Hello community , i want to ask if there is any possibility to develop a yara rule that detect if any change have been made on FEEDs , for example if a user changes a feed secret key.
Thanks for help
Page 1 / 1
This is a stats search I shared with a customer in the past to look for admin actions. I believe you could take this, focus it on feed actions, and then modify it for use in a rule. I can give that a shot later today as well.
metadata.log_type = "GCP_CLOUDAUDIT"
metadata.product_name = "Google Cloud Platform"
metadata.product_event_type = /chronicle/
principal.user.user_display_name = $user
principal.user.attribute.permissions.name = $perm
timestamp.get_timestamp(metadata.event_timestamp.seconds) = $date
match:
$user, $date
outcome:
$permUsed = array_distinct($perm)
order:
$date desc
You would focus principal.user.attribute.permissions.name on the below values.
So for a basic rule just focused on updating feeds, you might start with something like this and then update it to include additional info via an outcome section:
rule secops_feed_updated {
meta:
author = "gcs"
description = "Detect updates to SecOps feeds"
severity = "Low"
events:
$e.metadata.log_type = "GCP_CLOUDAUDIT"
$e.metadata.product_name = "Google Cloud Platform"
$e.principal.user.attribute.permissions.name = "chronicle.feeds.update"
condition:
$e
}
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.