Improving count rule's output about hayabusa HOT 5 OPEN

@fukusuket I talked to someone who is more familiar with importing into elastic stack and he said that elastic will create multiple logs (documents) when arrays are used and it will make parsing more difficult so I think we should avoid arrays and keep everything as strings. We should probably keep the Channel and EventID information not in Details, but in the normal fields so that it makes searching for them easier.

from hayabusa.

@YamatoSecurity
Thank you for checking :) Is the expected JSON output format like the following?

• Top-level fields are strings joined with ¦.
• Create fields such as Count/IpAddress/SubStatus... under the Details field and store values ​​in each.

{
    "Timestamp": "2021-10-24 06:50:11.666 +09:00",
    "RuleTitle": "TEST_TITLE",
    "Level": "info",
    "Computer": "HOSTA ¦ HOSTB",
    "Channel": "Sysmon ¦ Security",
    "EventID": "4624 ¦ 4625",
    "RecordID": "",
    "Details": {
        "Count": 2,
        "IpAddress": "10.23.23.9",
        "SubStatus": "0x0",
        "LogonType": "10"
    },
    "ExtraFieldInfo": "-"
}

from hayabusa.

#1339 (comment)

Or even better, if we could define in details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' and get the following results: Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -

from hayabusa.

#1341 (comment)

• If top level Channel has multiple values, should it be an array or string?
• If top level EventID has multiple values, should it be an array or string?
• If each field under Details has multiple values, should it be an array or string?
• Should the aggregate results of Channel and EventID be placed under Details?

from hayabusa.

@fukusuket LGTM!

from hayabusa.