Skip to main content
Hi guys,

I am creating a yara rule to find the lateral movement of the users. But i am stuck at assigning risk score dynamically (according to the country from user logged in). could you guys please share any reference's (read through documentation i couldn't find it my bad) or examples if possible

Thanks

Example:
if country is "A" or "B" or "C" i want to assign risk score 80. for remaining country's i want to assign 20.

rule Lateral_Movement {

 

  meta:
    author = "IronMan"
    description = "Finding the lateral movement when trying to access the finance domain"
    severity = "Medium"

 

  events:
//    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    //$login.principal.ip_geo_artifact.ip = $ip
    $login.principal.user.user_display_name = $user
    $login.principal.location.country_or_region = $country

 

     $login.target.url  = "https://abc.com/"

 

  match:
    $user over 30m



  outcome:
 
    $country_array = array_distinct($login.principal.location.country_or_region)
    $risk_score =   arrays.contains($country_array, "A") // here i want to assign risk score dynamically
    $severity = array_distinct($login.security_result[0].severity)
    $Reason = array_distinct($login.security_result[0].summary)
    $is_enrolled_in_2sv = array_distinct($login.principal.user.attribute.labels[7].value)
    $is_enforced_in_2sv = array_distinct($login.principal.user.attribute.labels[8].value)
    $Ip_origin_country = array_distinct($login.principal.ip_geo_artifact[0].location.country_or_region)




  condition:
    #country > 1
}

Here's an example of a dynamic risk_score based on geo information, using some of the math you provided. Easy enough to tweak if required!


$risk_score = max(
// Baseline
20 +
// Unauthorized target geographies
if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 60) +
if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 60) +
if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 60) +
if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 60) +
if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 60)
)

 -mike

Mike's example above is a good one for risk score based on country. I did want to add a few more thoughts about geo ip as I've noticed there are a few different things going on in the rule as well as provide some broader resources around the original question on dynamic risk scores and finally throw a few more ideas into a sample rule below that might ease writing the rule.


This blog discussed the geo ip fields and how they can be used. https://chronicle.security/blog/posts/Using-Automated-GeoIP-Enrichment-in-Chronicle/ The one comment I want to make here is to be mindful of the fields within the <NOUN>.ip_geo_artifact section versus the <NOUN>.location section. The ip_geo_artifact section are enrichments that Google provides during the ingest and enrichment process. The geo_ip may not be as precise as the location section due to privacy concerns so we have not dialed in the geo_ip to the highest level of precision. Probably not a big deal in most cases but worth a mention. Also if your security solution feeding Chronicle has geo location built into it, we will populate the location section of the log with that information. So, if you have both data from the security control and from us, you can choose which one you want to use, that's really up to you.


Rule outcome examples including using risk score in outcome and arrays in condition https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Rule-Outcomes/ba-p/724854 


Video on risk score: https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-Outcomes-Risk-Score-Conditional-Logic/ta-p/714517


The additional ideas that I wanted to throw out there are based some of the things you asked as well as some of the concepts introduced above. I added comments into the sample rule below, but here are the key points.



  • strings.coalesce can be used to choose one field and then another (or another) if the first one doesn't have data in it. So, for example if the location isn't populated from the endpoint, the system would use geo_ip instead. One word of caution there is make sure you know the country outputs could be different in geo_ip v location. In my instance, I have United States in the ip_geo but the location for one of my log sources is US, so I put both into my reference list to cover my bases.

  • For the risk score, we can consolidate our countries of similar concern into a list and use the IN statement with a reference to assign scores using that method. 


 


rule Geo_IP_Login_Risk_Score_Example {
meta :
author = "Google Cloud Security"
description = "GeoIP Example with Coalesce function and Risk Score Reference Lists"
severity = "Medium"

events :
$login.metadata.event_type = "USER_LOGIN"
$login.principal.ip_geo_artifact.ip = $ip
$login.principal.user.user_display_name = $user
//strings.coalsce returns the first non-null field value to the placeholder variable
strings.coalesce($login.principal.location.country_or_region, $login.principal.ip_geo_artifact.location.country_or_region) = $country

match :
$user over 30m

outcome :
//use the placeholder variable from the events section to contain the countries from the events
$country_array = array_distinct ($country)
//risk score (and other outcome variables) can use refernce lists so group countries into reference lists to streamline risk scoring like this
$risk_score = max(if($country in %countries_high_risk, 60) + if($country in %countries_med_risk, 40))

condition:
$login
}

 


 

Thank you @mimi and @jstoner for giving me detailed explanation and guidance

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.