
[FR] Rules with Threshold for es-rule

Open V1D1AN opened this issue 4 years ago • 1 comment

Hi the community,

With Kibana and Elastic SIEM, you can create rules with Threshold.

When I do:

./sigmac -t es-rule --filter condition!=near -I -c config/generic/sysmon.yml -c config/winlogbeat-modules-enabled.yml --backend-config backend.yml --backend-option custom_tag="Windows" -r ../rules/windows -o windows-rules.ndjson
An unsupported feature is required for this Sigma rule (../rules/windows/process_creation/win_dnscat2_powershell_implementation.yml): Threshold rules cannot COUNT(DISTINCT process.executable)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/dns_query/sysmon_possible_dns_rebinding.yml): Threshold rules cannot COUNT(DISTINCT QueryName)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/other/win_rare_schtask_creation.yml): Threshold rules can only handle > and >= operators
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml): Threshold rules cannot COUNT(DISTINCT powershell.file.script_block_text)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml): Threshold rules cannot COUNT(DISTINCT powershell.file.script_block_text)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml): Threshold rules cannot COUNT(DISTINCT Account_Name)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml): Threshold rules cannot COUNT(DISTINCT Account_Name)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml): Threshold rules cannot COUNT(DISTINCT Logon_Account)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml): Threshold rules cannot COUNT(DISTINCT Account_Name)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_rare_schtasks_creations.yml): Threshold rules can only handle > and >= operators
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml): Threshold rules cannot COUNT(DISTINCT Logon_Account)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml): Threshold rules cannot COUNT(DISTINCT Account_Name)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_single_source.yml): Base backend doesn't support multiple conditions
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_rare_service_installs.yml): Threshold rules can only handle > and >= operators
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_logons_single_process.yml): Threshold rules cannot COUNT(DISTINCT Account_Name)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
An unsupported feature is required for this Sigma rule (../rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml): Threshold rules cannot COUNT(DISTINCT Account_Name)
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma

Can someone develop the function?

V1D1AN avatar Jun 10 '21 19:06 V1D1AN
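As an added example (not the Sigma project's code and not from the issue author), the following Python pre-screens legacy Sigma aggregation conditions against the three constraints that sigmac reported above, so rules that cannot become Elastic threshold rules are identified before the conversion run instead of failing in the middle of it. The rule dicts, rule names and field names are constructed for the example. Two points are assumptions rather than facts from the issue: that an Elastic threshold rule fires when the per-group event count is greater than or equal to `threshold.value` (so `> N` maps to a value of `N+1`), and that the backend only accepts `count()` as the aggregation function.

```python
"""Pre-screen Sigma rule conditions for the sigmac es-rule (Elastic threshold)
constraints quoted in the issue.  Constructed example, not Sigma project code.

Assumed Elastic semantic: a threshold rule fires when the per-group event
count is >= threshold.value (check the Kibana docs for your version).
"""
import re

# Legacy Sigma aggregation expression, e.g.
#   selection | count(Account_Name) by Workstation > 10
#   selection | count() by ComputerName >= 5
AGG_RE = re.compile(
    r"^\s*(?P<search>.+?)\s*\|\s*"
    r"(?P<func>count|min|max|avg|sum)\((?P<field>[^)]*)\)"
    r"(?:\s+by\s+(?P<by>\S+))?\s*"
    r"(?P<op><=|>=|==|<|>|=)\s*(?P<value>\d+(?:\.\d+)?)\s*$",
    re.IGNORECASE,
)
NEAR_RE = re.compile(r"\|\s*near\b", re.IGNORECASE)
SUPPORTED_OPS = {">", ">="}  # the only operators the issue output accepts


def parse_aggregation(condition):
    """Return the aggregation part of a Sigma condition as a dict, or None."""
    m = AGG_RE.match(condition)
    if not m:
        return None
    d = m.groupdict()
    d["field"] = d["field"].strip() or None          # count(field) == distinct count
    d["value"] = float(d["value"]) if "." in d["value"] else int(d["value"])
    return d


def threshold_problems(rule):
    """List the reasons a rule cannot become an Elastic threshold rule.

    Empty list == convertible.  Messages mirror the sigmac output in the issue;
    the count()-only check is an assumption about the backend.
    """
    cond = rule.get("detection", {}).get("condition")
    if isinstance(cond, list):
        return ["Base backend doesn't support multiple conditions"]
    if not isinstance(cond, str):
        return ["rule has no condition"]
    if NEAR_RE.search(cond):  # the issue author filtered these out with condition!=near
        return ["near aggregation is not supported by the es-rule backend"]
    agg = parse_aggregation(cond)
    if agg is None:
        return []  # plain query, no threshold needed
    problems = []
    if agg["func"].lower() != "count":
        problems.append("Threshold rules can only handle count()")  # assumption
    if agg["field"]:
        problems.append(f"Threshold rules cannot COUNT(DISTINCT {agg['field']})")
    if agg["op"] not in SUPPORTED_OPS:
        problems.append("Threshold rules can only handle > and >= operators")
    return problems


def to_threshold(rule):
    """Build the Elastic 'threshold' fragment for a convertible rule.

    Elastic fires at count >= value, so 'count() by X > N' becomes N+1.
    """
    problems = threshold_problems(rule)
    if problems:
        raise ValueError("; ".join(problems))
    agg = parse_aggregation(rule["detection"]["condition"])
    if agg is None:
        raise ValueError("rule has no aggregation, use a query rule instead")
    value = agg["value"] + 1 if agg["op"] == ">" else agg["value"]
    # empty field string == no grouping (assumption about the 7.x API shape)
    return {"type": "threshold",
            "threshold": {"field": agg["by"] or "", "value": value}}


# Constructed sample rules modelled on the failure modes in the issue output
SAMPLE_RULES = {
    "failed_logons_single_source": {"detection": {
        "selection": {"EventID": 4625},
        "condition": "selection | count(Account_Name) by Workstation > 10"}},
    "rare_schtask_creation": {"detection": {
        "selection": {"EventID": 4698},
        "condition": "selection | count() by TaskName < 5"}},
    "many_logons_one_host": {"detection": {
        "selection": {"EventID": 4624},
        "condition": "selection | count() by ComputerName > 30"}},
    "multi_condition": {"detection": {
        "selection1": {"EventID": 1}, "selection2": {"EventID": 2},
        "condition": ["selection1", "selection2"]}},
    "near_rule": {"detection": {
        "selection": {"EventID": 1}, "selection2": {"EventID": 3},
        "condition": "selection | near selection2"}},
    "plain_query": {"detection": {
        "selection": {"Image|endswith": "\\example.exe"},
        "condition": "selection"}},
}


def screen_rules(rules=SAMPLE_RULES):
    """Map rule name -> list of problems (empty list == convertible)."""
    return {name: threshold_problems(rule) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, problems in screen_rules().items():
        print(f"{'OK  ' if not problems else 'SKIP'} {name}: "
              f"{'; '.join(problems) or 'convertible'}")
    print(to_threshold(SAMPLE_RULES["many_logons_one_host"]))
```

Running the block prints one line per sample rule with the same wording sigmac used, followed by the threshold fragment for the one convertible rule. In practice you would load each `.yml` from the rules directory with a YAML parser, pass the resulting dict to `threshold_problems()`, and feed only the clean rules to `sigmac -t es-rule`.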

Hi, I think it is more an issue for Elastic, as they can only have Threshold rules with > and >= operators for the moment... In the doc EQL syntax reference V7.13:

Elasticsearch EQL does not support:

    Array functions:
        arrayContains
        arrayCount
        arraySearch
    The match function
    Joins

    Lineage-related keywords:
        child of
        descendant of
        event of

    The following pipes:
        count
        filter
        sort
        unique
        unique_count

frack113 avatar Jun 10 '21 19:06 frack113