Hi Community,
I came across a use case where a Chronicle detection rule uses a reference list to check if a certain value (like a source and destination IP pair) already exists. If it does, the rule suppresses the alert; if not, it triggers an alert and then adds that value to the reference list to avoid duplicate alerts for a certain duration.
I’d also like to understand the best way to implement it. Do I need to create a playbook for this?
Below is the use case I’m referring to:
rule vpc_blacklisted_inbound_traffic {   // rule header was missing from the paste; the name is assumed

  events:
    $e.metadata.vendor_name = "AMAZON"
    $e.metadata.product_name = "AWS VPC Flow"
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.security_result.action != "BLOCK"
    $e.principal.ip = $sourceip
    not $e.principal.ip in cidr %internal_ips
    $e.target.ip = $targetip
    not $e.target.ip in %nat_ips
    // Suppression key "prefix,sourceip,targetip" is tested against the regex reference list;
    // each list entry is a pattern, so entries should be escaped and anchored by the playbook.
    not strings.concat("vpc_blacklisted_inbound_traffic", ",", $sourceip, ",", $targetip) in regex %suppress_list
    $gcti.graph.entity.artifact.ip = $sourceip
    (
      $gcti.graph.metadata.threat.confidence = "LOW_CONFIDENCE" or
      $gcti.graph.metadata.threat.confidence = "MEDIUM_CONFIDENCE" or
      $gcti.graph.metadata.threat.confidence = "HIGH_CONFIDENCE"
    )

  match:
    $sourceip, $targetip over 5m

  outcome:
    $risk_score = max(
      if($gcti.graph.metadata.threat.confidence = "LOW_CONFIDENCE", 20) +
      if($gcti.graph.metadata.threat.confidence = "MEDIUM_CONFIDENCE", 50) +
      if($gcti.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70)
    )
    $threat_confidence = array_distinct($gcti.graph.metadata.threat.confidence)   // was misspelled $treat_confidence
    $principal_ip = array_distinct($e.principal.ip)
    $target_ip = array_distinct($e.target.ip)
    // Value for the playbook to write into %suppress_list. It has to be built from the matched
    // IPs ($sourceip / $targetip), not the literal strings "principal.ip" / "target.ip", or every
    // detection emits the same constant. The ",24h" suffix is only a TTL hint for the playbook:
    // the events-section check above does not include it, so strip it before writing the entry.
    $suppress_list = strings.concat("vpc_blacklisted_inbound_traffic", ",", $sourceip, ",", $targetip, ",", "24h")

  condition:
    $e and $gcti
}
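The suppress-then-add flow the rule depends on (check the key against the regex list, alert when absent, have a playbook append the key with a 24h lifetime) can be modelled offline to see where it breaks. The following is an added example, not code from the original post or from Google SecOps: a Python model in which the reference lists, the GCTI verdicts and the VPC Flow events are constructed sample data, and in which entry expiry is tracked beside the list because a reference list entry itself is just a string with no TTL (an assumption about what the playbook must do).

```python
# Added example, not code from the original post or from Google SecOps: a Python model of the
# suppress-then-add flow the rule relies on. List contents, threat-intel mappings and events are
# constructed sample data; per-entry expiry is tracked here because the list has no TTL itself.
import ipaddress
import re
from datetime import datetime, timedelta

PREFIX = "vpc_blacklisted_inbound_traffic"
SUPPRESS_TTL = timedelta(hours=24)          # the "24h" the rule emits in its outcome
RISK = {"LOW_CONFIDENCE": 20, "MEDIUM_CONFIDENCE": 50, "HIGH_CONFIDENCE": 70}

# Constructed stand-ins for %internal_ips (CIDR list), %nat_ips (string list) and the GCTI graph
INTERNAL_IPS = [ipaddress.ip_network("10.0.0.0/8")]
NAT_IPS = {"203.0.113.10"}
THREAT_INTEL = {"198.51.100.7": "HIGH_CONFIDENCE", "192.0.2.44": "LOW_CONFIDENCE"}


def suppression_key(source_ip, target_ip):
    """The string the rule's events section tests against %suppress_list."""
    return f"{PREFIX},{source_ip},{target_ip}"


def suppress_entry(source_ip, target_ip):
    """What the playbook should write into the regex list: the key, escaped and anchored.
    Unescaped dots and a missing anchor would let '5.6.7.8' also suppress '5.6.7.80'."""
    return "^" + re.escape(suppression_key(source_ip, target_ip)) + "$"


def entry_matches(entry, key):
    """Regex-list semantics ('in regex'): the list entry is the pattern, the key is the subject."""
    return re.search(entry, key) is not None


def is_suppressed(key, suppress_list, now):
    # suppress_list maps entry pattern -> expiry datetime (assumed playbook bookkeeping)
    return any(exp > now and entry_matches(entry, key) for entry, exp in suppress_list.items())


def purge_expired(suppress_list, now):
    for entry in [e for e, exp in suppress_list.items() if exp <= now]:
        del suppress_list[entry]


def candidate(ev):
    """Mirror the events-section filters; return the threat confidence or None if filtered out."""
    if ev["action"] == "BLOCK":
        return None
    if any(ipaddress.ip_address(ev["principal_ip"]) in net for net in INTERNAL_IPS):
        return None
    if ev["target_ip"] in NAT_IPS:
        return None
    return THREAT_INTEL.get(ev["principal_ip"])  # None when GCTI has no verdict for the IP


def evaluate(events, suppress_list, now):
    """One match window: returns {(source, target): risk_score} for pairs that alert and
    appends a suppression entry for each of them, as the follow-up playbook would."""
    purge_expired(suppress_list, now)
    alerts = {}
    for ev in events:
        conf = candidate(ev)
        if conf is None:
            continue
        pair = (ev["principal_ip"], ev["target_ip"])
        if is_suppressed(suppression_key(*pair), suppress_list, now):
            continue
        alerts[pair] = max(alerts.get(pair, 0), RISK[conf])  # max() over the window
    for pair in alerts:
        suppress_list[suppress_entry(*pair)] = now + SUPPRESS_TTL
    return alerts


# Constructed VPC Flow events for one 5-minute window
EVENTS = [
    {"principal_ip": "198.51.100.7", "target_ip": "203.0.113.20", "action": "ALLOW"},
    {"principal_ip": "198.51.100.7", "target_ip": "203.0.113.20", "action": "ALLOW"},  # same pair
    {"principal_ip": "192.0.2.44", "target_ip": "203.0.113.10", "action": "ALLOW"},    # NAT target
    {"principal_ip": "10.0.0.5", "target_ip": "203.0.113.20", "action": "ALLOW"},      # internal src
    {"principal_ip": "192.0.2.44", "target_ip": "203.0.113.21", "action": "BLOCK"},    # blocked
    {"principal_ip": "192.0.2.44", "target_ip": "203.0.113.21", "action": "ALLOW"},
    {"principal_ip": "203.0.113.99", "target_ip": "203.0.113.20", "action": "ALLOW"},  # no intel
]


def run_demo():
    """Same window replayed at t0, one minute later, and after the 24h TTL has lapsed."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    suppress_list = {}
    first = evaluate(EVENTS, suppress_list, t0)
    repeat = evaluate(EVENTS, suppress_list, t0 + timedelta(minutes=1))
    after_ttl = evaluate(EVENTS, suppress_list, t0 + timedelta(hours=25))
    return first, repeat, after_ttl


if __name__ == "__main__":
    for label, alerts in zip(("first", "repeat", "after_ttl"), run_demo()):
        print(label, alerts)
```

Two things the model makes visible: the entry the playbook writes must be the same string the events section builds (so the trailing ",24h" from the outcome cannot be written verbatim into a regex list and still match), and because the list is matched as regexes, an unescaped, unanchored IP pair would suppress more pairs than intended. Expiry is the playbook's job; the rule only emits the value and the intended lifetime.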
