Hi,

I would like to show the "outcome" variables from YARA-L rules on the UI (preferably the alert screen under Cases). Please suggest how this can be achieved.

Hi,

Maybe from the events you can do it via detection fields.

Sorry, could you please elaborate? I would like to show the outcome variables from YARA-L rules somewhere on the UI (maybe in the Alerts tab).

Hey,

you can do the following:

  1. Make sure that your detection rules have the "outcome" variables that you think are helpful for an analyst.
  2. Use easy naming based on the event source. For example, if you are using Sysmon for Windows logging, then use the "raw" field names, because those are known by most analysts: CommandLine instead of udm_target_process.
  3. Go to SOAR and create a View for the Alert like "Event Fields" or "Process Fields".
  4. Use a condition that only shows the view for a specific event type like "Process Creation".
  5. Build a summary as context for the analyst.

Examples (outcome section of the rule):

$ioc_details = array_distinct($gcti.graph.metadata.threat.category_details)
$ioc_vendor = array_distinct($gcti.graph.metadata.vendor_name)
$ioc_severity = array_distinct($gcti.graph.metadata.threat.severity_details)

$analyst_info = array_distinct(
strings.concat(
" The client with the following IP: ", strings.coalesce($network.principal.ip ,"-"), " | ",
" connected to a suspicious IP: ", strings.coalesce($network.target.ip,"-"), " | ",

SOAR - Alert Details with HTML widget

Some example lines:

<div class="infoItem"><strong>Log Type:</strong> [Event.event_metadata_logType]</div>
<div class="infoItem"><strong>Event Type:</strong> [Event.event_type]</div>
<div class="infoItem"><strong>Image:</strong> [Event.event_target_process_file_fullPath]</div>
<div class="infoItem"><strong>ParentImage:</strong> [Event.event_principal_process_file_fullPath]</div>

Set Conditions:

[Event.event_metadata_eventType] = PROCESS_LAUNCH

You can find more great examples in this blog article or here.

hope this helps

Regards,
George

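To show where the outcome fragments above sit in a complete rule, here is an added YARA-L 2.0 example (not from the thread or from Google); the GCTI join fields and the outcome names other than $ioc_details, $ioc_vendor and $ioc_severity are my assumptions:

```yaral
rule outbound_connection_to_gcti_ioc {
  meta:
    author = "example"
    description = "Allowed outbound connection to an IP listed in GCTI, with analyst-facing outcome variables"
    severity = "Medium"

  events:
    // Event side: an allowed outbound network connection.
    $network.metadata.event_type = "NETWORK_CONNECTION"
    $network.security_result.action = "ALLOW"
    $network.target.ip = $ip

    // Entity side: join the target IP against the GCTI entity graph
    // (assumed join fields, as used in Google's sample rules).
    $gcti.graph.entity.artifact.ip = $ip
    $gcti.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $gcti.graph.metadata.vendor_name = "Mandiant"

  match:
    // A match window is required: array_distinct is an aggregation,
    // and aggregations are only allowed in multi-event rules.
    $ip over 1h

  outcome:
    // Threat-intel context, named as in the thread.
    $ioc_details = array_distinct($gcti.graph.metadata.threat.category_details)
    $ioc_vendor = array_distinct($gcti.graph.metadata.vendor_name)
    $ioc_severity = array_distinct($gcti.graph.metadata.threat.severity_details)

    // Plain names an analyst recognises (step 2 of the advice).
    $principal_ip = array_distinct($network.principal.ip)
    $target_ip = array_distinct($network.target.ip)
    $command_line = array_distinct($network.principal.process.command_line)

    // One-line summary; strings.coalesce substitutes "-" for an empty field
    // so the text never renders as a dangling label in the SOAR widget.
    $analyst_info = array_distinct(
      strings.concat(
        "The client with IP ", strings.coalesce($network.principal.ip, "-"),
        " connected to a suspicious IP ", strings.coalesce($network.target.ip, "-")
      )
    )

  condition:
    $network and $gcti
}
```

Once the rule fires, the outcome values appear under the alert's events in SOAR and can be placed in the HTML widget with the same bracketed placeholder style shown above.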

Thanks @gsec, that was very useful. One last question:

I believe the lines below are the outcome variables from the rule:

$ioc_details
$ioc_vendor

How do you refer to them in the HTML code? In the example you shared above, those are event fields, right? How do I display the "outcome" fields (that are not on the event) in the HTML grid? Thanks


Hey,

Just use a development playbook with the action "comment" or "insight" and try to find out how you get the fields back based on the alert. Sometimes that can be tricky.

In general, due to the JSON format, it will look like [Event.metadata.vendor_name]. I would ingest a test case and then check the event fields before I continue to build the whole playbook.

In that case, enter "vendor_name" in the search mask and you should find a similar event field.


$principal_ip = array_distinct($network.principal.ip)
$target_ip = array_distinct($network.target.ip)

$principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
$principal_user_userid = array_distinct($network.principal.user.userid)
$target_user_userid = array_distinct($network.target.user.userid)

Check "OUTCOME" as the value under the Events tab.

This can be used in the widget and other views.


"How do I display the "outcome" fields (that are not on the event) in the HTML grid?"

Good question. I think there is no "100% right way". For me, I only show event fields that are required for this alert, nothing else, and that is based on conditions in the widget or in playbook steps. I learned a lot from investigating the similar events widget and aligning this to my playbooks.

Hope this helps

Regards,
George
