
Hello,

thanks to @cmmartin_google I came across the idea to import MISP data into Chronicle. For several reasons I was not able to do it the exact way he describes, but I've got it working with a CSV export and then the import via nxlog and a forwarder. That is all working fine. Now I was trying to adjust his rules, but this is the part I'm not able to get working. So here is the rule as I thought it should work:

 

rule misp_ioc_network_domain_dns_question {

  meta:

  events:
    // DNS lookups from UDM events: the queried name and the asset that asked
    $event.metadata.event_type = "NETWORK_DNS"
    $event.network.dns.questions.name = $domain
    $event.principal.asset.hostname = $hostname

    // MISP domain indicators from the entity graph, joined on $domain
    $misp.graph.metadata.vendor_name = "MISP"
    $misp.graph.metadata.entity_type = "DOMAIN_NAME"
    $misp.graph.entity.hostname = $domain

  match:
    $hostname over 1m

  condition:
    $event and $misp
}

 

 And this is the MISP Log:

And this is the log that should get detected

Any idea what I'm doing wrong here?
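As an added example (not code from the original post or from Chronicle), the following Python script replays the pipeline and the rule's join offline: it converts a constructed MISP CSV export into entity-graph style records with the same metadata.vendor_name / metadata.entity_type / entity.hostname fields the rule joins on, then correlates them against constructed NETWORK_DNS UDM events. The CSV column layout, the open-ended interval semantics (no end_time means "valid from start onward") and the event shape are assumptions for illustration.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed MISP CSV export. The column set follows MISP's default CSV
# export (uuid,event_id,category,type,value,comment,to_ids,date); treat that
# as an assumption and adjust to whatever your MISP instance emits.
MISP_CSV = """\
uuid,event_id,category,type,value,comment,to_ids,date
5b2c0a3e-0000-4000-8000-000000000001,1001,Network activity,domain,malicious-c2.example,C2 for campaign X,1,2023-12-05
5b2c0a3e-0000-4000-8000-000000000002,1001,Network activity,ip-dst,198.51.100.7,,1,2023-12-05
5b2c0a3e-0000-4000-8000-000000000003,1002,Network activity,domain,lookalike.example,not for IDS,0,2023-12-06
"""


def normalize_domain(name):
    """Lower-case and strip a trailing dot so a DNS question name such as
    "FOO.EXAMPLE." compares equal to the MISP attribute value "foo.example"."""
    return name.strip().lower().rstrip(".")


def misp_csv_to_entities(text):
    """Turn MISP 'domain' attributes flagged to_ids=1 into entity-graph style
    records whose field names mirror the UDM entity fields the rule joins on."""
    entities = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] != "domain" or row["to_ids"] != "1":
            continue
        start = datetime.strptime(row["date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        entities.append({
            "metadata": {
                "vendor_name": "MISP",
                "product_name": "MISP",
                "entity_type": "DOMAIN_NAME",
                # Assumption: omitting end_time makes the indicator open-ended.
                "interval": {"start_time": start.isoformat()},
                "threat": {"summary": row["comment"] or "MISP event %s" % row["event_id"]},
            },
            "entity": {"hostname": normalize_domain(row["value"])},
        })
    return entities


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_interval(event_ts, interval):
    """True when the event time falls inside the indicator's validity window."""
    start = parse_ts(interval["start_time"])
    end = interval.get("end_time")
    return event_ts >= start and (end is None or event_ts <= parse_ts(end))


def correlate(events, entities):
    """Replay the rule's join: NETWORK_DNS question name == MISP DOMAIN_NAME
    entity hostname, with the event timestamp inside the indicator interval.
    Returns sorted (asset hostname, domain, event timestamp) tuples."""
    iocs = {}
    for ent in entities:
        md = ent["metadata"]
        if md.get("vendor_name") == "MISP" and md.get("entity_type") == "DOMAIN_NAME":
            iocs[normalize_domain(ent["entity"]["hostname"])] = md["interval"]
    hits = set()
    for ev in events:
        if ev["metadata"]["event_type"] != "NETWORK_DNS":
            continue
        ts = parse_ts(ev["metadata"]["event_timestamp"])
        asset = ev["principal"]["asset"]["hostname"]
        for q in ev.get("network", {}).get("dns", {}).get("questions", []):
            dom = normalize_domain(q["name"])
            if dom in iocs and in_interval(ts, iocs[dom]):
                hits.add((asset, dom, ev["metadata"]["event_timestamp"]))
    return sorted(hits)


def dns_event(asset, qname, ts):
    """Minimal constructed UDM NETWORK_DNS event."""
    return {"metadata": {"event_type": "NETWORK_DNS", "event_timestamp": ts},
            "principal": {"asset": {"hostname": asset}},
            "network": {"dns": {"questions": [{"name": qname}]}}}


# Constructed events: two true hits (one with absolute, upper-case name), one
# query for a non-IDS indicator, one query before the indicator's start, one benign.
SAMPLE_EVENTS = [
    dns_event("ws-01", "malicious-c2.example", "2024-01-10T09:15:00Z"),
    dns_event("ws-02", "MALICIOUS-C2.EXAMPLE.", "2024-01-10T09:16:30Z"),
    dns_event("ws-03", "lookalike.example", "2024-01-10T09:17:00Z"),
    dns_event("ws-01", "malicious-c2.example", "2023-11-01T08:00:00Z"),
    dns_event("ws-04", "www.example.org", "2024-01-10T09:18:00Z"),
]

if __name__ == "__main__":
    ents = misp_csv_to_entities(MISP_CSV)
    for e in ents:
        print(json.dumps(e))
    for hit in correlate(SAMPLE_EVENTS, ents):
        print("HIT", hit)
```

The name normalization and the interval check are the two places an offline replay most often disagrees with the platform: a DNS question name logged with a trailing dot or mixed case will not equal the MISP value byte-for-byte, and a query that predates the indicator's start_time is correctly not a hit.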

If you are importing your domains into UDM events from MISP, I'm wondering if there is a time issue you are running into, that is, you are grouping over a 1 minute window. Maybe widen that and see if that helps in this example.


If you are loading data into the entity graph, then the rule syntax could look a bit different. Here is an example rule for MISP data loaded into the entity graph https://github.com/chronicle/detection-rules/blob/main/community/threat_intel/ioc_domain_C2.yaral and a blog that talks through that scenario.


I'm pretty sure that the data got loaded into the entity graph, since there are fields that are missing in the UDM events, like metadata.threat.summary. And at the top it says "Entity Information" and "COPY ENTITY". But how can I determine that it got loaded into the graph?

I've also found your blog post. But it is not working as it should. I've tested the rule you posted on the blog and in GitHub. I left everything as it was, just changed the metadata.threat.summary so it fits. Still no detections.

Any suggestion?


Looking at a few additional fields, it sure does seem like the MISP data is in the entity graph. The interval time range for the indicator is Dec 2023 to infinity, so that should cover it. I would mention that I noticed that the MISP domain was ingested about three hours ago... There could be a bit of convergence lag on the indicator being in the entity graph to correlate with the event. If you are willing, can we give it a few more hours and see if it gets found a bit later this afternoon?


 


Sure. I'm still in a testing phase here, so there is no rush. I will run the rule later again.


That was it. Both rules, yours and the one I've posted, work perfectly fine. I just had to wait.


Awesome, glad to hear it... we are putting additional effort into shortening these timeframes, but good to see it is working!



