Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: count up Event with hits when aggregation/correlation rule #1384

Merged
merged 15 commits into from
Jul 15, 2024
Merged

fix: count up Event with hits when aggregation/correlation rule #1384

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
79ce661
refactor: remove unused fields/params
fukusuket Jul 7, 2024
2b60013
fix: count up events when agg/correlation rule matched event
fukusuket Jul 8, 2024
12b3f6e
chg: output channel/event_id/computer when agg/correlation result
fukusuket Jul 9, 2024
ff28335
chg: output channel/event_id/computer when agg/correlation result
fukusuket Jul 9, 2024
932674d
chg: output channel/event_id/computer when agg/correlation result
fukusuket Jul 9, 2024
23fe401
chg: sort computer/event_id/channel multiple val
fukusuket Jul 9, 2024
c55e3e9
chg: sort computer/event_id/channel multiple val
fukusuket Jul 9, 2024
d1ea60e
refactor: remove duplicated code
fukusuket Jul 9, 2024
e0a90a5
chg: output evtx_file_path when agg/correlation rule
fukusuket Jul 10, 2024
a8f9236
fix: Top 5 computers with most unique detections's output
fukusuket Jul 10, 2024
80d219d
fix: Top 5 computers with most unique detections's output
fukusuket Jul 10, 2024
d69134a
fix: remove debug print
fukusuket Jul 11, 2024
b641517
update changelog
YamatoSecurity Jul 14, 2024
11dffd1
bump
YamatoSecurity Jul 14, 2024
62454b9
fix: channel abbreviation
fukusuket Jul 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 31 additions & 20 deletions src/afterfact.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -495,15 +495,26 @@ fn calc_statistic_info(
afterfact_info
.timestamps
.push(detect_info.detected_time.timestamp());
if !detect_info.is_condition {
afterfact_info
.detected_record_idset
.insert(CompactString::from(format!(
"{}_{}",
detect_info.detected_time, detect_info.eventid
)));
match &detect_info.agg_result {
None => {
afterfact_info
.detected_record_idset
.insert(CompactString::from(format!(
"{}_{}",
detect_info.detected_time, detect_info.eventid
)));
}
Some(agg_result) => {
agg_result.agg_record_time_info.iter().for_each(|a| {
afterfact_info
.detected_record_idset
.insert(CompactString::from(format!(
"{}_{}",
a.record_time, a.record_event_id
)));
});
}
}

if !output_option.no_summary {
let level_suffix = get_level_suffix(detect_info.level.as_str());
let author_list = afterfact_info
Expand Down Expand Up @@ -1887,7 +1898,7 @@ pub fn output_json_str(
let mut children_output_stock: HashMap<CompactString, Vec<CompactString>> =
HashMap::new();
let mut children_output_order = vec![];
if detect_info.is_condition {
if detect_info.agg_result.is_some() {
if details_target_stock[0] == "-" {
output_stock.push(_create_json_output_format(
key,
Expand Down Expand Up @@ -2463,7 +2474,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
},
&profile_converter,
Expand All @@ -2487,7 +2498,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
},
&profile_converter,
Expand Down Expand Up @@ -2810,7 +2821,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
},
&profile_converter,
Expand All @@ -2834,7 +2845,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
},
&profile_converter,
Expand Down Expand Up @@ -3137,7 +3148,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
},
&profile_converter,
Expand All @@ -3161,7 +3172,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
},
&profile_converter,
Expand Down Expand Up @@ -3474,7 +3485,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map,
},
&profile_converter,
Expand All @@ -3498,7 +3509,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
},
&profile_converter,
Expand Down Expand Up @@ -3883,7 +3894,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map,
},
&profile_converter,
Expand Down Expand Up @@ -4237,7 +4248,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map,
},
&profile_converter,
Expand Down Expand Up @@ -4517,7 +4528,7 @@ mod tests {
eventid: CompactString::from(test_eventid),
detail: CompactString::default(),
ext_field: output_profile.to_owned(),
is_condition: false,
agg_result: None,
details_convert_map,
},
&profile_converter,
Expand Down
23 changes: 9 additions & 14 deletions src/detections/detection.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -742,7 +742,7 @@ impl Detection {
eventid: eid,
detail: CompactString::default(),
ext_field: stored_static.profiles.as_ref().unwrap().to_owned(),
is_condition: false,
agg_result: None,
details_convert_map: HashMap::default(),
};

Expand Down Expand Up @@ -965,7 +965,7 @@ impl Detection {
eventid: CompactString::from("-"),
detail: output,
ext_field: stored_static.profiles.as_ref().unwrap().to_owned(),
is_condition: true,
agg_result: Some(agg_result),
details_convert_map: HashMap::default(),
};
let binding = STORED_EKEY_ALIAS.read().unwrap();
Expand Down Expand Up @@ -1313,7 +1313,7 @@ mod tests {
fn test_output_aggregation_output_with_output() {
let default_time = Utc.with_ymd_and_hms(1977, 1, 1, 0, 0, 0).unwrap();
let agg_result: AggResult =
AggResult::new(2, "_".to_string(), vec![], default_time, ">= 1".to_string());
AggResult::new(2, "_".to_string(), vec![], default_time, vec![]);
let rule_str = r#"
enabled: true
detection:
Expand Down Expand Up @@ -1341,7 +1341,7 @@ mod tests {
fn test_output_aggregation_output_no_filed_by() {
let default_time = Utc.with_ymd_and_hms(1977, 1, 1, 0, 0, 0).unwrap();
let agg_result: AggResult =
AggResult::new(2, "_".to_string(), vec![], default_time, ">= 1".to_string());
AggResult::new(2, "_".to_string(), vec![], default_time, vec![]);
let rule_str = r#"
enabled: true
detection:
Expand All @@ -1368,7 +1368,7 @@ mod tests {
fn test_output_aggregation_output_with_timeframe() {
let default_time = Utc.with_ymd_and_hms(1977, 1, 1, 0, 0, 0).unwrap();
let agg_result: AggResult =
AggResult::new(2, "_".to_string(), vec![], default_time, ">= 1".to_string());
AggResult::new(2, "_".to_string(), vec![], default_time, vec![]);
let rule_str = r#"
enabled: true
detection:
Expand Down Expand Up @@ -1400,7 +1400,7 @@ mod tests {
"_".to_string(),
vec!["7040".to_owned(), "9999".to_owned()],
default_time,
">= 1".to_string(),
vec![],
);
let rule_str = r#"
enabled: true
Expand Down Expand Up @@ -1430,7 +1430,7 @@ mod tests {
"lsass.exe".to_string(),
vec!["0000".to_owned(), "1111".to_owned()],
default_time,
">= 1".to_string(),
vec![],
);
let rule_str = r#"
enabled: true
Expand All @@ -1454,13 +1454,8 @@ mod tests {
#[test]
fn test_output_aggregation_output_with_by() {
let default_time = Utc.with_ymd_and_hms(1977, 1, 1, 0, 0, 0).unwrap();
let agg_result: AggResult = AggResult::new(
2,
"lsass.exe".to_string(),
vec![],
default_time,
">= 1".to_string(),
);
let agg_result: AggResult =
AggResult::new(2, "lsass.exe".to_string(), vec![], default_time, vec![]);
let rule_str = r#"
enabled: true
detection:
Expand Down
8 changes: 4 additions & 4 deletions src/detections/message.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
extern crate lazy_static;
use super::configs::EventKeyAliasConfig;
use super::utils::remove_sp_char;
use crate::detections::configs::CURRENT_EXE_PATH;
use crate::detections::field_data_map::{convert_field_data, FieldDataMap, FieldDataMapKey};
use crate::detections::rule::AggResult;
use crate::detections::utils::{self, get_serde_number_to_string, write_color_buffer};
use crate::options::profile::Profile::{
self, AllFieldInfo, Details, ExtraFieldInfo, Literal, SrcASN, SrcCity, SrcCountry, TgtASN,
Expand All @@ -23,9 +26,6 @@ use std::path::Path;
use std::sync::Mutex;
use termcolor::{BufferWriter, ColorChoice};

use super::configs::EventKeyAliasConfig;
use super::utils::remove_sp_char;

/*
* This struct express log record
*/
Expand All @@ -40,7 +40,7 @@ pub struct DetectInfo {
pub eventid: CompactString,
pub detail: CompactString,
pub ext_field: Vec<(CompactString, Profile)>,
pub is_condition: bool,
pub agg_result: Option<AggResult>,
pub details_convert_map: HashMap<CompactString, Vec<CompactString>>,
}

Expand Down
Loading
Loading