Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sigma correlations support: Value Count #1338

Open
YamatoSecurity opened this issue May 3, 2024 · 1 comment
Open

Sigma correlations support: Value Count #1338

YamatoSecurity opened this issue May 3, 2024 · 1 comment
Assignees
@fukusuket
Labels
enhancement New feature or request
Milestone
v2.16.0

Comments

@YamatoSecurity
Copy link
Collaborator

@fukusuket This one is similar to Event Count by also looks for when fields are different so you probably should do this issue after Event Count.

Value Count sample:

title: Many failed logons to different users
id: 0e95725d-7320-415d-80f7-004da920fc12
correlation:
  type: value_count
  rules:
    - 8afa97ce-a217-4f7c-aced-3e320a57756d # Logon Failure (User Does Not Exist)
  group-by:
    - Computer
  timespan: 1h
  condition:
    field: TargetUserName
    gte: 10

This rule would alert if there are 10 or more different target user names within 1 hour for the same Computer

It would be similar to condition: selection | count(TargetUserName) by Computer >= 10

Here is an example of multiple group-bys

title: Many failed logons to different users
id: 0e95725d-7320-415d-80f7-004da920fc12
correlation:
  type: value_count
  rules:
    - 8afa97ce-a217-4f7c-aced-3e320a57756d # Logon Failure (User Does Not Exist)
  group-by:
    - Computer
    - IpAddress
  timespan: 1h
  condition:
    field: TargetUserName
    gte: 10

It would be similar to condition: selection | count(TargetUserName) by Computer,IpAddress >= 10 , however, it is not possible to specify multiple fields in by with count.

This rule would alert if there are 10 or more target user names with the same Computer and IpAddress fields.
@YamatoSecurity YamatoSecurity added the enhancement New feature or request label May 3, 2024
@YamatoSecurity YamatoSecurity added this to the v2.16.0 milestone May 3, 2024
@fukusuket
Copy link
Collaborator

I would love to implement this issue as well💪

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fukusuket fukusuket

Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.16.0
Development

No branches or pull requests
2 participants
@fukusuket @YamatoSecurity