
Hi Team, how do I write a YARA-L rule to detect this?

* Unusual IP - This IP address has not, or has only rarely, been seen in the last 30 days.
* Unusual Geo - The IP address, city, country and ASN have not (or have only rarely) been seen in the last 30 days.
* New user & New Device - A new user logs in from an IP address, geolocation and device which are not expected to have been seen in the last 30 days.


You can use enriched data in the rules. Documentation with some examples on both prevalence- and geolocation-enriched fields is here: https://cloud.google.com/chronicle/docs/detection/use-enriched-data-in-rules.

Additionally, the community rules from this page should help: https://github.com/chronicle/detection-rules/tree/main/rules/community/threat_intel. For example, the ip_target_prevalence rule will look for events showing communications to an IP with low prevalence.
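A reference model of the 30-day baseline logic behind the three bullets in the question, added here as an example that is not from this thread or the Chronicle docs; in Chronicle the IP side of this is what the prevalence-enriched fields supply natively, so this only makes the thresholds concrete. The "rarely seen" threshold (fewer than 2 distinct days), the key choices and the sample logins are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # look-back window from the question
RARE_DAYS = 2  # seen on fewer distinct days than this => "rarely seen" (assumed threshold)

class BaselineDetector:
    """Rolling 30-day baseline: distinct days on which each key (IP, geo tuple, user, device) was seen."""
    def __init__(self, window=WINDOW, rare_days=RARE_DAYS):
        self.window, self.rare_days = window, rare_days
        self.seen = defaultdict(deque)  # key -> deque of day-truncated datetimes, oldest first
    def _days_seen(self, key, now):
        days, cutoff = self.seen[key], now - self.window
        while days and days[0] < cutoff:  # expire observations that fell out of the window
            days.popleft()
        return len(days)
    def evaluate(self, ev):
        """Return findings for one login event, then fold the event into the baseline."""
        now = ev["ts"]
        keys = {"ip": ("ip", ev["ip"]),
                "geo": ("geo", ev["city"], ev["country"], ev["asn"]),
                "user": ("user", ev["user"]),
                "device": ("device", ev["device"])}
        counts = {name: self._days_seen(k, now) for name, k in keys.items()}
        findings = []
        if counts["ip"] < self.rare_days:
            findings.append("unusual_ip")
        if counts["geo"] < self.rare_days:
            findings.append("unusual_geo")
        if counts["user"] == 0 and counts["device"] == 0:  # never-seen user on a never-seen device
            findings.append("new_user_new_device")
        day = now.replace(hour=0, minute=0, second=0, microsecond=0)
        for k in keys.values():  # record at most one observation per key per day
            if not self.seen[k] or self.seen[k][-1] != day:
                self.seen[k].append(day)
        return findings

# Constructed sample logins: 40 routine days, then a trip abroad and a brand-new user.
_T0 = datetime(2024, 1, 1, 9, 0)
_OFFICE = dict(ip="203.0.113.10", city="Dublin", country="IE", asn="AS64500")
_TRAVEL = dict(ip="198.51.100.7", city="Lagos", country="NG", asn="AS64501")
SAMPLE_LOGINS = [dict(ts=_T0 + timedelta(days=i), user="alice", device="laptop-a", **_OFFICE) for i in range(40)]
SAMPLE_LOGINS += [dict(ts=_T0 + timedelta(days=40), user="alice", device="laptop-a", **_TRAVEL),
                  dict(ts=_T0 + timedelta(days=40, minutes=5), user="bob", device="laptop-b", **_OFFICE),
                  dict(ts=_T0 + timedelta(days=41), user="alice", device="laptop-a", **_TRAVEL),
                  dict(ts=_T0 + timedelta(days=42), user="alice", device="laptop-a", **_TRAVEL)]

def run_demo(events=SAMPLE_LOGINS):
    """Replay the sample stream; returns one (user, day, findings) tuple per event."""
    det = BaselineDetector()
    return [(ev["user"], ev["ts"].date().isoformat(), det.evaluate(ev)) for ev in events]
```

Note the cold-start behaviour: with an empty baseline the very first login fires all three findings, so any such rule needs a warm-up period (or seeded history) before its alerts mean anything.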


You may also have enrichment from within your log source, e.g. a SAML / SSO solution will often have "threat" / contextual added info like a new IP.

Of course, check out cmorris' suggestion above about using the threat graph.


Keep in mind that location info is derived from the IP address, and not in a very clean or consistent way either - often just based on information from ISPs and publicly available registration data.

