[Playbooks] Sigma and Aggregations #5162

ckmk14 · 2021-08-16T08:51:32Z

ckmk14
Aug 16, 2021

Hi all,

i have tried to convert the following sigma rule containing a count():
https://github.com/SigmaHQ/sigma/blob/master/rules/network/net_dns_c2_detection.yml

Looks like aggregations are unsupported:

An unsupported feature is required for this Sigma rule (/tmp/tmpxc6u7f2l): Aggregations not implemented for this backend
Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma

A discussion has also been started on this topic (#3538)
Thereby, an issue with the RDP/IP field was fixed, but I can't find an answer to the question if aggregations are supported?

What made me start the discussion here again was a play using a count() that is already in my installation by default. When I copy/paste the sigma rule shown in the picture (can also be found here https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_failed_logons_single_source.yml) to a new play and try to convert it, I also get the above error.

Does anyone have an idea why converting aggragation functions when creating a play does not work but plays with aggregation functions in SO are available by default?

SO-Version: 2.3.61

Best regards
Markus

Answered by defensivedepth

Aug 17, 2021

Aggs as they are currently implemented in Sigma are not supported. However, count() is deprecated, and will be replaced shortly by something else with a more comprehensive implementation.

View full answer

defensivedepth · 2021-08-17T15:13:51Z

defensivedepth
Aug 17, 2021
Maintainer

Aggs as they are currently implemented in Sigma are not supported. However, count() is deprecated, and will be replaced shortly by something else with a more comprehensive implementation.

1 reply

ckmk14 Aug 17, 2021
Author

Thanks for the answer!

stormdosertao · 2023-10-10T19:48:10Z

stormdosertao
Oct 10, 2023

Hello @defensivedepth

I have a similar behavior, login failures in the VPN Remote Access check point, I would like to count and if it is greater than 5, generate an alert, as count() still does not work. Would you have a recommendation to be able to generate this type of alert based on an event counter?

Thank you!

1 reply

dougburks Oct 16, 2023
Maintainer

@guiausechi You're replying to an old discussion from 2021. Please start a new discussion rather than replying to old discussions. From #1720:

Start a new discussion instead of replying to somebody else's discussion
Please search to see if you can find similar discussions that may help you. However, in order to avoid confusion, please do NOT reply to somebody else's discussion with your own issue. Instead, please start a new discussion and in that new discussion you can provide a hyperlink to the related discussion.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Playbooks] Sigma and Aggregations #5162

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

[Playbooks] Sigma and Aggregations #5162

Uh oh!

Uh oh!

ckmk14 Aug 16, 2021

Replies: 2 comments · 2 replies

Uh oh!

defensivedepth Aug 17, 2021 Maintainer

Uh oh!

ckmk14 Aug 17, 2021 Author

Uh oh!

Uh oh!

stormdosertao Oct 10, 2023

Uh oh!

dougburks Oct 16, 2023 Maintainer

ckmk14
Aug 16, 2021

Replies: 2 comments 2 replies

defensivedepth
Aug 17, 2021
Maintainer

ckmk14 Aug 17, 2021
Author

stormdosertao
Oct 10, 2023

dougburks Oct 16, 2023
Maintainer