
Hi All,

Is there any way in SecOps by which we can check the reputation of a public IP through Google TI in YARA-L rules and calculate the risk score?

For example: based on TI, if the risk score > 50 then the rule should trigger an alert.

Yes, you can reference the IOC feed details from GTI in your detection rule, then adjust the risk score based on those details.

    rule ioc_severity_high_or_critical {
      meta:
        author = "dlove"
        description = "Find IOC Matches with confidence score High or Critical"
        severity = "High"

      events:
        // Network telemetry: bind source and destination IPs to match variables.
        $e.target.ip = $target_ip
        $e.principal.ip = $source_ip
        (
          $e.metadata.event_type = "NETWORK_CONNECTION" OR $e.metadata.event_type = "NETWORK_HTTP"
        )
        // Join the destination IP against the IOC entity graph and capture the feed's confidence label.
        $ioc.graph.metadata.threat.confidence_details = $conf_details
        $ioc.graph.entity.ip = $target_ip

      match:
        $source_ip, $target_ip over 5m

      outcome:
        // Map the feed's confidence label to a numeric score; only High/Critical contribute.
        $risk_score = max(
          if($conf_details = "High", 75) +
          if($conf_details = "Critical", 100)
        )
        $confidence_details = array_distinct($conf_details)
        // Threat category from the IOC feed (the variable name is the author's; it is not a URL category).
        $url_category = array_distinct($ioc.graph.metadata.threat.category)
        $ioc_feed = array_distinct($ioc.graph.metadata.vendor_name)

      condition:
        $e and $ioc and $risk_score >= 75
    }

These types of rules can be very noisy.

Results from testing the above rule. You will need to apply more logic to help cut through the noise.
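One way to add the extra logic the answer mentions, as an added example that is not part of the original answer or of Google's rule set: it keeps the same event-to-IOC join but drops RFC 1918 destinations, requires the IOC to be an IP entity, folds the feed's severity label into the score alongside confidence, and only fires when the same host reaches the IOC more than once in the window. Field names are assumed from the UDM/entity-graph schema, and the score weights and thresholds are illustrative.

```yaral
rule gti_ip_reputation_scored_low_noise {
  meta:
    author = "community example"  // added example, not from the original answer
    description = "Repeated outbound connections to GTI IP IOCs, scored by confidence and severity"
    severity = "Medium"

  events:
    // Outbound network telemetry; the event types used are an assumption.
    ($e.metadata.event_type = "NETWORK_CONNECTION" or $e.metadata.event_type = "NETWORK_HTTP")
    $e.principal.ip = $source_ip
    $e.target.ip = $target_ip
    $e.principal.hostname = $host

    // Noise filter: ignore destinations in private address space (assumed internal ranges).
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")

    // Join against the IOC entity graph; require an IP entity so other entity types cannot match.
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.entity.ip = $target_ip
    $ioc.graph.metadata.threat.confidence_details = $conf
    $ioc.graph.metadata.threat.severity_details = $sev

  match:
    $host, $target_ip over 1h

  outcome:
    // Combine confidence and severity labels into one score (weights chosen for this example).
    $risk_score = max(
      if($conf = "High", 40) + if($conf = "Critical", 60) +
      if($sev = "High", 30) + if($sev = "Critical", 40)
    )
    $connection_count = count($e.metadata.id)
    $feeds = array_distinct($ioc.graph.metadata.vendor_name)
    $categories = array_distinct($ioc.graph.metadata.threat.category)

  condition:
    // Alert only on a well-scored IOC seen in more than one connection from the same host.
    $e and $ioc and #e > 1 and $risk_score >= 70
}
```

Test the rule against historical data before enabling it, and tune the CIDR exclusions and weights to the environment's own feeds and traffic.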