Ignore referenced rules in sigma correlation rules #1367

Closed · YamatoSecurity opened this issue Jun 15, 2024 · 3 comments · Fixed by #1372
@YamatoSecurity (Collaborator)

If there is a rule like this:

```yaml
title: Value Count TEST
id: 0e95725d-7320-415d-80f7-004da920fc11
level: informational
correlation:
  type: value_count
  rules:
    - rule-a
    - rule-b
  group-by:
    - Computer
  timespan: 5m
  condition:
    gte: 2
    field: SubStatus
---
title: Logon Failure (User Does Not Exist)
name: rule-a

logsource:
  product: windows
  service: security
detection:
  selection_basic:
    Channel: Security
    EventID: 4625
  selection_user_not_exist:
    SubStatus: "0xc0000064" # Username does not exist error
  condition: selection_basic and selection_user_not_exist
---
title: Logon Failure (Wrong Password)
name: rule-b

logsource:
  product: windows
  service: security
detection:
  selection_basic:
    Channel: Security
    EventID: 4625
  selection_wrong_password:
    SubStatus: "0xc000006a" # Wrong password
  condition: selection_basic and selection_wrong_password
```

we should ignore rules rule-a and rule-b as separate rules as we already have them in separate rules. This also lets us only display results for the correlation rule instead of having to also display/save the results for the referenced rules as well.

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Jun 15, 2024
@YamatoSecurity YamatoSecurity added this to the v2.17.0 milestone Jun 15, 2024
@fukusuket (Collaborator)

@YamatoSecurity
I have a question!

In the following cases (where a rule in another yml file is referenced), do you output both detection results (correlated rule and referenced rule)?🤔

```yaml
title: Value Count TEST
id: 0e95725d-7320-415d-80f7-004da920fc11
level: informational
correlation:
  type: value_count
  rules:
    - e87bd730-df45-4ae9-85de-6c75369c5d29 # Logon Failure (Wrong Password)
    - 8afa97ce-a217-4f7c-aced-3e320a57756d # Logon Failure (User Does Not Exist)
  group-by:
    - Computer
  timespan: 5m
  condition:
    gte: 2
    field: SubStatus
```

In other words, I believe that a reference rule will not output a detection result only if all of the following are met.

  • The rule is correlation
  • The reference rule is written within the one yml file
  • Reference rules are not written in another yml file

Am I correct...?🤔

@YamatoSecurity (Collaborator, Author)

@fukusuket I don't think we should care about whether the rules are written in the same file or in different files (we should be able to support both). So when loading rules, we can check if it is a correlation rule, and if it is, we check the IDs of the rules it references and then don't output the rules that are referenced, only the correlation rule results.

@YamatoSecurity (Collaborator, Author)

@fukusuket Sorry I didn't notice it was explained here: https://blog.sigmahq.io/introducing-sigma-correlations-52fe377f2527
By default, we do not output the referenced rules as I wrote, except when generate: true is set.
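As an added illustration (not Hayabusa's own code) of the loading-time filter the thread converges on: collect the `name`/`id` values referenced by each correlation rule and drop those rules from the output unless the correlation rule sets `generate: true`. The rules are constructed inline as already-parsed dicts so the example runs without a YAML library, and the tie-break when several correlation rules reference the same rule with different `generate` settings is an assumption made here, not Sigma spec text.

```python
# Added example: decide which loaded Sigma rules should emit their own
# detections once correlation rules are taken into account.

def referenced_rule_keys(rule):
    """Names/ids a correlation rule references; empty for ordinary rules."""
    corr = rule.get("correlation")
    if not isinstance(corr, dict):
        return []
    refs = corr.get("rules", [])
    return [refs] if isinstance(refs, str) else list(refs)


def rules_to_output(rules):
    """Return the rules whose detections should be written out.

    A rule referenced by a correlation rule is suppressed unless at least one
    referencing correlation rule sets `generate: true`. Letting a single
    `generate: true` win over other correlation rules is an assumption here.
    """
    suppressed, kept = set(), set()
    for rule in rules:
        corr = rule.get("correlation")
        if not isinstance(corr, dict):
            continue
        target = kept if corr.get("generate") is True else suppressed
        target.update(referenced_rule_keys(rule))
    suppressed -= kept
    # A rule may be referenced by either its `name` or its `id`.
    return [r for r in rules
            if not ({r.get("id"), r.get("name")} & suppressed)]


# Constructed sample mirroring the issue: one correlation rule referencing two
# detection rules by `name`, plus an unrelated rule that must stay untouched.
SAMPLE_RULES = [
    {"title": "Value Count TEST", "id": "0e95725d-7320-415d-80f7-004da920fc11",
     "correlation": {"type": "value_count", "rules": ["rule-a", "rule-b"],
                     "group-by": ["Computer"], "timespan": "5m",
                     "condition": {"gte": 2, "field": "SubStatus"}}},
    {"title": "Logon Failure (User Does Not Exist)", "name": "rule-a",
     "detection": {"selection": {"EventID": 4625, "SubStatus": "0xc0000064"}}},
    {"title": "Logon Failure (Wrong Password)", "name": "rule-b",
     "detection": {"selection": {"EventID": 4625, "SubStatus": "0xc000006a"}}},
    {"title": "Unrelated rule", "id": "00000000-0000-0000-0000-000000000000",
     "detection": {"selection": {"EventID": 4688}}},  # placeholder id
]

if __name__ == "__main__":
    for r in rules_to_output(SAMPLE_RULES):
        print(r["title"])
```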
