Solved

Feed configuration -Yara Rule

  • April 17, 2025
  • 2 replies
  • 47 views


Hello community, I want to ask if there is any possibility to develop a YARA rule that detects if any change has been made to feeds, for example if a user changes a feed secret key.
Thanks for help

Best answer by cmorris

2 replies

cmorris
Staff
  • Staff
  • April 17, 2025

This is a stats search I shared with a customer in the past to look for admin actions. I believe you could take this, focus it on feed actions, and then modify it for use in a rule. I can give that a shot later today as well.

metadata.log_type = "GCP_CLOUDAUDIT"
metadata.product_name = "Google Cloud Platform"
metadata.product_event_type = /chronicle/
principal.user.user_display_name = $user
principal.user.attribute.permissions.name = $perm
timestamp.get_timestamp(metadata.event_timestamp.seconds) = $date
match:
  $user, $date
outcome:
  $permUsed = array_distinct($perm)
order:
  $date desc


cmorris
Staff
  • Staff
  • Answer
  • April 17, 2025

You would focus principal.user.attribute.permissions.name on the below values.

So for a basic rule just focused on updating feeds, you might start with something like this and then update it to include additional info via an outcome section:

rule secops_feed_updated {
  meta:
    author = "gcs"
    description = "Detect updates to SecOps feeds"
    severity = "Low"

  events:
    // Cloud Audit log entries ingested into SecOps
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.product_name = "Google Cloud Platform"
    // IAM permission exercised by the caller: a feed update
    $e.principal.user.attribute.permissions.name = "chronicle.feeds.update"

  condition:
    $e
}
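As an added example, not from the thread or from Google, here is one way to take the rule above a step further with the outcome section the answer mentions: it groups feed-related admin actions per actor over an hour and records which permissions, feeds and source IPs were involved, so an analyst can see who touched a feed without opening each raw audit entry. It assumes the permission names chronicle.feeds.create and chronicle.feeds.delete exist alongside chronicle.feeds.update, and that the audit log parser maps the caller to principal.user.email_addresses and the affected feed to target.resource.name.

```yaral
rule secops_feed_config_changed {
  meta:
    author = "example"
    description = "Feed create/update/delete in SecOps, summarised per actor"
    severity = "Low"

  events:
    // Same Cloud Audit log source as the thread's rule
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.product_name = "Google Cloud Platform"

    // Bind the permission so it can be listed in the outcome section.
    // chronicle.feeds.update is from the thread; create/delete are assumed.
    $e.principal.user.attribute.permissions.name = $perm
    re.regex($perm, `^chronicle\.feeds\.(create|update|delete)$`)

    // Who performed the action (assumed mapping of the audit principalEmail)
    $e.principal.user.email_addresses = $actor

  match:
    // One detection per actor per hour, even if they changed several feeds
    $actor over 1h

  outcome:
    $permissions_used = array_distinct($perm)
    // Affected feed resources (assumed mapping of the audit resourceName)
    $feed_count = count_distinct($e.target.resource.name)
    $feeds = array_distinct($e.target.resource.name)
    $source_ips = array_distinct($e.principal.ip)
    $event_types = array_distinct($e.metadata.product_event_type)

  condition:
    $e
}
```

A feed secret rotation will appear as an update, so tuning usually means comparing $feeds and $source_ips against the service accounts or operators expected to manage feeds rather than raising severity on every hit.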