Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow multiple fields in value_count #163

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow multiple fields in value_count #163

wants to merge 1 commit into from

Conversation

vruello
Copy link

@vruello vruello commented Dec 8, 2024

In value_count rules, it can be useful to count the number of different field value tuples (such as (TargetDomainName, TargetUserName) to represent a user).

pySigma already accepts a list of strings for condition.field.

After discussion with @frack113 , this PR adds a sentence to state the expected behavior when providing multiple fields in condition.field. It also updates the correlation rules schema.

insdami
insdami reviewed Dec 10, 2024
View reviewed changes
json-schema/sigma-correlation-rules-schema.json
@@ -185,9 +185,20 @@
},
{
"field": {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't the name indicate that it can contain multiple values? As in fields?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, but it would require changing all the existing rules. Perhaps both could be accepted?

insdami
insdami reviewed Dec 10, 2024
View reviewed changes
specification/sigma-correlation-rules-specification.md
@@ -386,6 +386,8 @@ Counts values in a field defined by `field`.
The resulting query must count field values separately for each group specified by group-by.
The condition finally defines how many values must occur to generate a search hit.

When you use multiple values in `field` they are linked by an **AND**.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it help to add a snippet to showcase multiple fields?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@insdami insdami insdami left review comments

@frack113 frack113 frack113 approved these changes

@thomaspatzke thomaspatzke Awaiting requested review from thomaspatzke

@nasbench nasbench Awaiting requested review from nasbench

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vruello @insdami @frack113