Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only enable rule files that are applicable to the loaded evtx files #1317

Closed
hitenkoku opened this issue Mar 17, 2024 · 0 comments · Fixed by #1334
Closed

Only enable rule files that are applicable to the loaded evtx files #1317

hitenkoku opened this issue Mar 17, 2024 · 0 comments · Fixed by #1334
Assignees
@fukusuket
Labels
enhancement New feature or request
Milestone
v2.16.0

Comments

@hitenkoku
Copy link
Collaborator

hitenkoku commented Mar 17, 2024
edited by YamatoSecurity
Loading

Scanning can be even more efficient by only enabling only rules that apply to the loaded .evtx files.
For example, if the scan is done against a single Security.evtx file then even if all rules are loaded, in the background, we should only enable rules with Channel: Security defined. Normally only a single .evtx file should only contain data of the same Channel, so we can check what Channels to scan by checking the first record of the .evtx file.

If users want to enable all rules to be applied to .evtx regardless of the defined Channel, then they can use the --enable-all-rules option.

This issue applies to csv-timeline and json-timeline commands
@hitenkoku hitenkoku added the enhancement New feature or request label Mar 17, 2024
@hitenkoku hitenkoku added this to the v3.0 milestone Mar 17, 2024
@hitenkoku hitenkoku mentioned this issue Mar 17, 2024
Closed
@YamatoSecurity YamatoSecurity modified the milestones: v3.0, v2.15.0 Mar 17, 2024
@YamatoSecurity YamatoSecurity modified the milestones: v2.15.0, v2.16.0 Apr 20, 2024
@YamatoSecurity YamatoSecurity changed the title Only load rule file which channel in evtx file is matched Only enable rule files that are applicable to the loaded evtx files Apr 27, 2024
This was referenced Apr 28, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fukusuket fukusuket

Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.16.0
Development

Successfully merging a pull request may close this issue.

feat: exclude rules/evtx when target Channel does not exists in files Yamato-Security/hayabusa
3 participants
@hitenkoku @fukusuket @YamatoSecurity