Detection Rules – Netenrich

Table of Contents:

This article describes the overview and procedural steps for creating, publishing and adding detection rules to content packs.

Detection Rules are defined as conditional logic applied to all ingested logs in Chronicle. Resolution Intelligence Cloud^®receives a detection or signal when a single case is matched over a given period of time that is defined in a rule.

To hunt for threats or other suspicious events in telemetry data of Chronicle, you can use more advanced rules, create your own, or customize the rules. The rules engine will use the widely used detection language called YARA-L to write rules. Resolution Intelligence Cloud enables you to tag rules based on MITRE tactics & techniques, log source type, rule confidence, and severity. For example, configuring a rule that detects an unusual user login from different locations at unusual times (12 AM to 3 AM local time).

Rules created from the parent account are published to child accounts and then to Chronicle. Users can navigate to Chronicle only from the tenant level. To publish rules to Chronicle, they must be associated with a pack. Publishing is allowed only if Chronicle integration is enabled. If Chronicle integration is not enabled, any packs containing rules will fail to publish.

Detection rules allow you to define the compliance and regulatory policies of your organization to scale your business growth at the enterprise level and improve your relationships with other security-compliant organizations.Schedule a Demo

YARA-L rules

YARA-L rules are designed to detect known threats or specific patterns associated with malware, exploits, or suspicious behaviors. These rules capture the behavioral characteristics of threats observed in the past. This allows security teams to detect similar behaviors if they reoccur, even if the specific malware or attack variant has changed. Writing and applying these rules enables the immediate detection of similar attacks that have occurred in the past.

Creating a Detection Rule

User Permissions required

A creator from these categories such as Domain, Organization, and Tenant can create rules.

To create a rule:

Do one of the following to access Configurations:
- Click the Configurations icon at the top navigation bar.
- Click the hamburger menu on the left and select CONFIGURATIONS.
Click Detection Policies, under Signals.
Click +Create New --> Detection Rule at the top right corner. (or)
Click Detection Rules tile --> Create New.
A detection rule creation form appears. You can view its version and status. The new rules will have the version labeled as Version 1 and the status marked as Not Saved.
Note: This flow is based on the subscription you opt for.
Enter Rule Name, and Description.
On the right of the Detection Rule page, you can do the following:
- Comments: collaborate with others by adding comments.
- Activity log: find the actions taken by different users on the rule.
- Versions: see the previous versions of a rule with the status.
Under the Rule Editor,
- define the rule syntax in the YARA-L language. The syntax has meta, event, match, and condition sections. If the condition defined in the Rule Editor is satisfied, the event is triggered and a detection is generated.
- The sample rule looks like this:

rule NewRule2
{
  meta:
     subject = "NewRule2"
     description = "NewRule2"
     tactic = "Lateral Movement"
     technique = "Remote Service Session Hijacking"
     tool = ""
     datasource = ""
     category = ""
     product = ""
     logsource = ""
     actor = ""
     malware = ""
     vulnerability = ""
     custom = ""
     confidence = "High"
     severity = "High"
     falsePositives = "None"
     externalSubject = "0"
     externalMITRE = "0"
     version = "1"
  events:
        $e.metadata.event_type = "NETWORK_CONNECTION"
        $e.security_result.category="EXPLOIT"
        (net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12") or net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8") or net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16"))
        $e.principal.ip = $principal_ip
        $e.target.ip =$target_ip
        $e.security_result.action != "BLOCK"
        $e.security_result.summary = $signature
        not $e.principal.ip in %vulnerability_scanners

    match:
        $principal_ip over 10m

    condition:
       (#target_ip >=5 and #signature =1) or (#target_ip =1 and #signature >=10 )

}

The above YARA-L rule is illustrated

Network connection rule
Meta data	Provides additional information such as the tactic, technique, sub-technique, and tool used by the attacker in the observed attack will facilitate easy identification of the type of attack being targeted by the rule.
Events	Specifies the events the rule is designed to detect.
	Event type	Specifies that the event type is "Network connection", meaning the rule focuses exclusively on network connection events.
	Security result category	Filters events to include only those categorized as exploits.
	(net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12") or net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8") or net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16")) $e.principal.ip = $principal_ip	Ensures the principal IP address is within common private IP ranges: `172.16.0.0/12`: Covers IP addresses from 172.16.0.0 to 172.31.255.255. `10.0.0.0/8`: Covers IP addresses from 10.0.0.0 to 10.255.255.255. `192.168.0.0/16`: Covers IP addresses from 192.168.0.0 to 192.168.255.255.
	$e.principal.ip = $principal_ip (or) $e.principal.ip in %IPs_reference_list	Captures the principal IP address involved in the event. (or) You can also add a published reference list to the rule body, containing a list of blacklisted IPs you want to detect.
	$e.target.ip = $target_ip	Captures the target IP address involved in the event
	$e.security_result.action != "BLOCK"	Focuses on events that were not blocked, indicating potential successful exploits or attacks.
	$e.security_result.summary = $signature	Captures the summary or description of the security event
	not $e.principal.ip in %vulnerability_scanners	Excludes events originating from known vulnerability scanners, focusing only on potential malicious activities not associated with authorized scanning.
Match	principal_ip over 10m	Rule looks for matching events involving the same principal IP within a 10-minute window
condition	(#target_ip >=5 and #signature =1) or (#target_ip =1 and #signature >=10 )	Condition triggers if there are at least 5 unique target IPs and exactly 1 unique exploit or attack pattern (signature) is detected. Condition triggers if there is exactly 1 unique target IP and at least 10 unique exploit or attack patterns (signatures) are detected.

Copy the rule syntax to the clipboard using the copy icon and paste it wherever required.
Using the ellipses icon ,
- Find & Replace the content in the rule.
- Compare the rules using Compare Versions, if the previous versions are available.

7. Click Verify Rule at the top of the Rule Editor. If the rule is not verified manually, it will be verified when sent for review. Each new version you create includes the 'Verify Rule' option to either verify the rule manually or have it auto-verified during the review process. If the approval workflow is not enabled for this tenant, the user must manually verify the rule to create and publish it.

Once the rule syntax is verified, the Test Rule button is shown.

8. Click Test Rule and select from date to to date and appropriate tenant from the drop-down list.

9. Select Rule Type under When should this rule be active.

- Real-time: a live instance
- Scheduled: fixed at a specific time period

10. (Optional) Add Tags for the following fields, wherever applicable, under Metadata.

Tags	Descriptions
MITRE Attack
Tactics	Represents deliberate actions or strategies used to achieve specific goals. Refer to this article for more information.
Technique	Represents specific methods employed to carry out objectives within a tactic. Refer to this article for more information.
Sub-technique	A sub-technique is a more specific adversary action. For example, a technique such as Process Injection has 11 sub-techniques to cover (in more detail) the variations of how adversaries have injected code into processes. Note: Multiple selections are allowed.
Data Source	Represents a source of structured or semi-structured data used for analysis, reporting, or integration.
Threat
Threat Actor	Refers to a an individual, group or organization that conducts malicious activities like cyber attacks with the intent to compromise or exploit computer systems or networks. Note: Multiple selections are allowed.
Malware	Refers to, in the context of MITRE, malicious software designed to disrupt, damage or gain unauthorized access to computers or networks. Note: Multiple selections are allowed.
Tool	A type of tool or device to which a model belongs to. Note: Multiple selections are allowed.
Risk
Vulnerability	A weakness, flaw or other shortcoming in a system (infrastructure, database or software), but it can also exist in a process, a set of controls, or simply just the way that something has been implemented or deployed. Note: Multiple selections are allowed.
Telemetry Source
Logsource Type	A type of source where logs originate from. Note: Multiple selections are allowed.
Product/Vendor	The type of vendor to whom this rule belongs to. Note: Multiple selections are allowed.
Custom metadata
Tag(s)	A special modification of an existing tag. Note: Multiple selections are allowed.
Additional attribute(s)	Add custom fields to detection rules using attribute-value pairs. In addition to the default fields, you can add as many custom fields as needed. All added fields will be visible in the detection rule editor after the rule is saved and sent for review.
Signal Specifications
Confidence	Denotes the percentage of probability that a signal carries risk or not.
Severity	Defines the severity of a model. Allowed values are High, Medium, and Low.
False Positive Scenario	For every behavior, there are a few scenarios in which the detection would be legitimate. So we would keep those details here and recommend to the user that they baseline the expected behavior using reference lists.
Check Box left to Subject from Native Signal	It helps you apply subject as static values for some detection rules, and for some rules that are intended to only convert native signals from devices like EDR, and antivirus where you cannot apply subject as static behavior. In such cases, leverage external subject from native signal checkbox to pickup MITRE details from UDM event in chronicle while transforming the signal.
Check Box left to Mitre from Native Signal	It helps you apply Tactic & Techniques as static values for some detection rules, and for some rules that are intended to only convert native signals from devices like EDR, and antivirus where you can not apply tactics and techniques as static behavior. In such cases, leverage the external native MITRE checkbox to pickup MITRE details from the UDM event in chronicle while transforming the signal.

11. Click Save as draft to save the changes. (or)

12. Click Send for Review. When a reference list is added to the rule body, it becomes visible on the left side after the rule is sent for review. You can click View to view the reference list on a new tab. For more information, see Linking reference lists to detection rules

The rule will be sent to Publisher for review and the rule state is moved to Under Review.

Publishing Detection Rules

User Permissions Required

A Publisher from these categories such as Domain, Organization, and Tenant can publish rules.

To publish a Rule:

Do one of the following to access Configurations:
- Click the Configurations icon at the top navigation bar.
- Click the hamburger menu on the left and select CONFIGURATIONS.
Click Detection Policies, under Signals.
In the Detection Policies listing page, click the rule that is Under Review state.
Verify the Rule syntax and other significant details in the rule.
Do the following:

- Click Approve if the rule syntax is appropriate.
  The rule will be moved to the Approved (for version 1 only) / Ready to Publish (versions more than one) state once it is approved.
- Click Request Changes, if the rule is not appropriate.
  The rule was sent back to the creator for changes and moved to the Request Changes state.
- Click Edit at the top, if you wish to modify any details of a rule.
- Click Save as draft.
  The status changes to draft (or)
- Click Send for Review.
  The status changes to Under Review.

Note: Approved state is only applicable for the rules with version no# 1. The rules with version no # greater than one will be moved to the Ready to Publish state once they are approved.

Adding a Content Pack to Detection Rule

To publish a detection rule to Chronicle, you must associate this rule with at least one pack. The publisher can add packs to any rule that is in an approved, or draft, or ready-to-publish state.

Content packs are added to a rule in two ways:

From Detection Rules page
From Packs page

Adding a content pack to a rule

To add a content pack to a rule,

On the Detection Rules listing page, you can only associate packs with rule(s) in few states:
- If the customer selected the Approval work flow, these states are applicable:
  - Approved state: Use Add to Packs button to associate packs to rules, on the Detection rules page.
  - Ready to Publish state: Use Edit associated packs to add more packs to rules. This option is visible only when you click the Associated Packs button, on the Detection rules page.
- If the customer has not selected the Approval workflow, then these states are applicable.
  - Draft state: Use Add to Packs button to associate packs to rules, on the Detection rules page.
  - Ready to Publish state: Use Edit associated packs to add more packs to rules. This option is visible only when you click the Associated Packs button, on the Detection rules page.
Click Add to Packs at the top right corner.
A side panel appears on the screen. In the associated pack window, you can see the following columns:.
- Pack Name: The name of a pack
- Status: The status of the pack. Possible values:
  - Unpublished changes
  - All changes published
- Rules Associated: Total number of rules associated with the pack.
- Accounts Associated: The total number of organizational or domain accounts associated with the pack.

Note:

- This column name is applicable to only organizations or domains.
- If the rule is in Ready to Publish state, you can publish this rule from the Associated packs side panel.

3. Select one or more packs to associate with a rule. For more information on packs, refer to this article.

4. Click on any of the following options:

- Associate & Publish: Packs are associated, and the rule is published.
- Associate: Packs are associated only, but the rule is not published.
  After the packs are associated with a rule, you can view the associated packs by clicking Associated Packs at the top of the rule. Also, you can add or remove the associated packs using Edit associated packs at the top of the window.

Filtering Detection rules

Use this procedure to filter the detection rules based on the search criteria.

Do one of the following to access Configurations:
- Click the Configurations icon at the top navigation bar.
- Click the hamburger menu on the left and select CONFIGURATIONS.
Click Detection Policies, under Signals. The Detection Rules listing page appears.
Click the filter icon to expand the filter options.
Select the label, operator and value. You can add multiple filters to filter the detection rules by the given criteria. For instance, the label is Rule Name and the operator selected is Equals and the value entered is "Chronicle rules", then this will display all the rules matching the value, that is Chronicle rules.
Click Apply Filters to see the results.

To add a content pack to a rule, refer to configuring a pack.

To create a new version of the published or disabled rules, refer to Versioning a rule

In addition to configuring, you can always simulate, clone, version, disable, edit, delete, find, and filter rules to manage your detection policies effectively.