Feature: add optional field named CommandLine
concat of ARGV
#4
Comments
We'll consider implementing this and would certainly accept pull requests (as long as the feature has to be enabled using a config option). Just as a note: for filtering purposes, this can be done efficiently on the SIEM side, e.g. in Splunk:
Since we try to write rules that can be used by all users in the same way, and the full command line is the single most important field for which we have been developing rules since day 1, a concatenated command line field would be very helpful.
I agree with @Neo23x0 that most other SIEMs (mine too) lack functionality to combine fields at search time. For example, even in ELK you can achieve this by scripting, but that is not recommended as it causes a performance hit.
The main reason why LAUREL exists in the first place - because even with Splunk, decoding and combining (which requires for-each) on a dynamic list of a0, aX[] fields is not possible. However, one thing to keep in mind though: even with a joined array, for "plaintext" command lines,
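The SIEM-side decode-and-join step the comments above describe, written out as an added example (it is not LAUREL's code and does not reproduce LAUREL's output format). It takes raw auditd EXECVE records, reassembles a0..aN including hex-encoded values and chunked aX[i] pieces, and emits one shell-quoted command line; the sample records are constructed.

```python
import re
import shlex

# Constructed sample auditd EXECVE records (not taken from the issue). auditd writes
# plain arguments quoted; arguments with spaces or non-printable bytes are hex-encoded
# without quotes, and very long arguments are split into a2[0], a2[1], ... chunks.
SAMPLES = [
    'type=EXECVE msg=audit(1600000000.001:100): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1600000000.002:101): argc=3 a0="sh" a1="-c" '
    'a2[0]=6563686F2022 a2[1]=68656C6C6F2077 a2[2]=6F726C6422',
]

ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=(\S+)')
ARGC_RE = re.compile(r'\bargc=(\d+)')


def chunk_bytes(raw):
    """Raw bytes of one aX or aX[i] value: strip the quotes, or hex-decode."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].encode()
    return bytes.fromhex(raw)


def parse_argv(record):
    """Rebuild argv from a0..aN. Chunks of one argument are concatenated as bytes
    before UTF-8 decoding, so a multi-byte character split across two chunks survives."""
    chunks = {}
    for idx, part, raw in ARG_RE.findall(record):
        chunks.setdefault(int(idx), {})[int(part or 0)] = chunk_bytes(raw)
    argv = []
    for idx in sorted(chunks):
        parts = chunks[idx]
        argv.append(b''.join(parts[i] for i in sorted(parts)).decode('utf-8', 'replace'))
    return argv


def to_command_line(record):
    """Return (cmdline, argc_ok): the joined command line, shell-quoted so argument
    boundaries stay visible to a rule, and whether the argument count matches argc
    (a mismatch means a truncated or mangled record that should not be trusted)."""
    argv = parse_argv(record)
    m = ARGC_RE.search(record)
    argc_ok = m is not None and int(m.group(1)) == len(argv)
    return shlex.join(argv), argc_ok


if __name__ == '__main__':
    for rec in SAMPLES:
        print(to_command_line(rec))
```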
No functional changes. This is mostly a preparation for being able to customize behavior (see threathunters-io#4).
This is disabled by default. Close: threathunters-io#4
The default behavior to only produce EXECVE.ARGV is unchanged. Close: threathunters-io#4
Please add a field (optional) that provides a concatenated full command line
To
e.g.