Hello,
I struggle with the outcome section for a rule I'm working on at the moment. I looked in the documentation and on this forum but I could not find any solution.
The rule looks for a potential successful brute force. So I defined two event variables: one for failure events, one for success events. Events are aggregated over username and source_ip in the match section. In the outcome section, I would like to be able to summarize all distinct user agents seen in the failure events but also in the success events in the same outcome variable.
Here is the essential config of my rule:
rule successful_bruteforce {
  meta:
    name = "Successful Bruteforce"

  events:
    $fail.metadata.log_type = "AWS_CLOUDTRAIL"
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.metadata.product_event_type = "ConsoleLogin"
    $fail.security_result.action = "BLOCK"
    $fail.target.user.user_display_name = $user
    $fail.principal.ip = $src_ip

    $success.metadata.log_type = "AWS_CLOUDTRAIL"
    $success.metadata.event_type = "USER_LOGIN"
    $success.metadata.product_event_type = "ConsoleLogin"
    $success.security_result.action = "ALLOW"
    $success.target.user.user_display_name = $user
    $success.principal.ip = $src_ip

  match:
    $user, $src_ip over 15m

  outcome:
    $source_ip = array_distinct($src_ip)
    $destination_user_name = array_distinct($user)
    // Here I can easily aggregate data for both event variables
    $event_count = count_distinct($fail.metadata.id) + count_distinct($success.metadata.id)
    // /!\ Invalid YARA-L syntax, but this is what I would like to achieve
    $user_agent = array_distinct($fail.network.http.user_agent, $success.network.http.user_agent)

  condition:
    #fail > 4 and $success
}
Is this currently a YARA-L limitation or am I doing something wrong?
Thanks in advance for the help!
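As an added illustration (not part of the original post, and not YARA-L), the following Python models what the rule above is meant to compute: group ConsoleLogin events by (user, src_ip), require more than four BLOCK events before an ALLOW within 15 minutes, and produce one merged list of distinct user agents drawn from both the failure and the success events. The events and field names are constructed for the example and mirror the UDM fields the rule reads.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped after the UDM fields the rule reads
# (target.user.user_display_name, principal.ip, security_result.action,
# network.http.user_agent); minutes are offsets from an arbitrary start.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [
    {"id": f"evt-{i}", "ts": T0 + timedelta(minutes=m), "user": u,
     "src_ip": ip, "action": a, "ua": ua}
    for i, (m, u, ip, a, ua) in enumerate([
        (0, "alice", "203.0.113.7", "BLOCK", "python-requests/2.31"),
        (1, "alice", "203.0.113.7", "BLOCK", "python-requests/2.31"),
        (2, "alice", "203.0.113.7", "BLOCK", "curl/8.4.0"),
        (3, "alice", "203.0.113.7", "BLOCK", "curl/8.4.0"),
        (4, "alice", "203.0.113.7", "BLOCK", "curl/8.4.0"),
        (6, "alice", "203.0.113.7", "ALLOW", "Mozilla/5.0 (X11; Linux x86_64)"),
        # bob: three failures then a success, below the #fail > 4 threshold
        (0, "bob", "198.51.100.9", "BLOCK", "curl/8.4.0"),
        (1, "bob", "198.51.100.9", "BLOCK", "curl/8.4.0"),
        (2, "bob", "198.51.100.9", "BLOCK", "curl/8.4.0"),
        (3, "bob", "198.51.100.9", "ALLOW", "curl/8.4.0"),
        # carol: five failures, but the success falls outside the 15m window
        *[(m, "carol", "192.0.2.33", "BLOCK", "curl/8.4.0") for m in range(5)],
        (40, "carol", "192.0.2.33", "ALLOW", "Mozilla/5.0"),
    ])
]

def detect_successful_bruteforce(events, min_failures=4,
                                 window=timedelta(minutes=15)):
    """Emulate the rule: group by (user, src_ip), and for every ALLOW event
    look back `window`; fire when more than `min_failures` BLOCK events precede
    it. The outcome merges distinct user agents from BOTH the failure and the
    success events, which is what the single $user_agent outcome should hold."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src_ip"])].append(e)
    detections = {}
    for key, group in by_key.items():
        for success in (e for e in group if e["action"] == "ALLOW"):
            fails = [e for e in group if e["action"] == "BLOCK"
                     and success["ts"] - window <= e["ts"] <= success["ts"]]
            if len(fails) <= min_failures:          # condition: #fail > 4 and $success
                continue
            d = detections.setdefault(key, {"ids": set(), "user_agent": set()})
            d["ids"].update(e["id"] for e in fails + [success])   # count_distinct(metadata.id)
            d["user_agent"].update(e["ua"] for e in fails + [success])  # array_distinct over both
    return {k: {"event_count": len(v["ids"]), "user_agent": sorted(v["user_agent"])}
            for k, v in detections.items()}
```

Only alice's group fires: bob stays under the failure threshold and carol's success lies outside the window, so neither contributes user agents to an outcome.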