Comments (6)
@fukusuket I talked to someone who is more familiar with importing into elastic stack and he said that elastic will create multiple logs (documents) when arrays are used and it will make parsing more difficult so I think we should avoid arrays and keep everything as strings. We should probably keep the Channel and EventID information not in Details, but in the normal fields so that it makes searching for them easier.
from hayabusa.
@YamatoSecurity
Thank you for checking :) Is the expected JSON output format like the following?
- Top-level fields are strings joined with
¦
. - Create fields such as
Count/IpAddress/SubStatus
... under the Details field and store values in each.
{
"Timestamp": "2021-10-24 06:50:11.666 +09:00",
"RuleTitle": "TEST_TITLE",
"Level": "info",
"Computer": "HOSTA ¦ HOSTB",
"Channel": "Sysmon ¦ Security",
"EventID": "4624 ¦ 4625",
"RecordID": "",
"Details": {
"Count": 2,
"IpAddress": "10.23.23.9",
"SubStatus": "0x0",
"LogonType": "10"
},
"ExtraFieldInfo": "-"
}
from hayabusa.
Or even better, if we could define in details: 'TgtUser: %TargetUserName% ¦ SrcIp: %IpAddress%' and get the following results: Count: 4 ¦ TgtUser: tanaka/Administrator/adsyncadmin/suzuki ¦ SrcIp: -
from hayabusa.
- If top level Channel has multiple values, should it be an array or string?
- If top level EventID has multiple values, should it be an array or string?
- If each field under Details has multiple values, should it be an array or string?
- Should the aggregate results of Channel and EventID be placed under Details?
from hayabusa.
@fukusuket LGTM!
from hayabusa.
Related Issues (20)
- [bug] `-T(--visualize-timeline)` option does not work
- Can't get hayabusa to use JSON as input HOT 3
- Enhancement: Duplicate detections for logon-summary HOT 5
- Bug: `windash` not working when there is a * wildcard HOT 3
- Check out WatchAD2.0 by Qihoo360 HOT 1
- aarch64 musl binary can't run HOT 1
- Consistent output for Timeline Explorer HOT 5
- Allow `-d` to be specified multiple times HOT 1
- Sigma correlations support: Event Count HOT 3
- Sigma correlations support: Value Count HOT 1
- Support multiple grouping by in `count` HOT 1
- [bug] Nothing is detected when using the `-J, --JSON-input` option with the timeline command because of `Channel` filter HOT 4
- Enable overflow checks in release mode
- Support for `Provider_name` and `Data[x]` notation to the field mapping HOT 4
- [bug] Defender is getting triggered when unpacking rules HOT 13
- Embed non-configurable files into binary
- Enable low memory mode by default
- Ignore referenced rules in sigma correlation rules HOT 3
- Investigation of increased memory usage HOT 12
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hayabusa.