Comments (4)
Specification memo:
- If possible, make
Provider_Name
optional - If possible, allow multiple values ββto be set for
Provider_Name
(It is preferable to have one yaml file) - Do not output the value before field value conversion to
ExtraFieldInfo
(csv/json)
from hayabusa.
- Do not output the value before field value conversion to ExtraFieldInfo (csv/json)
I have looked into the feasibility of implementation and it does not appear to be easy to achieve π€
The main reasons are the following two points:
- Under the
Data
field is an array (not simple key value) - The exclusion process for
Details
andExtraFieldInfo
is a bit complicated- e.g. #1146
- This is a different issue, but I think the fix will be as complicated as this one.
- e.g. #1146
@YamatoSecurity
I think I'm going to create the issue of output to ExtraFieldInfo
as a separate issue and hold off on implementation, what do you think?
from hayabusa.
@fukusuket I see, sure, we can hold off on the implementation for now. I'm thinking it might be better to save the Data
fields as different fields instead of in an array for JSON. For example: Data-1
, Data-2
, etc... This way it will be easier to deal with when importing records into elastic stack, etc...
from hayabusa.
Do not output the value before field value conversion to ExtraFieldInfo (csv/json)
Sorry many times, I looked into it more and found how to implement this just now(though my current implementation is even more complicated...π). I'll create PR.
I see, It would be nice if eliminating Array would make it easier to integrate with things like ElasticSearch :)
from hayabusa.
Related Issues (20)
- computer-metrics usage is different
- Only enable rule files that are applicable to the loaded evtx files
- Only load and scan evtx files based on loaded rules
- Support `windash` pipe modifier HOT 5
- Investigate chances to reduce memory, refactor code, etc...
- [bug] `-T(--visualize-timeline)` option does not work
- Can't get hayabusa to use JSON as input HOT 3
- Enhancement: Duplicate detections for logon-summary HOT 5
- Bug: `windash` not working when there is a * wildcard HOT 3
- Check out WatchAD2.0 by Qihoo360 HOT 1
- aarch64 musl binary can't run HOT 1
- Consistent output for Timeline Explorer HOT 5
- Allow `-d` to be specified multiple times HOT 1
- Sigma correlations support: Event Count HOT 3
- Sigma correlations support: Value Count HOT 1
- Support multiple grouping by in `count` HOT 1
- Improving count rule's output HOT 5
- [bug] Nothing is detected when using the `-J, --JSON-input` option with the timeline command because of `Channel` filter HOT 4
- Enable overflow checks in release mode
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hayabusa.