05-20 21:49:52.315 +09:00","Correlation TEST","info","-","-","-","-","Count:5 ¦ Computer:fs01.offsec.lan ¦ SubStatus:0xc0000064","-"
"2021-05-22 05:43:22.562 +09:00","Aggregation TEST","info","-","-","-","-","Count:5 ¦ Computer:fs01.offsec.lan ¦ SubStatus:0xc000006a","-"
"2021-05-22 05:43:22.562 +09:00","Correlation TEST","info","-","-","-","-","Count:5 ¦ Computer:fs01.offsec.lan ¦ SubStatus:0xc000006a","-"

@fukusuket
Copy link
Collaborator Author

fukusuket commented Jun 3, 2024

Correlation(Invalid rule)

A rule with a missing condition block.

title: Many failed logins to the same computer
id: 0e95725d-7320-415d-80f7-004da920fc11
level: informational
correlation:
  type: event_count
  rules:
    - e87bd730-df45-4ae9-85de-6c75369c5d29 # Logon Failure (Wrong Password)
    - 8afa97ce-a217-4f7c-aced-3e320a57756d # Logon Failure (User Does Not Exist)
  group-by:
    - Computer
    - SubStatus
  timespan: 5m

A parse error message appeared in the console.

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -o timeline.csv -r test -w -C -q
Start time: 2024/06/03 11:03

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.

Rule parsing errors: 1
...

and the error log output:

% cat ./logs/errorlog-20240603_110350.log for details.
user input: ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -o timeline.csv -r test -w -C -q
[WARN] Failed to parse rule. (FilePath : test/test.yml) Failed to parse condition
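The event_count semantics compared in the two comments above (group-by keys, a 5m timespan, a gte threshold) together with the structural check that rejects the condition-less rule, as an added example that is not part of this PR or of Hayabusa's code. It is written in Python rather than Hayabusa's Rust. The rules are Python dicts mirroring the YAML above; the two base rules referenced by ID are replaced by simplified field-equality stand-ins (an assumption, not the real rule bodies); the sliding-window reading of `timespan` is one reasonable interpretation rather than Hayabusa's exact implementation; and every event, hostname and timestamp is constructed.

```python
# Added example (not Hayabusa code): a minimal evaluator for a Sigma
# `event_count` correlation rule plus the structural check that rejects a
# rule without a condition block. Rules are dicts with the same shape as the
# YAML on the page; base-rule detections are simplified stand-ins; all events
# are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-ins for the two referenced base rules (IDs from the correlation rule;
# the selection logic here is an assumption, not the real rule bodies).
BASE_RULES = {
    "e87bd730-df45-4ae9-85de-6c75369c5d29": {"EventID": 4625, "SubStatus": "0xc000006a"},
    "8afa97ce-a217-4f7c-aced-3e320a57756d": {"EventID": 4625, "SubStatus": "0xc0000064"},
}

CORRELATION_RULE = {
    "title": "Correlation TEST",
    "correlation": {
        "type": "event_count",
        "rules": list(BASE_RULES),
        "group-by": ["Computer", "SubStatus"],
        "timespan": "5m",
        "condition": {"gte": 3},
    },
}

# The same rule with the condition block removed, as in the invalid-rule comment.
INVALID_RULE = {"title": "Many failed logins", "correlation": {
    k: v for k, v in CORRELATION_RULE["correlation"].items() if k != "condition"}}

OPS = {"gte": lambda a, b: a >= b, "gt": lambda a, b: a > b,
       "lte": lambda a, b: a <= b, "lt": lambda a, b: a < b, "eq": lambda a, b: a == b}


class RuleParseError(ValueError):
    pass


def parse_timespan(text):
    """'5m' -> timedelta(minutes=5); accepts s/m/h/d suffixes."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if len(text) < 2 or text[-1] not in units or not text[:-1].isdigit():
        raise RuleParseError(f"Failed to parse timespan: {text!r}")
    return timedelta(seconds=int(text[:-1]) * units[text[-1]])


def validate_correlation(rule):
    """Normalise an event_count correlation block, rejecting malformed ones."""
    corr = rule.get("correlation")
    if not isinstance(corr, dict) or corr.get("type") != "event_count":
        raise RuleParseError("Failed to parse correlation type")
    for key in ("rules", "group-by", "timespan"):
        if not corr.get(key):
            raise RuleParseError(f"Failed to parse {key}")
    unknown = [r for r in corr["rules"] if r not in BASE_RULES]
    if unknown:
        raise RuleParseError(f"Unknown referenced rule(s): {unknown}")
    cond = corr.get("condition")
    if not isinstance(cond, dict) or len(cond) != 1:
        raise RuleParseError("Failed to parse condition")
    (op, threshold), = cond.items()
    if op not in OPS or not isinstance(threshold, int) or isinstance(threshold, bool):
        raise RuleParseError("Failed to parse condition")
    return {"rules": corr["rules"], "group_by": list(corr["group-by"]),
            "window": parse_timespan(corr["timespan"]), "op": op, "threshold": threshold}


def event_count(rule, events):
    """One alert per group-by key, the first time the count of matching events
    in the sliding `timespan` window ending at an event satisfies the condition."""
    spec = validate_correlation(rule)
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if any(all(ev.get(f) == v for f, v in BASE_RULES[r].items()) for r in spec["rules"]):
            groups[tuple(ev.get(f) for f in spec["group_by"])].append(ev["ts"])
    alerts = []
    for key, times in groups.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > spec["window"]:  # slide the window forward
                start += 1
            count = end - start + 1
            if OPS[spec["op"]](count, spec["threshold"]):
                alerts.append({"ts": t, "group": key, "count": count})
                break
    return alerts


def at_time(hhmmss):
    return datetime.fromisoformat(f"2024-06-03T{hhmmss}")


# Constructed Security-log events (not from the page's sample set).
SAMPLE_EVENTS = [
    # three wrong-password failures on one host inside 5 minutes -> alert
    {"ts": at_time("10:00:00"), "EventID": 4625, "Computer": "DESKTOP-M5SN04R", "SubStatus": "0xc000006a"},
    {"ts": at_time("10:01:10"), "EventID": 4625, "Computer": "DESKTOP-M5SN04R", "SubStatus": "0xc000006a"},
    {"ts": at_time("10:02:30"), "EventID": 4625, "Computer": "DESKTOP-M5SN04R", "SubStatus": "0xc000006a"},
    # three unknown-user failures spread over 20 minutes -> never 3 in one window
    {"ts": at_time("10:00:00"), "EventID": 4625, "Computer": "fs01.offsec.lan", "SubStatus": "0xc0000064"},
    {"ts": at_time("10:10:00"), "EventID": 4625, "Computer": "fs01.offsec.lan", "SubStatus": "0xc0000064"},
    {"ts": at_time("10:20:00"), "EventID": 4625, "Computer": "fs01.offsec.lan", "SubStatus": "0xc0000064"},
    # a successful logon and a failure with a SubStatus no base rule matches -> ignored
    {"ts": at_time("10:01:00"), "EventID": 4624, "Computer": "DESKTOP-M5SN04R", "SubStatus": "0x0"},
    {"ts": at_time("10:01:30"), "EventID": 4625, "Computer": "DESKTOP-M5SN04R", "SubStatus": "0xc0000234"},
]

if __name__ == "__main__":
    for alert in event_count(CORRELATION_RULE, SAMPLE_EVENTS):
        print(alert)
    try:
        validate_correlation(INVALID_RULE)
    except RuleParseError as err:
        print("rejected:", err)
```

Running the script prints a single alert for the DESKTOP-M5SN04R / 0xc000006a group with count 3 and then the rejection of the condition-less rule; the fs01.offsec.lan events never reach three inside any 5-minute window, which is the edge the `timespan` field is there to enforce.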

@fukusuket
Copy link
Collaborator Author

fukusuket commented Jun 3, 2024

hayabusa-sample-evtx

I confirmed that there are no differences in the result files, as follows:

csv-timeline

% ./hayabusa-old csv-timeline -d ../hayabusa-sample-evtx -w -D -u -n -q -C -o old.csv
% ./hayabusa-new csv-timeline -d ../hayabusa-sample-evtx -w -D -u -n -q -C -o new.csv
% diff new.csv old.csv
%

json-timeline

% ./hayabusa-old json-timeline -d ../hayabusa-sample-evtx -w -D -u -n -q -C -o old.json
% ./hayabusa-new json-timeline -d ../hayabusa-sample-evtx -w -D -u -n -q -C -o new.json
% diff new.json old.json
%

Integration-Test

https://github.com/Yamato-Security/hayabusa/actions/runs/9343097325

@fukusuket fukusuket marked this pull request as ready for review June 3, 2024 02:26
Copy link
Collaborator

@hitenkoku hitenkoku left a comment

LGTM

Copy link
Collaborator

@YamatoSecurity YamatoSecurity left a comment

@fukusuket LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit b03fd93 into main Jun 5, 2024
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1337-sigma-correlation-event-count branch June 5, 2024 22:55
Labels
enhancement New feature or request
Development

Successfully merging this pull request may close these issues.

Sigma correlations support: Event Count
3 participants