
Hi,

I am trying to build the rule below, where I am trying to compare the different target SHA256 hash values appearing in any product (CrowdStrike, Windows, Meraki, Defender, etc.) with Google Safe Browsing.
If I have to do this individually for each product then I would need to build multiple alerts, as the event type is different for different products:
CrowdStrike - metadata.event_type = "PROCESS_UNCATEGORIZED"
Meraki - metadata.event_type = "SCAN_FILE"
Defender - metadata.event_type = "USER_UNCATEGORIZED"

rule google_safebrowsing_file_process_creation {

meta:
description = "Detection of process/file events that match Safe Browsing hashes, which are files deemed to be malicious"
severity = "Critical"
priority = "High"

events:
($execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256) and

// join execution event with Safe Browsing graph
$safebrowse.graph.entity.file.sha256 = $sha256

// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"

match:
$sha256 over 1h

condition:
$execution and $safebrowse
}


However, on doing so it gives this error message.


If you are looking for specific combinations, why not do something like this? I don't know if those are the right product names but hopefully it gets the idea across. Remember that inside parentheses AND/OR are required, so you need to use them explicitly there.

(
(metadata.event_type = "PROCESS_UNCATEGORIZED" and metadata.product_name = "Crowdstrike")
or
(metadata.event_type = "SCAN_FILE" and metadata.product_name = "Meraki")
or
(metadata.event_type = "USER_UNCATEGORIZED" and metadata.product_name = "Defender")
)



@jstoner:

I did try the above but it gives the error message.


rule Test_google_safebrowsing_file_process_creation {

meta:
description = "Detection of process/file events that match Safe Browsing hashes, which are files deemed to be malicious"
severity = "Critical"
priority = "High"

events:
(
($execution.metadata.event_type = "PROCESS_UNCATEGORIZED" and $execution.metadata.product_name = "Falcon" and $execution.target.file.sha256 = $sha256)
or
($execution.metadata.event_type = "SCAN_FILE" and $execution.metadata.product_name = "Meraki" and $execution.target.file.sha256 = $sha256)
or
($execution.metadata.event_type = "USER_UNCATEGORIZED" and $execution.metadata.product_name = "Microsoft Defender ATP:MicrosoftDefenderATP" and $execution.target.file.sha256 = $sha256)
) and

// join execution event with Safe Browsing graph
$safebrowse.graph.entity.file.sha256 = $sha256

// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"

match:
$sha256 over 1h

condition:
$execution and $safebrowse
}




Correct, you need to join this value with something in UDM:

// join execution event with Safe Browsing graph
$safebrowse.graph.entity.file.sha256 = $sha256

@jstoner it is not working, see the error message below.



My question was: what are you joining that safebrowsing placeholder variable to? If you are not sure, that's ok, but then please reference the YARA-L sample rule we created or the blog to show how the UDM event needs to be joined to the entity graph. That is what that error is telling us.


Hi @rahul7514,

Does the below work?

rule multi_event_rule_test {

meta:
author = "Ayman C"

events:

$execution.metadata.event_type = $EventType
$execution.target.file.sha256 = $sha256
$execution.metadata.product_name = $ProductName

(($EventType = "PROCESS_UNCATEGORIZED" and $ProductName = "Falcon" and $execution.target.file.sha256 = $sha256)
or
($EventType = "SCAN_FILE" and $ProductName = "Meraki" and $execution.target.file.sha256 = $sha256)) and

$safebrowse.graph.entity.file.sha256 = $sha256

$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"

match:
$sha256 over 1h

condition:
$execution and $safebrowse
}

Kind Regards,

Ayman C


@rahul7514 I think the problem is in using OR with 3 different fields as placeholders and a join at the same time.

This version works 'semantically'; however, I was not able to test the logic with sample events. You could use the host or the Safe Browsing hash as a match, but I think the host is better.


rule SBTest {

meta:

events:

$execution.principal.hostname = $host

$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"
$safebrowse.graph.entity.file.sha256 = $sha256_sb

($execution.target.process.file.sha256 = $sha256_sb or
$execution.target.process.parent_process.file.sha256 = $sha256_sb or
$execution.target.file.sha256 = $sha256_sb )

match:
$host over 1h
// $sha256_sb over 1h

outcome:
$hashes_ = arrays.concat(array_distinct($execution.target.process.file.sha256) , array_distinct($execution.target.process.parent_process.file.sha256))
$hashes = arrays.concat($hashes_, array_distinct( $execution.target.file.sha256))
$sbHash = array_distinct($sha256_sb)

condition:
$safebrowse and $execution
}




I revisited this today and did a bit of testing. In my test instance I was able to generate detections from two of your three sha256 fields with different hashes, so I believe this could work. I will add a few caveats: the first is that I've put the event type and product combinations in to narrow the UDM data that has to be reviewed, and I narrowed the aggregation to 5m from one hour. I'm hoping that by doing those two things the data load doesn't return the "it took too long to run" message. If this doesn't work, I might suggest breaking out the comparisons into three different rules and seeing if you get hits and how it functions, to see what the difference at scale looks like.




rule Test_google_safebrowsing_file_process_creation {

meta:
description = "Detection of process/file events that match Safe Browsing hashes, which are files deemed to be malicious"
severity = "Critical"
priority = "High"

events:
(
($execution.metadata.event_type = "PROCESS_UNCATEGORIZED" and $execution.metadata.product_name = "Crowdstrike") or
($execution.metadata.event_type = "SCAN_FILE" and $execution.metadata.product_name ="Meraki") or
($execution.metadata.event_type = "USER_UNCATEGORIZED" and $execution.metadata.product_name = "Defender")
)

(
$execution.target.process.file.sha256 = $sha256 or
$execution.target.process.parent_process.file.sha256 = $sha256 or
$execution.target.file.sha256 = $sha256
)

// join execution event with Safe Browsing graph
$safebrowse.graph.entity.file.sha256 = $sha256

// Safe Browsing file hashes provided by GCTI Feed
$safebrowse.graph.metadata.product_name = "Google Safe Browsing"
$safebrowse.graph.metadata.entity_type = "FILE"
$safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"

match:
$sha256 over 5m

condition:
$execution and $safebrowse
}


Have you considered using coalesce?

$execution.metadata.vendor_name = "some-vendor" // good practice

$sha256 = strings.coalesce(
$execution.target.process.parent_process.file.sha256,
$execution.target.process.file.sha256,
$execution.target.file.sha256
)
$sha256 != ""

Coalesce is a great call out; the important thing to keep in mind is that coalesce will stop at the first non-null field, so field order is important to consider here.
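To make the difference between the two join shapes in this thread concrete, here is an added, stand-alone Python model of the events-section logic. It is not Chronicle/YARA-L code and not from any participant above: it mimics the tested rule's OR across the three UDM hash fields (narrowed by product/event_type) alongside the strings.coalesce() form suggested afterwards, and runs both over constructed sample events against a constructed Safe Browsing hash set. The product names, hashes and events are assumptions made for the example; the only semantics modelled are "any populated field may join" versus "the first non-empty field is the only join key".

```python
"""Model of two SHA256 join strategies from a YARA-L rule discussion.

Added illustration, not Google SecOps / YARA-L code. Models:
  (a) (f1 = $sha256 or f2 = $sha256 or f3 = $sha256)   -> any populated field joins
  (b) $sha256 = strings.coalesce(f1, f2, f3), $sha256 != "" -> first non-empty field joins
All hashes, product names and events below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable


def fake_sha256(label: str) -> str:
    """Constructed 64-hex-char value standing in for a file hash (not a real sample)."""
    return hashlib.sha256(label.encode()).hexdigest()


MALICIOUS_A = fake_sha256("constructed-malicious-1")
MALICIOUS_B = fake_sha256("constructed-malicious-2")
BENIGN = fake_sha256("constructed-benign")

# Stand-in for Safe Browsing FILE entities ($safebrowse.graph.entity.file.sha256).
SAFE_BROWSING_SHA256 = {MALICIOUS_A, MALICIOUS_B}

# product_name / event_type pairs the rule narrows on (assumed product_name values).
ALLOWED_SOURCES = {
    ("Crowdstrike", "PROCESS_UNCATEGORIZED"),
    ("Meraki", "SCAN_FILE"),
    ("Defender", "USER_UNCATEGORIZED"),
}


@dataclass
class UdmEvent:
    """Minimal UDM shape; an empty string models an unset field."""
    product_name: str
    event_type: str
    parent_process_sha256: str = ""  # target.process.parent_process.file.sha256
    process_sha256: str = ""         # target.process.file.sha256
    target_file_sha256: str = ""     # target.file.sha256


def hash_fields(ev: UdmEvent) -> list:
    """Field order as written in the coalesce suggestion: parent process first."""
    return [ev.parent_process_sha256, ev.process_sha256, ev.target_file_sha256]


def process_first(ev: UdmEvent) -> list:
    """Alternative order: the launched process hash before its parent."""
    return [ev.process_sha256, ev.parent_process_sha256, ev.target_file_sha256]


def source_allowed(ev: UdmEvent) -> bool:
    return (ev.product_name, ev.event_type) in ALLOWED_SOURCES


def join_with_or(ev: UdmEvent, feed: set) -> set:
    """Model of the OR form: every populated field is a candidate join key."""
    if not source_allowed(ev):
        return set()
    return {h for h in hash_fields(ev) if h and h in feed}


def coalesce(*values: str) -> str:
    """strings.coalesce() semantics: first non-empty argument, else empty string."""
    for v in values:
        if v:
            return v
    return ""


def join_with_coalesce(ev: UdmEvent, feed: set,
                       fields: Callable[[UdmEvent], list] = hash_fields) -> set:
    """Model of the coalesce form: exactly one join key per event, chosen by field order."""
    if not source_allowed(ev):
        return set()
    key = coalesce(*fields(ev))
    return {key} if key in feed else set()


def coalesce_misses(events, feed, fields=hash_fields):
    """Events the OR form detects but the coalesce form (with this field order) does not."""
    return [ev for ev in events
            if join_with_or(ev, feed) and not join_with_coalesce(ev, feed, fields)]


# Constructed sample events.
SAMPLE_EVENTS = [
    # Benign parent launched a known-bad child: coalesce stops at the parent hash.
    UdmEvent("Crowdstrike", "PROCESS_UNCATEGORIZED",
             parent_process_sha256=BENIGN, process_sha256=MALICIOUS_A),
    # File scan with only target.file populated: both forms agree.
    UdmEvent("Meraki", "SCAN_FILE", target_file_sha256=MALICIOUS_B),
    # Known-bad parent, benign child: both forms agree with parent-first order.
    UdmEvent("Defender", "USER_UNCATEGORIZED",
             parent_process_sha256=MALICIOUS_A, process_sha256=BENIGN),
    # Source outside the product/event_type filter: excluded before any join.
    UdmEvent("Windows", "PROCESS_LAUNCH", process_sha256=MALICIOUS_A),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.product_name:<12}{ev.event_type:<22}"
              f"or={len(join_with_or(ev, SAFE_BROWSING_SHA256))} "
              f"coalesce={len(join_with_coalesce(ev, SAFE_BROWSING_SHA256))}")
    print("missed by coalesce:",
          [e.product_name for e in coalesce_misses(SAMPLE_EVENTS, SAFE_BROWSING_SHA256)])
```

The first sample event is the case the last reply warns about: the parent hash is populated and benign, so coalesce() takes it and never looks at the malicious child-process hash, while the OR form still joins on it. Reordering the fields (process_first) recovers that event but loses the third one, where only the parent is malicious; the OR form catches both, at the cost of being able to join on more than one hash from a single event.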

