Skip to main content

Hello everyone! I just started working with Chronicle SIEM and I need some help with a YARA-L rule.

I need to create a rule that will filter Corelight logs with files containing malicious hashes and match the hashes against Virus Total.

Appreciate any help in advance!🙂

We're here to help with questions like this. Do you have a portion of the rule built that you can share? Chronicle has a few integrations with VT but they have some specific licensing requirements associated with it. If you are putting VT data into some sort of reference list, that might change things a bit, so understanding how you are gathering the VT data would be helpful as well.

We're here to help with questions like this. Do you have a portion of the rule built that you can share? Chronicle has a few integrations with VT but they have some specific licensing requirements associated with it. If you are putting VT data into some sort of reference list, that might change things a bit, so understanding how you are gathering the VT data would be helpful as well.


Thank you for the quick reply!
Here is the rule I built:
 

rule test_corelight_logs_with_malicious_hash_Virus_Total {
  meta:
    author = "NastyaS"
    description = "Detects files with malicious hash, by matching against Virus Total"
    short_description = "IoC Virus Total Match files"
    severity = "Medium"
    priority = "Medium"
    status = "Testing"
    created_date = "2023-09-14T00:00:00Z"
    rule_version = "1.3"
    yara_version = "YL2.0"
    data_source = "Firewall events"
    confidence_threshold = "50"

    events:
    $e1.metadata.event_type = "NETWORK_CONNECTION"
    $e1.target.ip = $ip
    $e1.principal.user.userid = $userid

    $e2.principal.user.userid = $userid
    $e2.target.process.file.sha256 = $hash

    /*$e3.metadata.log_type = "CORELIGHT"
    $e3.security_result.action = "ALLOW"
    $e3.principal.hostname = $host
    $e3.target.ip  = $ip*/

    // get virus total data
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.metadata.product_name = "VirusTotal Relationships"
    $vt.graph.entity.file.sha256  = $hash
    //find relation between ip address and file hash from VT duet
    $vt.graph.relations.entity_type = "IP_ADDRESS"
    $vt.graph.relations.entity.ip = $ip
    match:
        $ip,$hash over 15m
  outcome:
    $soar_rule_entities = array_distinct($userid)
    // standard outcomes
    $risk_score = 60
    $event_count = count_distinct($e1.metadata.id)
    // principal
    $principal_ip = array_distinct($e1.principal.ip)
    $principal_hostname = array_distinct($e1.principal.hostname)
    $principal_user_userid = array_distinct($e1.principal.user.userid)
    $principal_resource_name = array_distinct($e1.principal.resource.name)
    // target
    $target_ip = array_distinct($e1.target.ip)
    $target_hostname = array_distinct($e1.target.hostname)
    $target_user_userid = array_distinct($e1.target.user.userid)
    $target_resource_name = array_distinct($e1.target.resource.name)
    $target_url = array_distinct($e1.target.url)

  condition:
    $e1 and $e2 and $vt
}

I need to specify that I am looking for Corelight logs.
I tried to add this code:
$e3.metadata.log_type = "CORELIGHT"
$e3.security_result.action = "ALLOW"
$e3.principal.hostname = $host
$e3.target.ip  = $ip ,

but it didn't work out, since the rule doesn't detect any logs.

Thanks for sending this along. The $e2 event needs to be something more specific. As I read this, we have network connection events in $e1. Narrowing this down to a specific kind of network traffic might be nice to improve the rule, but for now we are ok.


Is the Corelight data the $e1 Network Connection events or is it something else? If we just want to look for Corelight data and VT data, the first portion of the event section might be able to be narrowed to just this:



$e1.metadata.event_type = "NETWORK_CONNECTION"

$e1.target.ip = $ip

$e1.principal.user.userid = $userid

$e1.metadata.log_type = "CORELIGHT"

$e1.security_result.action = "ALLOW"

 

and then the condition section is narrowed to 



$e1 and $vt




I would suggest removing $e2 because at the moment $e2 is basically everything in your environment.


This rule looks similar to a template rule we created here.


https://github.com/chronicle/detection-rules/blob/main/community/threat_intel/vt_relationships_file_contacts_ip.yaral


 

hey team

based the same rule which i build when i search the hash and ip in vt am getting zero rating then how come  it is alerting  as vt rates it has clean .

could you please explain

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.