This site provides a good reference for items that have reached general
availability within Chronicle from a SIEM perspective.
https://cloud.google.com/chronicle/docs/release-notes
We continue to build and improve upon all of the items you mention and have
some of these in various preview stages that we look forward to getting to
general availability as well.
The YARA-L reference doc is also a good resource to have handy and is
updated as new capabilities are made available within the rules engine:
https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax
Thanks
-john
Other than VirusTotal, MISP and GCTI, were any other threat intel feeds integrated?
From a purely external data feed perspective, there are the VirusTotal Relationships, the GCTI Tor Exit Nodes and the GCTI Remote Access Tools. Additionally, there is enriched data including geolocation, Safe Browsing, WHOIS and VT enrichment.
From a derived perspective, prevalence and first/last seen are also available.
Guidance on using these data sets in rules can be found here: https://cloud.google.com/chronicle/docs/detection/use-enriched-data-in-rules
Could you please provide detailed documentation for the derived perspective, or a sample rule?
The two derived context examples we have are prevalence, which spans IPs, file hashes and domains, and first/last seen, which covers the same but also first-seen times for assets and users.
Here are some decent resources for prevalence:
How prevalence stats are generated: https://cloud.google.com/chronicle/docs/event-processing/data-enrichment#calculate_prevalence_statistics
New To Chronicle Prevalence blog: https://chronicle.security/blog/posts/new-to-chronicle-adding-prevalence-to-your-analysis/
Prevalence doc rule example: https://cloud.google.com/chronicle/docs/detection/use-enriched-data-in-rules#identify_low_prevalence_domain_access
Here are some decent resources for first/last seen:
How first/last seen times are calculated (and where they are stored): https://cloud.google.com/chronicle/docs/event-processing/data-enrichment#calculate_the_first-seen_and_last-seen_time_of_entities
New To Chronicle First Seen blog: https://chronicle.security/blog/posts/new-to-chronicle-first-and-last-seen/
First/Last Seen doc rule example: https://cloud.google.com/chronicle/docs/detection/use-enriched-data-in-rules#first-seen-rule
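To make the "derived perspective" concrete, here is an added toy model of the two derived context types discussed above (prevalence and first/last seen) and of the low-prevalence domain check the linked doc rule performs. This is illustration code written for this thread, not Chronicle's own implementation or a YARA-L rule: the event layout, the 10-day rolling window, the "distinct assets per day" counting and the threshold are assumptions chosen to mirror the concepts, and the sample events are constructed.

```python
"""Toy model of Chronicle-style derived context: per-domain prevalence
(distinct assets per day, rolling max over a window) and first/last-seen
times, plus a low-prevalence access check similar in spirit to the doc's
rule example. Added illustration, not Chronicle code; window length,
counting method and thresholds are assumptions for the demo."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample events: (ISO timestamp, asset hostname, domain accessed)
EVENTS = [
    ("2024-03-01T08:00:00", "host-a", "login.example.com"),
    ("2024-03-01T09:00:00", "host-b", "login.example.com"),
    ("2024-03-01T09:30:00", "host-c", "login.example.com"),
    ("2024-03-02T10:00:00", "host-a", "login.example.com"),
    ("2024-03-02T10:05:00", "host-b", "login.example.com"),
    ("2024-03-03T11:00:00", "host-d", "rare-cdn.example.net"),
    ("2024-03-04T12:00:00", "host-d", "rare-cdn.example.net"),
    ("2024-03-04T12:30:00", "host-a", "login.example.com"),
]


def _parse(events):
    """Turn the ISO timestamps into datetime objects."""
    return [(datetime.fromisoformat(ts), asset, domain) for ts, asset, domain in events]


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def daily_asset_counts(events):
    """domain -> {day: number of distinct assets that contacted it that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, asset, domain in _parse(events):
        seen[domain][ts.date()].add(asset)
    return {d: {day: len(assets) for day, assets in days.items()} for d, days in seen.items()}


def rolling_max(events, domain, as_of, window_days=10):
    """Highest daily distinct-asset count for `domain` in the window ending at `as_of`.

    A domain with a low rolling max has only ever been touched by a handful of
    assets recently, which is what a low-prevalence rule keys on."""
    as_of = _as_date(as_of)
    counts = daily_asset_counts(events).get(domain, {})
    start = as_of - timedelta(days=window_days - 1)
    in_window = [c for day, c in counts.items() if start <= day <= as_of]
    return max(in_window, default=0)


def first_last_seen(events, key="domain"):
    """entity -> (first_seen, last_seen); key='domain' or key='asset'."""
    idx = 2 if key == "domain" else 1
    result = {}
    for row in _parse(events):
        ts, entity = row[0], row[idx]
        first, last = result.get(entity, (ts, ts))
        result[entity] = (min(first, ts), max(last, ts))
    return result


def low_prevalence_accesses(events, as_of, max_rolling=2, window_days=10):
    """Accesses on `as_of` to domains whose rolling max is <= max_rolling.

    Returns (asset, domain, rolling_max) tuples, i.e. the detections a
    low-prevalence-domain rule would raise for that day."""
    as_of = _as_date(as_of)
    findings = []
    for ts, asset, domain in _parse(events):
        if ts.date() != as_of:
            continue
        rm = rolling_max(events, domain, as_of, window_days)
        if rm <= max_rolling:
            findings.append((asset, domain, rm))
    return findings


if __name__ == "__main__":
    for asset, domain, rm in low_prevalence_accesses(EVENTS, "2024-03-04"):
        first, last = first_last_seen(EVENTS)[domain]
        print(f"{asset} -> {domain}: rolling_max={rm}, first_seen={first}, last_seen={last}")
```

Running it flags only host-d reaching rare-cdn.example.net on 2024-03-04 (one distinct asset per day in the window), while login.example.com is skipped because three assets touched it within the window. Combining the prevalence value with the domain's first-seen time, as the linked rule examples do, is what separates "new and rare in this environment" from merely "rare".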
Thank You,
I have an additional question: Is the "whois" data pushed to Chronicle by Chronicle itself, or does the tenant need a premium subscription or some other service for this purpose?
The WHOIS data is provided as part of our Chronicle solution. It does not have a subscription add-on associated with it.
What about VirusTotal?
VirusTotal has a few different tiering options of its own, and Chronicle has started to roll out bundling to provide additional VirusTotal feature sets. As noted here, https://cloud.google.com/chronicle/docs/event-processing/data-enrichment#enrich_entities_with_virustotal_relationship_data, there are certain licenses that provide this. I would suggest engaging with your account team around the question of entitlements and package tiering. Hope that helps.