Skip to main content

Hi community, 

Our team is relatively new to the Yara rules, would highly appreciate any leads or pointers on how to achieve our requirements: we are trying to find  3  different country events from a single user in 24 hrs of time, on which we are excluding certain events in detection on condition that-

1. we don't want events from sequence window of 5 mins before "OpenID Connect Client" value
ex: if we have "session requested" and/or "session approved " and/or "session started" etc  within 5 mins of event "OpenID Connect Client", then we shouldn't have the alert triggered

2. But if the "OpenID Connect Client" value is getting generated after 5 mins of any event , we need them to populate.
Ex: if we have "session requested" and/or "session approved " and/or "session started" etc and "OpenID Connect Client" after 5 min window - we should have an alert.

For added clarity -
a. session approved, session requested all generates before openID connect client event 
b. we need to 2 match conditions  - one for spanning in 24 hours rolling window and other one spanning for 5 mins window   

 

 

 

rule okta_geo_hopping{

meta:
author = "ff"
description = "Detects when an user signing in from different countries in last 24hrs"
rule_id = "ff"
rule_name = "okta geo_hopping_"
reference = "test"
type = "Alert"

events:
$login.metadata.vendor_name = "Okta"
($login.metadata.product_event_type = "user.session.start" nocase or
$login.metadata.product_event_type = /user.authentication/ )
($login.extracted.fields["actor.alternateId"] != "Okta Dashboard" nocase or
$login.extracted.fields["actor.alternateId"] != "unknown" nocase or
$login.extracted.fields["actor.alternateId"] != "Okta Browser Plugin" nocase or
$login.extracted.fields["actor.alternateId"] != "xxy" nocase or
$login.extracted.fields["actor.alternateId"] != "xxt" nocase or
$login.extracted.fields["actor.alternateId"] != "Okta System" nocase)
$login.principal.user.userid = $userid
$t1.target.resource.name = "OpenID Connect Client"
$beforeopenID.target.resource.name= $allothervalue

match:
$allothervalue over 5m before $t1, $userid over 24h

outcome:

$target_user_agent = array_distinct($login.network.http.user_agent)
$principal_ip = array_distinct($login.principal.ip)

$principal_ip_city = array_distinct($login.principal.location.city)
$principal_user_email_addresses = array_distinct ($login.principal.user.email_addresses)
$country_count = count_distinct($login.principal.location.country_or_region)
$security_result_summary = array_distinct($login.security_result.summary)

condition:
($login and $beforeopenID and $t1) and $country_count > 2
}

 

 

 

 This seem like a very challenging one our team, since we are new to Yara and chronicle - Any help is greatly appreciated.

thanks!

Hi @chronicleDDsr 


I don't have the exact answer offhand, but while looking around, I found this previous community discussion that touches on a very similar topic and importantly, has an accepted solution marked:


https://www.googlecloudcommunity.com/gc/SecOps-SIEM/Detection-Rule-Creation/m-p/846232


Perhaps take a look when you get a chance? Even if it's not a perfect match, sometimes seeing how a similar problem was tackled can spark the right idea.


Hope this resource proves helpful!

There are a couple of things that immediately jump out that hopefully will help get you going.


The first is that while you can have multiple match variables within the match section the time aggregation is going to be the same for all of them. Keep in mind the match section is essentially an aggregation or group by over a time period.


Another thing to be mindful of here is that while you can use before and after in the match section, it creates a sliding window and if there are a large number of anchor values, in your case $t1, this can be a very expensive rule. Another approach to this is to use a hop window and then use greater than/less than with the time values to sequence them. An example of this is in the link below.


https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Multi-Event-Rules/ba-p/722663


Using that might help with the point 1 to eliminate things that happen within 5 minutes of the OpenID Connect Client.


Related to all of this, it sounds like there are two kinds of events:


-Event1, $login would be the event variable and then all of the session and auth events


-Event2, $openconnect (arbitrary event variable name) would be the specific event you are interested in measuring around.


Then you could use something like this to knock out events where the sequencing doesn't line up:


$openconnect.metadata.event_timestamp.seconds - $login.metadata.event_timestamp.seconds > 300


These would both be in the condition section as well


Hope this helps, I don't have a load of okta data to simulate this but we do have some community rules for Okta that might also be helpful for reference: https://github.com/chronicle/detection-rules/tree/main/rules/community/okta


 


 

thank you @jstoner @ErikaB . We figured out a way based on the inputs shared

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.