V2.0.0 Meta-rule correlation Metric Conditions proposal #114

frack113 · 2023-12-19T14:58:42Z

frack113
Dec 19, 2023
Maintainer

CHANGE:

remove range
change condition to metric to avoid to avoid confusion with condition in sigma rules

--- New version ---
Attribute: metric

The metric defines when a correlation matches:

for an event_count correlation it defines the event count that must appear within the given time frame to match.
for a value_count correlation it defines the count of distinct values contained in the field specified in the
mandatory field attribute.
For a temporal or temporal_ordered correlation it specified the count of different event types (Sigma rules
matching) in the given time frame.

The field metric defines the condition that must evaluate to true to generate a match.

It is a map of exactly one condition criterion:

Example:

metric:
    gte: 100

To select a range , you can use the map AND

Example "101 to 200":

metric:
    gt: 100
    lte: 200

If you need more complex constructs, you can always chain correlation rules together.
See the examples at the far bottom, for more details.

thomaspatzke · 2023-12-31T14:55:28Z

I'm against renaming the correlation condition attribute into metric because of the following reasons:

A metric names something different, by definition it's a measure for something. Here it's indeed a condition. Therefore, the word would be semantically wrong.
I don't see much potential for a confusion. It's a different rule type and it should be obvious for the rule writer that a different syntax is required and the semantics from Sigma rules don't apply here because there are no detection definitions. Even when the rule writer tries to write a Sigma rule condition here this will cause an error.
It requires that rule writers have to memorize another attribute name.

0 replies