
fix: output Events with hits when agg/correlation rule #1376

Closed
wants to merge 1 commit into from

Conversation

@fukusuket fukusuket (Collaborator) commented Jun 25, 2024

What Changed

This PR only fixes the following problem 2.

  2. Events with hits / Total events: 0 / 26,341 (Data reduction: 26,341 events (100.00%)) should say Events with hits / Total events: 2 / 26,341 (Data reduction: 26,339 events (99.99%))

I would appreciate it if the following problem 1 could be fixed in a separate PR, as it would be better to fix it with #1342.

  1. Top 5 computers with most unique detections shows only n/a but should include the correlation rule results

Evidence

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -r rules/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml -w -q
Start time: 2024/06/25 23:57

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.


Stable rules: 1 (100.00%)

Hayabusa rules: 1
Total detection rules: 1

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 241
Detection rules enabled after channel filter: 1

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 241 / 241   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Timestamp · RuleTitle · Level · Computer · Channel · EventID · RecordID · Details · ExtraFieldInfo
2016-09-20 01:50:06.513 +09:00 · PW Guessing · med · - · - · - · - · Count: 3558 ¦ IpAddress: 192.168.198.149 · -


Rule Authors:

╭─────────────────╮
│ Zach Mathis (1) │
╰─────────────────╯

Results Summary:

Events with hits / Total events: 1 / 26,341 (Data reduction: 26,340 events (100.00%))

Total | Unique detections: 1 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (0.00%)
Total | Unique medium detections: 1 (100.00%) | 1 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (100.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

Dates with most total detections:
critical: n/a, high: n/a, medium: 2016-09-20 (1), low: n/a, informational: n/a

Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: n/a
informational: n/a

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket self-assigned this Jun 25, 2024
@fukusuket fukusuket added the bug Something isn't working label Jun 25, 2024
@fukusuket fukusuket added this to the v2.17.0 milestone Jun 25, 2024
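The summary line under discussion depends on what an aggregation (count) rule is taken to contribute: one hit per output row, or one hit per underlying record that was folded into the row. The following Rust program is an added illustration, not Hayabusa's own code, and it does not claim which of the two counting methods the project settled on; it evaluates a hypothetical `EventID == 4625 | count() by IpAddress > threshold` condition (no timeframe) over constructed sample events and renders the "Events with hits / Total events" line both ways so the difference is visible. All struct and function names, the sample record IDs and the IP addresses are assumptions made for the example.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One parsed Windows Security event (constructed sample data, not a real log).
#[derive(Debug, Clone)]
pub struct Event {
    pub record_id: u64,
    pub event_id: u32,
    pub ip_address: String,
}

/// One output row of a count-style aggregation rule: a group that crossed the threshold.
#[derive(Debug, PartialEq)]
pub struct AggHit {
    pub ip_address: String,
    pub count: usize,
    /// RecordIDs of the underlying events that were folded into this row.
    pub matched_records: Vec<u64>,
}

/// Figures behind the "Events with hits / Total events" line of the results summary.
#[derive(Debug, PartialEq)]
pub struct Summary {
    pub events_with_hits: usize,
    pub total_events: usize,
    pub reduced_events: usize,
    pub reduction_pct: f64,
}

/// Constructed sample: failed logons (4625) from two source IPs plus one unrelated 4624.
pub fn sample_events() -> Vec<Event> {
    let mut events = Vec::new();
    let mut add = |record_id: u64, event_id: u32, ip: &str| {
        events.push(Event { record_id, event_id, ip_address: ip.to_string() });
    };
    for rid in 1..=5 { add(rid, 4625, "192.168.198.149"); }
    for rid in 6..=9 { add(rid, 4625, "10.0.0.7"); }
    add(10, 4624, "10.0.0.7");
    events
}

/// Evaluate the hypothetical `EventID == event_id | count() by IpAddress > threshold`
/// condition (timeframe ignored). Returns one row per group over the threshold.
pub fn run_count_rule(events: &[Event], event_id: u32, threshold: usize) -> Vec<AggHit> {
    let mut groups: BTreeMap<&str, Vec<u64>> = BTreeMap::new();
    for ev in events.iter().filter(|e| e.event_id == event_id) {
        groups.entry(ev.ip_address.as_str()).or_default().push(ev.record_id);
    }
    groups
        .into_iter()
        .filter(|(_, records)| records.len() > threshold)
        .map(|(ip, records)| AggHit {
            ip_address: ip.to_string(),
            count: records.len(),
            matched_records: records,
        })
        .collect()
}

/// Counting method A: each aggregation output row is one "event with a hit".
pub fn summarize_by_rows(hits: &[AggHit], total_events: usize) -> Summary {
    build_summary(hits.len(), total_events)
}

/// Counting method B: every distinct underlying record that fed a row is a hit.
pub fn summarize_by_records(hits: &[AggHit], total_events: usize) -> Summary {
    let matched: BTreeSet<u64> = hits
        .iter()
        .flat_map(|h| h.matched_records.iter().copied())
        .collect();
    build_summary(matched.len(), total_events)
}

fn build_summary(events_with_hits: usize, total_events: usize) -> Summary {
    let reduced_events = total_events.saturating_sub(events_with_hits);
    let reduction_pct = if total_events == 0 {
        0.0
    } else {
        reduced_events as f64 * 100.0 / total_events as f64
    };
    Summary { events_with_hits, total_events, reduced_events, reduction_pct }
}

/// Render the summary line in the same shape as the page's output (no thousands separators).
pub fn format_summary(s: &Summary) -> String {
    format!(
        "Events with hits / Total events: {} / {} (Data reduction: {} events ({:.2}%))",
        s.events_with_hits, s.total_events, s.reduced_events, s.reduction_pct
    )
}

fn main() {
    let events = sample_events();
    let hits = run_count_rule(&events, 4625, 3);
    for h in &hits {
        println!("PW Guessing · Count: {} ¦ IpAddress: {} (records {:?})",
                 h.count, h.ip_address, h.matched_records);
    }
    println!("by rows:    {}", format_summary(&summarize_by_rows(&hits, events.len())));
    println!("by records: {}", format_summary(&summarize_by_records(&hits, events.len())));
}
```

With the sample data both source IPs cross the threshold, so method A reports 2 of 10 events, while method B reports 9 of 10; the two-decimal percentage is why a reduction of 26,340 out of 26,341 events prints as 100.00% in the page's output even though one event did have a hit.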
@fukusuket fukusuket (Collaborator, Author) commented:

hayabusa-sample-evtx

I confirmed that there is no difference compared to main.

% ./hayabusa-main csv-timeline -d ../hayabusa-sample-evtx -w -q -D -n -u -C -o old.csv
% ./hayabusa-new csv-timeline -d ../hayabusa-sample-evtx -w -q -D -n -u -C -o new.csv
% diff new.csv old.csv
%

@fukusuket fukusuket marked this pull request as ready for review June 25, 2024 15:08
@fukusuket fukusuket marked this pull request as draft June 25, 2024 23:07
@fukusuket fukusuket (Collaborator, Author) commented:

Sorry, I will check the correlation count and the aggregation count as they are different...

@fukusuket fukusuket (Collaborator, Author) commented:

This one is closed because it looks like a different implementation would be better than this pull request's implementation.

@fukusuket fukusuket closed this Jun 26, 2024
@fukusuket fukusuket deleted the 1373-agg-correlation-rule-not-countup branch July 7, 2024 13:07