
I would like to create a rule to detect data matching a data table, where principal.hostname = data_table.columnA and principal.ip = data_table.columnB in the same row as columnA. How can I do it?

Here is an example using IP and port rather than hostname and IP, but the general concept is the same.


Data tables provide both column matching and row matching. Column matching uses IN (like a reference table), but it only cares whether the value is in the list, not whether there is a row with other data that also needs to exist.


Row matching uses equality (and inequality signs). There must always be one equality with a row to create that first join, but after that you could also use <, >, != and so forth.


So to do what you want to do, you would have something like:


$net.principal.hostname = %datatablename.data_table_hostname_column
$net.principal.ip = %datatablename.data_table_ip_column

Here is a broader example that I've built using IP and port in the same manner.

rule network_dt_row_matching {
  meta:
    author = "Google Cloud Security"
    description = "Detects network connection events matching a listing of IP and Port combinations"
    severity = "Low"
    priority = "Low"
    type = "Detection"
    data_source = "Zeek"
  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.metadata.vendor_name = "Zeek"
    // Row match: this first equality joins the event to a row of the ip_port data table.
    $net.target.ip = %ip_port.ip
    // target.port is an integer; it is cast to a string so it can be compared
    // with the port column of the same joined row.
    strings.concat($net.target.port, "") = %ip_port.port
    $net.principal.ip = $principal_ip
  match:
    $principal_ip over 5m
  condition:
    $net
}
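As an added illustration (my own Python model, not code from the original post and not how the SecOps engine is implemented), here is the column-versus-row distinction described above run over a constructed data table; the hostnames and IPs are made up.

```python
"""Added example, not from the original post: a small Python model of the
column-vs-row matching distinction, run over a constructed data table and
constructed events (hostnames and IPs are made up)."""
import operator

# Constructed data table: each row pairs an expected hostname with its IP.
DATA_TABLE = [
    {"hostname": "ws-01.corp.example", "ip": "10.0.0.5"},
    {"hostname": "ws-02.corp.example", "ip": "10.0.0.6"},
]

# Operators allowed after the first equality join (the "< > != and so forth").
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}


def column_match(event, table, fields):
    """IN-style column matching: each event field only has to appear
    somewhere in its column; the rows the values came from may differ."""
    return all(event[f] in {row[c] for row in table} for f, c in fields)


def row_match(event, table, conditions):
    """Row matching: conditions is a list of (event_field, op, column).
    The first condition must be an equality, which joins the event to a
    candidate row; every later condition is evaluated against that same row."""
    if conditions[0][1] != "=":
        raise ValueError("first row-matching condition must be an equality join")
    return any(
        all(OPS[op](event[f], row[c]) for f, op, c in conditions)
        for row in table
    )


def compare(event):
    """Return (column_result, row_result) for a hostname+IP event."""
    fields = [("hostname", "hostname"), ("ip", "ip")]
    conds = [("hostname", "=", "hostname"), ("ip", "=", "ip")]
    return column_match(event, DATA_TABLE, fields), row_match(event, DATA_TABLE, conds)


if __name__ == "__main__":
    # Constructed events: a same-row pair, a cross-row pair, and an unknown host.
    for ev in [
        {"hostname": "ws-01.corp.example", "ip": "10.0.0.5"},
        {"hostname": "ws-01.corp.example", "ip": "10.0.0.6"},
        {"hostname": "ws-03.corp.example", "ip": "10.0.0.5"},
    ]:
        print(ev, "column:", compare(ev)[0], "row:", compare(ev)[1])
```

The second event is the case the original question is about: the hostname is in the hostname column and the IP is in the IP column, so column matching fires, but they come from different rows, so row matching does not.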

