
feat: add support expand modifier #1527

Merged
merged 6 commits into from
Dec 9, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Dec 7, 2024

What Changed

Evidence

Integration-Test

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket self-assigned this Dec 7, 2024
@fukusuket fukusuket added the enhancement New feature or request label Dec 7, 2024
@fukusuket
Collaborator Author

fukusuket commented Dec 7, 2024

Test

expand rule

title: TEST
id: f8d98d6c-7a07-4d74-b064-dd4a3c244521
status: test
description: test
author: TEST
date: 2024-12-07
logsource:
    product: windows
    service: security
    definition: TEST
detection:
    selection:
        Channel: Security
        EventID: 4624
        LogonType|expand: '%LogonType%'
    condition: selection
level: informational
% less ./config/expand/LogonType.txt
10
5

Start time: 2024/12/08 03:37
Total event log files: 598
Total file size: 139.2 MB

Loading detection rules. Please wait.


Test rules: 1 (100.00%)

Expand rules: 1 (100.00%)
Enabled expand rules: 1 (100.00%)

Other rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 248
Detection rules enabled after channel filter: 1

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 248 / 248   [========================================] 100%

Scanning finished. Please wait while the results are being saved.
Rule Authors:

╭──────────╮
│ TEST (1) │
╰──────────╯

Results Summary:

Events with hits / Total events: 439 / 26,393 (Data reduction: 25,954 events (98.34%))

Total | Unique detections: 439 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 439 (100.00%) | 1 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: n/a, informational: 2013-10-24 (207)

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: MSEDGEWIN10 (1), SANS-TBT570 (1), 01566s-win16-ir.threebeesco.com (1), PC02.example.corp (1), IE8Win7 (1)

╭──────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ TEST (439)                  n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
╰───────────────────────────╌──────────────────╯

Saved file: timeline.csv (223.8 KB)

Elapsed time: 00:00:00.869

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

no expand rule

title: TEST
id: f8d98d6c-7a07-4d74-b064-dd4a3c244521
status: test
description: test
author: TEST
date: 2024-12-07
logsource:
    product: windows
    service: security
    definition: TEST
detection:
    selection:
        Channel: Security
        EventID: 4624
        LogonType:
            - 10
            - 5
    condition: selection
level: informational
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r test2.yml -o timeline-old.csv -q -C
Start time: 2024/12/08 02:59
Total event log files: 598
Total file size: 139.2 MB

Loading detection rules. Please wait.


Test rules: 1 (100.00%)

Expand rules: 0 (0.00%)
Enabled expand rules: 0 (0.00%)

Other rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 248
Detection rules enabled after channel filter: 1

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 248 / 248   [========================================] 100%

Scanning finished. Please wait while the results are being saved.
Rule Authors:

╭──────────╮
│ TEST (1) │
╰──────────╯

Results Summary:

Events with hits / Total events: 439 / 26,393 (Data reduction: 25,954 events (98.34%))

Total | Unique detections: 439 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 439 (100.00%) | 1 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: n/a, informational: 2013-10-24 (207)

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: IE8Win7 (1), PC02.example.corp (1), fs01.offsec.lan (1), IE9Win7 (1), 01566s-win16-ir.threebeesco.com (1)

╭──────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ TEST (439)                  n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
│ n/a                         n/a              │
╰───────────────────────────╌──────────────────╯

Saved file: timeline-old.csv (223.8 KB)

Elapsed time: 00:00:00.864

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

@fukusuket fukusuket marked this pull request as ready for review December 7, 2024 18:39
@YamatoSecurity
Collaborator

@fukusuket Thanks! Looks good but it is not working for me. Can you tell me what I might be doing wrong?

~/Desktop/test.yml:

title: TEST
id: f8d98d6c-7a07-4d74-b064-dd4a3c244521
status: test
description: test
author: TEST
date: 2024-12-07
logsource:
    product: windows
    service: security
    definition: TEST
detection:
    selection:
        Channel: Security
        EventID: 4624
        LogonType|expand: '%LogonType%'
    condition: selection
level: informational
cat config/expand/LogonType.txt
10
5
./target/release/hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r ~/Desktop/test.yml -q
Start time: 2024/12/09 14:44
Total event log files: 598
Total file size: 139.2 MB

Loading detection rules. Please wait.


Test rules: 1 (100.00%)

Expand rules: 1 (100.00%)
Enabled expand rules: 0 (0.00%)

Other rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 248
Detection rules enabled after channel filter: 1

Output profile: standard

Scanning in progress. Please wait.

Scanning finished.


Results Summary:

Events with hits / Total events: 0 / 26,393 (Data reduction: 26,393 events (100.00%))

Total | Unique detections: 0 | 0
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (0.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: n/a, informational: n/a

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: n/a

Enabled expand rules is still 0.

An issue besides this not working is that this expand rule is not enabled but we still get:

Evtx files loaded after channel filter: 248
Detection rules enabled after channel filter: 1

Shouldn't Detection rules enabled after channel filter also be 0 in this case?

@fukusuket
Collaborator Author

@YamatoSecurity
Thank you for checking!
It seems that config/expand is determined to be missing because it is running in the following path.

./target/release/hayabusa 

Would it work if you put it on the same folder hierarchy as the release binary?

@YamatoSecurity
Collaborator

Would it work if you put it on the same folder hierarchy as the release binary?

That was the issue, thanks so much! LGTM!
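The following is an added, stand-alone Rust example (not Hayabusa's own code) that models the two points of this thread: fukusuket's test above, where the `LogonType|expand: '%LogonType%'` rule and the hand-written `LogonType: [10, 5]` rule produce the same detections, and the "Enabled expand rules: 0" result seen when `config/expand` is not beside the binary that is run. The rule model (`Rule`, `Matcher`), the placeholder file lookup relative to a `base_dir`, the `load_rules` counters and the sample events are all assumptions constructed for the demo; the only values taken from the PR are the rule fields and the `10` / `5` contents of `LogonType.txt`.

```rust
use std::collections::HashMap;
use std::fs;
use std::path::Path;

// Constructed model of a Sigma selection; this is not Hayabusa's own rule type.
#[derive(Debug, Clone, PartialEq)]
enum Matcher {
    Eq(String),         // `Field: value`
    AnyOf(Vec<String>), // `Field: [a, b]`  (OR over the list)
    Expand(String),     // `Field|expand: '%Name%'`, stores "Name"
}

#[derive(Debug, Clone, PartialEq)]
struct Rule {
    title: String,
    selection: Vec<(String, Matcher)>, // every pair must match (`condition: selection`)
}

impl Rule {
    fn uses_expand(&self) -> bool {
        self.selection.iter().any(|(_, m)| matches!(m, Matcher::Expand(_)))
    }
}

/// "%LogonType%" -> Some("LogonType"); anything that is not a placeholder -> None.
fn placeholder_name(value: &str) -> Option<&str> {
    let inner = value.strip_prefix('%')?.strip_suffix('%')?;
    if inner.is_empty() || inner.contains('%') { None } else { Some(inner) }
}

/// Reads <base_dir>/config/expand/<name>.txt, one value per line (blank lines ignored).
/// Resolving relative to the directory the binary is run from is the assumed behaviour
/// behind the thread: a `./target/release/hayabusa` run with no config/ beside it finds nothing.
fn load_expand_values(base_dir: &Path, name: &str) -> Option<Vec<String>> {
    let path = base_dir.join("config").join("expand").join(format!("{name}.txt"));
    let text = fs::read_to_string(path).ok()?;
    Some(text.lines().map(str::trim).filter(|l| !l.is_empty()).map(String::from).collect())
}

/// Rewrites every Expand matcher into the equivalent AnyOf list.
/// None means a placeholder file is missing, so the rule stays disabled.
fn expand_rule(rule: &Rule, base_dir: &Path) -> Option<Rule> {
    let mut selection = Vec::with_capacity(rule.selection.len());
    for (field, m) in &rule.selection {
        let resolved = match m {
            Matcher::Expand(name) => Matcher::AnyOf(load_expand_values(base_dir, name)?),
            other => other.clone(),
        };
        selection.push((field.clone(), resolved));
    }
    Some(Rule { title: rule.title.clone(), selection })
}

/// Returns (expand rules, enabled expand rules, rules that will actually scan):
/// the same three facts the "Loading detection rules" output reports.
fn load_rules(rules: &[Rule], base_dir: &Path) -> (usize, usize, Vec<Rule>) {
    let (mut expand, mut enabled_expand, mut enabled) = (0, 0, Vec::new());
    for r in rules {
        if !r.uses_expand() {
            enabled.push(r.clone());
            continue;
        }
        expand += 1;
        if let Some(e) = expand_rule(r, base_dir) {
            enabled_expand += 1;
            enabled.push(e);
        }
    }
    (expand, enabled_expand, enabled)
}

fn matches(rule: &Rule, event: &HashMap<&str, &str>) -> bool {
    rule.selection.iter().all(|(field, m)| match event.get(field.as_str()) {
        None => false,
        Some(v) => match m {
            Matcher::Eq(x) => x.as_str() == *v,
            Matcher::AnyOf(xs) => xs.iter().any(|x| x.as_str() == *v),
            Matcher::Expand(_) => false, // unresolved placeholder never matches
        },
    })
}

fn count_hits(rules: &[Rule], events: &[HashMap<&str, &str>]) -> usize {
    events.iter().filter(|e| rules.iter().any(|r| matches(r, e))).count()
}

/// The two rules from the PR: the expand form and the list form it should be equivalent to.
fn test_rules() -> (Rule, Rule) {
    let common = |lt: Matcher| Rule {
        title: "TEST".to_string(),
        selection: vec![
            ("Channel".to_string(), Matcher::Eq("Security".to_string())),
            ("EventID".to_string(), Matcher::Eq("4624".to_string())),
            ("LogonType".to_string(), lt),
        ],
    };
    let expand_form = common(Matcher::Expand(placeholder_name("%LogonType%").unwrap().to_string()));
    let list_form = common(Matcher::AnyOf(vec!["10".to_string(), "5".to_string()]));
    (expand_form, list_form)
}

/// Constructed events standing in for the sample evtx data (Channel, EventID, LogonType).
fn sample_events() -> Vec<HashMap<&'static str, &'static str>> {
    vec![("Security", "4624", "10"), ("Security", "4624", "5"), ("Security", "4624", "2"),
         ("Security", "4625", "10"), ("Security", "4624", "10")]
        .into_iter()
        .map(|(c, id, lt)| HashMap::from([("Channel", c), ("EventID", id), ("LogonType", lt)]))
        .collect()
}

/// Writes the constructed config/expand/LogonType.txt (10 and 5, as in the PR) under base_dir.
fn write_constructed_config(base_dir: &Path) -> std::io::Result<()> {
    let dir = base_dir.join("config").join("expand");
    fs::create_dir_all(&dir)?;
    fs::write(dir.join("LogonType.txt"), "10\n5\n")
}

fn main() {
    let base = std::env::temp_dir().join("hayabusa_expand_demo");
    write_constructed_config(&base).expect("write constructed config");
    let (expand_form, list_form) = test_rules();
    let events = sample_events();
    let (n_expand, n_enabled, enabled) = load_rules(&[expand_form.clone()], &base);
    println!("Expand rules: {n_expand}  Enabled expand rules: {n_enabled}");
    println!("expand form hits: {}  list form hits: {}",
             count_hits(&enabled, &events), count_hits(&[list_form], &events));
    // Same rule run where config/expand is not beside the binary: it stays disabled.
    let (n_expand, n_enabled, _) = load_rules(&[expand_form], Path::new("/nonexistent-expand-demo-dir"));
    println!("Expand rules: {n_expand}  Enabled expand rules: {n_enabled}");
    let _ = fs::remove_dir_all(&base);
}
```

When the config directory is present, the expanded rule's selection is structurally identical to the list form and both hit the same events; when it is absent, the rule is counted as an expand rule but not as an enabled one and contributes no detections, which is the "Enabled expand rules: 0" outcome reported above.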

Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket Great job! Works perfect!

@YamatoSecurity YamatoSecurity merged commit e46828f into main Dec 9, 2024
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1434-support-expand branch December 9, 2024 10:41
Labels
enhancement New feature or request
Development

Successfully merging this pull request may close these issues.

Support expand modifiers