Hi,
I am trying to build a rule in which I am able to check if my firewall logs encounter a malicious IP. How I determine whether an IP is malicious is through another log source (which is a TI feed) that is being ingested and contains malicious IPs as events. I then try to match the two events and see if there are any matches.
Due to the rule-building restriction that we can only look back up to 2 days in the match section, I want to leverage data tables, where the TTL is up to 90 days.
For this, I built 2 rules, one of which inputs malicious IP values into my data table; this is based on the log source which is providing me the malicious IPs. Now, here comes the issue. When I made this rule and kept the rule frequency at 10 min, it puts the values in the first time without any issues.
The issue comes at the second iteration: I don't see the data table being updated at all after the first iteration. Can it be possible that this is due to the fact that the number of detections has crossed 10,000? Because when I test the rule manually, I can see the latest detections there.
Any help is appreciated.
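The two-step design described in this post (a TI feed kept in a long-lived table, firewall events matched against it) can be reasoned about offline without any SIEM. The following Python is an added example, not the poster's rule and not Chronicle/YARA-L syntax: it simulates the 90-day data table as a dictionary with TTL expiry, simulates the 2-day match-window rule for contrast, and runs both over constructed TI feed and firewall events (all IPs are documentation-range values, not real indicators). It shows why an indicator first seen 40 days ago is only caught by the table approach, and that the table writer keeps one row per IP (refreshed on each sighting) rather than one row per detection.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=UTC)  # constructed "current time"
TABLE_TTL = timedelta(days=90)    # the data table TTL the poster wants to rely on
MATCH_WINDOW = timedelta(days=2)  # maximum look-back of a plain match section

# Constructed TI feed events: (ingest time, indicator IP). Not real indicators.
TI_FEED = [
    (NOW - timedelta(days=40), "203.0.113.7"),     # old sighting, outside a 2-day window
    (NOW - timedelta(days=1), "198.51.100.23"),    # fresh sighting
    (NOW - timedelta(days=120), "192.0.2.99"),     # already older than the 90-day TTL
    (NOW - timedelta(days=3), "198.51.100.23"),    # duplicate sighting of the same IP
]

# Constructed firewall events: (time, source IP, destination IP, action)
FIREWALL_LOGS = [
    (NOW - timedelta(hours=3), "10.0.0.5", "203.0.113.7", "ALLOW"),
    (NOW - timedelta(hours=2), "10.0.0.6", "198.51.100.23", "DENY"),
    (NOW - timedelta(hours=1), "10.0.0.7", "192.0.2.99", "ALLOW"),
    (NOW - timedelta(minutes=5), "10.0.0.8", "203.0.113.200", "ALLOW"),
]


def build_indicator_table(feed, now=NOW, ttl=TABLE_TTL):
    """Simulate the table-writing rule: one row per IP, keyed on the IP.

    Sightings older than the TTL are dropped, and a repeated sighting refreshes
    the row's timestamp instead of adding a second row, so the table size is
    bounded by the number of distinct indicators, not the number of detections.
    """
    table = {}
    for seen_at, ip in feed:
        if now - seen_at > ttl:
            continue
        if ip not in table or seen_at > table[ip]:
            table[ip] = seen_at
    return table


def match_against_table(logs, table):
    """Simulate the detection rule: flag a firewall event if either endpoint is in the table."""
    return [
        (ts, src, dst, action)
        for ts, src, dst, action in logs
        if src in table or dst in table
    ]


def match_with_window(logs, feed, window=MATCH_WINDOW):
    """Simulate a plain two-event rule: the TI event must fall within `window` of the firewall event."""
    hits = []
    for ts, src, dst, action in logs:
        for seen_at, ip in feed:
            if ip in (src, dst) and abs(ts - seen_at) <= window:
                hits.append((ts, src, dst, action))
                break
    return hits


if __name__ == "__main__":
    table = build_indicator_table(TI_FEED)
    print("indicator table rows:", sorted(table))
    for label, hits in (
        ("data table (90-day TTL)", match_against_table(FIREWALL_LOGS, table)),
        ("plain match (2-day window)", match_with_window(FIREWALL_LOGS, TI_FEED)),
    ):
        print(label, "->", [dst for _, _, dst, _ in hits])
```

Run as a script, the table approach flags both 203.0.113.7 and 198.51.100.23, while the 2-day window only flags 198.51.100.23; the 120-day-old indicator is flagged by neither because it has expired. The keyed-dictionary writer is the part worth mirroring in the real table rule: if each detection appends a row instead of refreshing an existing key, the table grows with every run and is far more likely to hit a platform limit.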
Hi @ashutoshrpareek, this sounds like an ideal use case for Composite Detections: https://cloud.google.com/chronicle/docs/detection/composite-rules - this is a feature in public preview that you may be able to add to your tenant. This should give you up to 14 days instead of 2 to go back in time. Please contact your usual account team/partner if that's a path you want to go down.
If you prefer to keep your approach, please paste your rule logic here, if you can. Obviously, redact anything you need to. It does sound a lot like you are hitting one of the detection limits detailed here: https://cloud.google.com/chronicle/docs/detection/detection-limits