
fix: count up Event with hits when aggregation/correlation rule #1384

Merged
merged 15 commits into from
Jul 15, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Jul 8, 2024

What Changed

Test

csv-timeline/json-timeline diff check (compared with main branch)

No difference in the result file compared to the main branch.
https://github.com/Yamato-Security/hayabusa/actions/runs/9844009215

integration-test

All commands work properly.
https://github.com/Yamato-Security/hayabusa/actions/runs/9844007839

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket self-assigned this Jul 8, 2024
@fukusuket fukusuket added the bug Something isn't working label Jul 8, 2024
@fukusuket fukusuket added this to the v2.17.0 milestone Jul 8, 2024
@fukusuket
Collaborator Author

fukusuket commented Jul 8, 2024

aggregation rule

I confirmed that Events with hits is counted up for the case in issue #1375 (comment).

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -r rules/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml -w -q
Start time: 2024/07/09 02:21

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.


Stable rules: 1 (100.00%)

Hayabusa rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 241
Detection rules enabled after channel filter: 1

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 241 / 241   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Timestamp · RuleTitle · Level · Computer · Channel · EventID · RecordID · Details · ExtraFieldInfo
2016-09-20 01:50:06.513 +09:00 · PW Guessing · med · - · - · - · - · Count: 3558 ¦ IpAddress: 192.168.198.149 · -


Rule Authors:

╭─────────────────╮
│ Zach Mathis (1) │
╰─────────────────╯

Results Summary:

Events with hits / Total events: 3,558 / 26,341 (Data reduction: 22,783 events (86.49%))

Total | Unique detections: 1 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (0.00%)
Total | Unique medium detections: 1 (100.00%) | 1 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (100.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: 2016-09-20 (1), low: n/a, informational: n/a

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: n/a

╭──────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ PW Guessing (1)             n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
╰───────────────────────────╌──────────────────╯


Elapsed time: 00:00:00.472

@fukusuket
Collaborator Author

correlation rule

I confirmed that Events with hits is counted up for the case in issue #1373 (comment).

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -r test.yml -w -q
Start time: 2024/07/09 02:27

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.


Undefined rules: 3 (100.00%)

Other rules: 3
Total detection rules: 3

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 241
Detection rules enabled after channel filter: 1

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 241 / 241   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Timestamp · RuleTitle · Level · Computer · Channel · EventID · RecordID · Details · ExtraFieldInfo
2016-09-20 01:50:06.477 +09:00 · Value Count TEST · info · - · - · - · - · Count: 2 ¦ SubStatus: 0xc000006a/0xc0000064 ¦ Computer: DESKTOP-M5SN04R · -

2021-05-20 21:49:53.378 +09:00 · Value Count TEST · info · - · - · - · - · Count: 2 ¦ SubStatus: 0xc000006a/0xc0000064 ¦ Computer: fs01.offsec.lan · -



Results Summary:

Events with hits / Total events: 3,564 / 26,341 (Data reduction: 22,777 events (86.47%))

Total | Unique detections: 2 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 2 (100.00%) | 1 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: n/a, informational: 2021-05-20 (1)

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: n/a

╭──────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Value Count TEST (2)        n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
╰───────────────────────────╌──────────────────╯


Elapsed time: 00:00:00.463

@fukusuket fukusuket marked this pull request as ready for review July 8, 2024 17:32
@fukusuket
Collaborator Author

Top 5 computers with most unique detections shows only n/a but should include the correlation rule results

Sorry, I forgot to fix the above case...😅 I'll try to address this in the next PR🙏

@fukusuket
Collaborator Author

fukusuket commented Jul 9, 2024

I also fixed case 1 (multiple Channel/Computer/EventID values) from #1342 (comment):

  1. Is it possible to put in the Channel and EventID info? When there are multiple values, we can separate them with ¦.
{
    "Timestamp": "2021-12-12 16:15:56.716 +09:00",
    "RuleTitle": "TEST_TITLE",
    "Level": "info",
    "Computer": "fs03vuln.offsec.lan ¦ rootdc1.offsec.lan",
    "Channel": "Security",
    "EventID": 4624,
    "RecordID": "-",
    "Details": {
        "Count": 33,
        "IpAddress": "10.23.123.11",
        "SubStatus": "null",
        "LogonType": 3
    },
    "ExtraFieldInfo": "-"
}
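As an added illustration (not hayabusa's code) of the two points above, the count-style aggregation whose contributing events must be added to Events with hits, and the ¦-joined multi-value Computer/Channel/EventID fields, here is a small Python model over constructed 4625 records. The rule form (count grouped by IpAddress against a threshold), the threshold value and the `run_count_rule`/`join_unique` names are assumptions; the sample values reuse ones quoted in this thread.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names follow the
# JSON profile shown in the thread; values reuse ones quoted there.
EVENTS = [
    {"Computer": "DESKTOP-M5SN04R", "Channel": "Security", "EventID": 4625, "IpAddress": "192.168.198.149"},
    {"Computer": "DESKTOP-M5SN04R", "Channel": "Security", "EventID": 4625, "IpAddress": "192.168.198.149"},
    {"Computer": "DESKTOP-M5SN04R", "Channel": "Security", "EventID": 4625, "IpAddress": "192.168.198.149"},
    {"Computer": "fs03vuln.offsec.lan", "Channel": "Security", "EventID": 4625, "IpAddress": "10.23.123.11"},
    {"Computer": "rootdc1.offsec.lan", "Channel": "Security", "EventID": 4625, "IpAddress": "10.23.123.11"},
    {"Computer": "fs01.offsec.lan", "Channel": "Security", "EventID": 4624, "IpAddress": "10.0.0.5"},
]

def selection(ev):
    """Rule selection: failed logons (Security channel, EID 4625)."""
    return ev["Channel"] == "Security" and ev["EventID"] == 4625

def join_unique(values):
    """Distinct values in first-seen order, joined with the ¦ separator
    hayabusa uses when one aggregated alert spans several values."""
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return " ¦ ".join(str(v) for v in seen)

def run_count_rule(events, group_by="IpAddress", threshold=2):
    """Emit one alert per group whose member count reaches the threshold.
    Returns (alerts, events_with_hits). events_with_hits adds len(members)
    for every fired group: the events behind each alert line, which is the
    counter this PR's title refers to, not the number of alert lines."""
    groups = defaultdict(list)
    for ev in events:
        if selection(ev):
            groups[ev[group_by]].append(ev)
    alerts, events_with_hits = [], 0
    for key, members in groups.items():
        if len(members) < threshold:
            continue
        events_with_hits += len(members)
        alerts.append({
            "Computer": join_unique(e["Computer"] for e in members),
            "Channel": join_unique(e["Channel"] for e in members),
            "EventID": join_unique(e["EventID"] for e in members),
            "Details": {"Count": len(members), group_by: key},
        })
    return alerts, events_with_hits

if __name__ == "__main__":
    alerts, hits = run_count_rule(EVENTS)
    print(f"Events with hits: {hits}, alert lines: {len(alerts)}")
```

With the constructed input, two alert lines are emitted but five events are credited to Events with hits; the second alert's Computer field reads `fs03vuln.offsec.lan ¦ rootdc1.offsec.lan`.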

@fukusuket
Collaborator Author

fukusuket commented Jul 10, 2024

I also fixed case 3 (EvtxFile) from #1342 (comment):

  1. EvtxFile is also - but many users ask me how they can look up the evtx file from this alert so it would be nice to get this information as well. Again, separate by ¦ when there are multiple values.
% ./hayabusa json-timeline -d ../hayabusa-sample-evtx -r rules/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml -w -q -p super-verbose
{
    "Timestamp": "2016-09-20 01:50:06.513 +09:00",
    "RuleTitle": "PW Guessing",
    "Level": "med",
    "Computer": "DESKTOP-M5SN04R",
    "Channel": "Security",
    "EventID": 4625,
    "RuleAuthor": "Zach Mathis",
    "RuleModifiedDate": "2022/05/21",
    "Status": "stable",
    "RecordID": "-",
    "Details": {
        "Count": 3558,
        "IpAddress": "192.168.198.149"
    },
    "ExtraFieldInfo": "-",
    "MitreTactics": [
        "CredAccess,08. Credential Access"
    ],
    "MitreTags": [
        "T1110.003"
    ],
    "Provider": "-",
    "RuleCreationDate": "2021/12/20",
    "RuleFile": "Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml",
    "EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx"
}

@fukusuket
Collaborator Author

fukusuket commented Jul 10, 2024

I fixed case 6 (computers summary not displayed) from #1342 (comment) and #1384 (comment):

  1. Top 5 computers with most unique detections shows only n/a but should include the correlation rule results
% ./hayabusa json-timeline -d ../hayabusa-sample-evtx -r rules/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml -w -q -p super-verbose
...


Events with hits / Total events: 3,558 / 26,341 (Data reduction: 22,783 events (86.49%))

Total | Unique detections: 1 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (0.00%)
Total | Unique medium detections: 1 (100.00%) | 1 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (100.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: 2016-09-20 (1), low: n/a, informational: n/a

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: DESKTOP-M5SN04R (1)
low: n/a
informational: n/a

╭──────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ PW Guessing (1)             n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
╰───────────────────────────╌──────────────────╯

@fukusuket
Collaborator Author

Some improvements to the output of the count rule are included in this pull request💪

@YamatoSecurity
Collaborator

@fukusuket
Thanks! For the channel name, it is Security, but I think it normally gets abbreviated to Sec. I think we should abbreviate things in the same way; what do you think?

{
    "Timestamp": "2016-09-20 01:50:06.513 +09:00",
    "RuleTitle": "PW Guessing",
    "Level": "med",
    "Computer": "DESKTOP-M5SN04R",
    "Channel": "Security",
    "EventID": 4625,
    "RuleAuthor": "Zach Mathis",
    "RuleModifiedDate": "2022/05/21",
    "Status": "stable",
    "RecordID": "-",
    "Details": {
        "Count": 3558,
        "IpAddress": "192.168.198.149"
    },
    "ExtraFieldInfo": "-",
    "MitreTactics": [
        "CredAccess,08. Credential Access"
    ],
    "MitreTags": [
        "T1110.003"
    ],
    "Provider": "-",
    "RuleCreationDate": "2021/12/20",
    "RuleFile": "Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml",
    "EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx"
}

@fukusuket
Collaborator Author

Sorry🙏 I fixed channel abbreviation!

./hayabusa json-timeline -d ../hayabusa-sample-evtx -r rules/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml -w -q -p super-verbose
...
{
    "Timestamp": "2016-09-20 01:50:06.513 +09:00",
    "RuleTitle": "PW Guessing",
    "Level": "med",
    "Computer": "DESKTOP-M5SN04R",
    "Channel": "Sec",
    "EventID": 4625,
    "RuleAuthor": "Zach Mathis",
    "RuleModifiedDate": "2022/05/21",
    "Status": "stable",
    "RecordID": "-",
    "Details": {
        "Count": 3558,
        "IpAddress": "192.168.198.149"
    },
    "ExtraFieldInfo": "-",
    "MitreTactics": [
        "CredAccess,08. Credential Access"
    ],
    "MitreTags": [
        "T1110.003"
    ],
    "Provider": "-",
    "RuleCreationDate": "2021/12/20",
    "RuleFile": "Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml",
    "EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx"
}

Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 25c1200 into main Jul 15, 2024
7 of 8 checks passed
@YamatoSecurity YamatoSecurity deleted the 1375-agg-condition-rule-not-count-up branch July 15, 2024 00:33