Hi
I am thinking of building a query in which i am going to use file.hash or process.hash to be compared with reference list containing IOC (custom hash) , then i also want that file.hash/process.hash to check with google safe browsing global context. Is this feasible?
Here is a sample rule we wrote in the community rules that does the safebrowsing bit https://github.com/chronicle/detection-rules/blob/main/community/threat_intel/google_safebrowsing_file_process_creation.yaral
And here is a blog on the safebrowsing capabilities that SecOps highlights.
Always important to tune and test in your environment, but this should get you going in the right direction.
Here is a sample rule we wrote in the community rules that does the safebrowsing bit https://github.com/chronicle/detection-rules/blob/main/community/threat_intel/google_safebrowsing_file_process_creation.yaral
And here is a blog on the safebrowsing capabilities that SecOps highlights.
Always important to tune and test in your environment, but this should get you going in the right direction.
@jstoner yes i have seen this alert and this gave me the idea to build similar alert in my environment. However my question is if i wish to use another threat feed which i am in ingesting via reference list along with GCTI feed is it possible?
So in short hash from my logs is to be compared with
1) Reference list IOC feed
2) GCTI safe browsing feed.
Can i do this both in a single query
@jstoner yes i have seen this alert and this gave me the idea to build similar alert in my environment. However my question is if i wish to use another threat feed which i am in ingesting via reference list along with GCTI feed is it possible?
So in short hash from my logs is to be compared with
1) Reference list IOC feed
2) GCTI safe browsing feed.
Can i do this both in a single query
If I’m understanding correctly - yes.
In your events section you would use a AND statement unless you wanted them to be separate then it would be a OR statement
If I’m understanding correctly - yes.
In your events section you would use a AND statement unless you wanted them to be separate then it would be a OR statement
@dnehoda / @jstoner
So my event section should like this , is this correct ?
events:
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256 ) or
$sha256 in %suspicious_hash or
// join execution event with Safe Browsing graph
($safebrowse.graph.entity.file.sha256 = $sha256
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT")
@dnehoda / @jstoner
So my event section should like this , is this correct ?
events:
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256 ) or
$sha256 in %suspicious_hash or
// join execution event with Safe Browsing graph
($safebrowse.graph.entity.file.sha256 = $sha256
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT")
The above would be 3 separate ORs.
I believe you want this below but I may be off a little on your exact use case.
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256 ) AND
$sha256 in %suspicious_hash
OR
// join execution event with Safe Browsing graph
($safebrowse.graph.entity.file.sha256 = $sha256
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT")
The above would be 3 separate ORs.
I believe you want this below but I may be off a little on your exact use case.
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256 ) AND
$sha256 in %suspicious_hash
OR
// join execution event with Safe Browsing graph
($safebrowse.graph.entity.file.sha256 = $sha256
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT")
@dnehoda / @jstoner/ @AymanC :
i added as mentioned above but its throwing an error "
semantic analysis: match variable sha256 is not assigned to an event field
This compiles. The or after the list doesn't really make sense and may have been where the error was popping up. I haven't tested against a data set but this will compile.
At this time, you can't say is it on the list or is it in safebrowsing because the only join supported right now is the inner join between udm and entity graph. So with the UDM and the reference list and the safebrowsing you are really saying it's in UDM AND it's in my watchlist AND it's in safebrowsing....
events:
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256 )
$sha256 in %suspicious_hash
$execution.principal.hostname = $host
// join execution event with Safe Browsing graph
$safebrowse.graph.entity.file.sha256 = $sha256
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"
This compiles. The or after the list doesn't really make sense and may have been where the error was popping up. I haven't tested against a data set but this will compile.
At this time, you can't say is it on the list or is it in safebrowsing because the only join supported right now is the inner join between udm and entity graph. So with the UDM and the reference list and the safebrowsing you are really saying it's in UDM AND it's in my watchlist AND it's in safebrowsing....
events:
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256 )
$sha256 in %suspicious_hash
$execution.principal.hostname = $host
// join execution event with Safe Browsing graph
$safebrowse.graph.entity.file.sha256 = $sha256
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"
@jstoner Okay ,so it means we will not able to compare the logs with both of them in the same query
1) Reference list IOC feed
2) GCTI safe browsing feed.
We would need separate use case . Is my understanding correct here ?
Hi @rahul7514,
Unable to test with the data, however please see if the below works 🙂
rule rule_rahul_test {
meta:
author = "Ayman C"
events:
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256 )
$execution.principal.hostname = $host
// join execution event with Safe Browsing graph
$safebrowse.graph.entity.file.sha256 = $sha256
// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"
match:
$sha256 over 1h
outcome:
$ValueInReferenceList = sum(if($sha256 in %suspicious_hash, 1, 0))
condition:
$execution and $safebrowse and $ValueInReferenceList > 0
}
It really depends on what you are trying to accomplish. The initial statement was
i am going to use file.hash or process.hash to be compared with reference list containing IOC (custom hash) , then i also want that file.hash/process.hash to check with google safe browsing global context. Is this feasible?
Based on that statement, the reference list is the first check in the events section and the second check was if we have that, then i ALSO want to check safebrowing. What I highlighted is that, but the caveat is that all 3 things need to occur, the event exists, the hash in the reference list and the join to safebrowsing.
If you want something else, then perhaps @AymanC example fits the use case, or you need different rules to fulfill the use case. My point is that if you want to do all 3 you can you perform the join like i highighted in the example rules and you can certainly use a reference list. You cannot perform an or for a join however.
Thanks @AymanC / @jstoner : sorry for putting my question incorrectly at the start .
Yes i wanted to compare my logs with 2 separate feeds (one via reference list and other Safebrowsing) and wanted to trigger an alert if any of it gets matched . Since join does not work in that fashion i think i will need to create 2 separate alerts
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.