This article describes the overview and procedural steps for creating, publishing and adding detection rules to content packs.
Detection Rules are defined as conditional logic applied to all ingested logs in Chronicle. Resolution Intelligence Cloud® receives a detection or signal when a single case is matched over a given period of time that is defined in a rule.
To hunt for threats or other suspicious events in telemetry data of Chronicle, you can use more advanced rules, create your own, or customize the rules. The rules engine will use the widely used detection language called YARA-L to write rules. Resolution Intelligence Cloud enables you to tag rules based on MITRE tactics & techniques, log source type, rule confidence, and severity. For example, configuring a rule that detects an unusual user login from different locations at unusual times (12 AM to 3 AM local time).
Any rule created at the domain or organization level will be published to Chronicle. Users can only navigate to the Chronicle from the tenant. Additionally, all rules must be associated with a pack to be published to Chronicle. You can only publish if Chronicle integration is enabled. If Chronicle is not enabled, any packs with rules that are published will fail.
Detection rules allow you to define the compliance and regulatory policies of your organization to scale your business growth at the enterprise level and improve your relationships with other security-compliant organizations.Schedule a Demo
YARA-L rules
YARA-L rules are designed to detect known threats or specific patterns associated with malware, exploits, or suspicious behaviors. These rules capture the behavioral characteristics of threats observed in the past. This allows security teams to detect similar behaviors if they reoccur, even if the specific malware or attack variant has changed. Writing and applying these rules enables the immediate detection of similar attacks that have occurred in the past.
Configuring Detection Rules
User Permissions required
A creator from these categories such as Domain, Organization, and Tenant can create rules.
To create a rule:
-
Do one of the following to access Configurations:
- Click the Configurations icon at the top navigation bar.
- Click the hamburger menu on the left and select CONFIGURATIONS.
- Click Detection Policies, under Signals.
- Click +Create New --> Detection Rule at the top right corner. (or)
- Click Detection Rules tile --> Create New.
A detection rule creation form appears. You can view its version and status. The new rules will have the version labeled as Version 1 and the status marked as Not Saved.
Note: This flow is based on the subscription you opt for. - Enter Rule Name, and Description.
- On the right of the Detection Rule page, you can do the following:
- Comments: collaborate with others by adding comments.
- Activity log: find the actions taken by different users on the rule.
- Versions: see the previous versions of a rule with the status.
- Under the Rule Editor,
- define the rule syntax in the YARA-L language. The syntax has meta, event, match, and condition sections. If the condition defined in the Rule Editor is satisfied, the event is triggered and a detection is generated.
- The sample rule looks like this:
rule NewRule2
{
meta:
subject = "NewRule2"
description = "NewRule2"
tactic = "Lateral Movement"
technique = "Remote Service Session Hijacking"
tool = ""
datasource = ""
category = ""
product = ""
logsource = ""
actor = ""
malware = ""
vulnerability = ""
custom = ""
confidence = "High"
severity = "High"
falsePositives = "None"
externalSubject = "0"
externalMITRE = "0"
version = "1"
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.security_result.category="EXPLOIT"
(net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12") or net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8") or net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16"))
$e.principal.ip = $principal_ip
$e.target.ip =$target_ip
$e.security_result.action != "BLOCK"
$e.security_result.summary = $signature
not $e.principal.ip in %vulnerability_scanners
match:
$principal_ip over 10m
condition:
(#target_ip >=5 and #signature =1) or (#target_ip =1 and #signature >=10 )
}
The above YARA-L rule is illustrated
Network connection rule | ||
Meta data |
Provides additional information such as the tactic, technique, sub-technique, and tool used by the attacker in the observed attack will facilitate easy identification of the type of attack being targeted by the rule. |
|
Events |
Specifies the events the rule is designed to detect. | |
Event type | Specifies that the event type is "Network connection", meaning the rule focuses exclusively on network connection events. | |
Security result category | Filters events to include only those categorized as exploits. | |
(net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12") or net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8") or net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16")) $e.principal.ip = $principal_ip |
Ensures the principal IP address is within common private IP ranges:
|
|
$e.principal.ip = $principal_ip |
Captures the principal IP address involved in the event |
|
$e.target.ip = $target_ip |
Captures the target IP address involved in the event |
|
$e.security_result.action != "BLOCK" |
Focuses on events that were not blocked, indicating potential successful exploits or attacks. |
|
$e.security_result.summary = $signature |
Captures the summary or description of the security event |
|
not $e.principal.ip in %vulnerability_scanners |
Excludes events originating from known vulnerability scanners, focusing only on potential malicious activities not associated with authorized scanning. |
|
Match | principal_ip over 10m |
Rule looks for matching events involving the same principal IP within a 10-minute window |
condition | (#target_ip >=5 and #signature =1) or (#target_ip =1 and #signature >=10 ) |
Condition triggers if there are at least 5 unique target IPs and exactly 1 unique exploit or attack pattern (signature) is detected. Condition triggers if there is exactly 1 unique target IP and at least 10 unique exploit or attack patterns (signatures) are detected. |
- Copy the rule syntax to the clipboard using the copy icon and paste it wherever required.
- Using the ellipses icon ,
- Find & Replace the content in the rule.
- Compare the rules using Compare Versions, if the previous versions are available.
7. Click Verify Rule at the top of the Rule Editor.
Once the rule syntax is verified, the Test Rule button is shown.
8. Click Test Rule and select from date to to date and appropriate tenant from the drop-down list.
9. Select Rule Type under When should this rule be active.
-
- Real-time: a live instance
- Scheduled: fixed at a specific time period
10. (Optional) Add Tags for the following fields, wherever applicable, under Metadata.
Tags |
Descriptions |
MITRE Attack |
|
Tactics |
Represents deliberate actions or strategies used to achieve specific goals. Refer to this article for more information. |
Technique |
Represents specific methods employed to carry out objectives within a tactic. Refer to this article for more information. |
Sub-technique |
A sub-technique is a more specific adversary action. For example, a technique such as Process Injection has 11 sub-techniques to cover (in more detail) the variations of how adversaries have injected code into processes. Note: Multiple selections are allowed. |
Data Source | Represents a source of structured or semi-structured data used for analysis, reporting, or integration. |
Threat | |
Threat Actor |
Refers to a an individual, group or organization that conducts malicious activities like cyber attacks with the intent to compromise or exploit computer systems or networks. Note: Multiple selections are allowed. |
Malware |
Refers to, in the context of MITRE, malicious software designed to disrupt, damage or gain unauthorized access to computers or networks. Note: Multiple selections are allowed. |
Tool |
A type of tool or device to which a model belongs to. Note: Multiple selections are allowed. |
Risk |
|
Vulnerability |
A weakness, flaw or other shortcoming in a system (infrastructure, database or software), but it can also exist in a process, a set of controls, or simply just the way that something has been implemented or deployed. Note: Multiple selections are allowed. |
Telemetry Source | |
Logsource Type |
A type of source where logs originate from. Note: Multiple selections are allowed. |
Product/Vendor |
The type of vendor to whom this rule belongs to. Note: Multiple selections are allowed. |
Custom | |
Custom |
A special modification of an existing tag. Note: Multiple selections are allowed. |
Signal Specifications | |
Confidence | Denotes the percentage of probability that a signal carries risk or not. |
Severity |
Defines the severity of a model. Allowed values are High, Medium, and Low. |
False Positive Scenario |
For every behavior, there are a few scenarios in which the detection would be legitimate. So we would keep those details here and recommend to the user that they baseline the expected behavior using reference lists. |
Check Box left to Subject from Native Signal |
It helps you apply subject as static values for some detection rules, and for some rules that are intended to only convert native signals from devices like EDR, and antivirus where you cannot apply subject as static behavior. In such cases, leverage external subject from native signal checkbox to pickup MITRE details from UDM event in chronicle while transforming the signal. |
Check Box left to Mitre from Native Signal |
It helps you apply Tactic & Techniques as static values for some detection rules, and for some rules that are intended to only convert native signals from devices like EDR, and antivirus where you can not apply tactics and techniques as static behavior. In such cases, leverage the external native MITRE checkbox to pickup MITRE details from the UDM event in chronicle while transforming the signal. |
11. Click Save as draft to save the changes. (or)
12. Click Send for Review.
The rule will be sent to Publisher for review and the rule state is moved to Under Review.
Publishing Detection Rules
User Permissions Required
A Publisher from these categories such as Domain, Organization, and Tenant can publish rules.
To publish a Rule:
-
Do one of the following to access Configurations:
- Click the Configurations icon at the top navigation bar.
- Click the hamburger menu on the left and select CONFIGURATIONS.
- Click Detection Policies, under Signals.
- In the Detection Policies listing page, click the rule that is Under Review state.
- Verify the Rule syntax and other significant details in the rule.
- Do the following:
-
- Click Approve if the rule syntax is appropriate.
The rule will be moved to the Approved (for version 1 only) / Ready to Publish (versions more than one) state once it is approved. - Click Request Changes, if the rule is not appropriate.
The rule was sent back to the creator for changes and moved to the Request Changes state. - Click Edit at the top, if you wish to modify any details of a rule.
- Click Save as draft.
The status changes to draft (or) - Click Send for Review.
The status changes to Under Review.
- Click Approve if the rule syntax is appropriate.
Note: Approved state is only applicable for the rules with version no# 1. The rules with version no # greater than one will be moved to the Ready to Publish state once they are approved.
Adding a Content Pack to Detection Rule
To publish a rule, you must add at least one content pack that you have subscribed to. The publisher can add packs to any rule that is in an approved, or draft, or ready-to-publish state.
Content packs are added to a rule in two ways:
Adding a content pack to a rule
To add a content pack to a rule,
- On the Detection Rules listing page, you can only associate packs with rule(s) in few states:
- If the customer selected the Approval work flow, these states are applicable:
- Approved state: Use Add to Packs button to associate packs to rules, on the Detection rules page.
- Ready to Publish state: Use Edit associated packs to add more packs to rules. This option is visible only when you click the Associated Packs button, on the Detection rules page.
- If the customer did not select the Approval workflow, then these states are applicable.
- Draft state: Use Add to Packs button to associate packs to rules, on the Detection rules page.
- Ready to Publish state: Use Edit associated packs to add more packs to rules. This option is visible only when you click the Associated Packs button, on the Detection rules page.
- If the customer selected the Approval work flow, these states are applicable:
- Click Add to Packs at the top right corner.
A side panel appears on the screen. In the associated pack window, you can see the following columns:.
- Pack Name: The name of a pack
-
Status: The status of the pack. Possible values:
- Unpublished changes
- All changes published
- Rules Associated: Total number of rules associated with the pack.
- Accounts Associated: The total number of organizational or domain accounts associated with the pack.
Note:
-
- This column name is applicable to only organizations or domains.
- If the rule is in Ready to Publish state, you can publish this rule from the Associated packs side panel.
3. Select one or more packs to associate with a rule. For more information on packs, refer to this article.
4. Click on any of the following options:
-
- Associate & Publish: Packs are associated, and the rule is published.
-
Associate: Packs are associated only, but the rule is not published.
After the packs are associated with a rule, you can view the associated packs by clicking Associated Packs at the top of the rule. Also, you can add or remove the associated packs using Edit associated packs at the top of the window.
Filtering Detection rules
Use this procedure to filter the detection rules based on the search criteria.
-
Do one of the following to access Configurations:
- Click the Configurations icon at the top navigation bar.
- Click the hamburger menu on the left and select CONFIGURATIONS.
- Click Detection Policies, under Signals. The Detection Rules listing page appears.
- Click the filter icon to expand the filter options.
- Select the label, operator and value. You can add multiple filters to filter the detection rules by the given criteria. For instance, the label is Rule Name and the operator selected is Equals and the value entered is "Chronicle rules", then this will display all the rules matching the value, that is Chronicle rules.
- Click Apply Filters to see the results.
To add a content pack to a rule, refer to configuring a pack.
To create a new version of the published or disabled rules, refer to Versioning a rule
In addition to configuring, you can always simulate, clone, version, disable, edit, delete, find, and filter rules to manage your detection policies effectively.
Comments
0 comments
Please sign in to leave a comment.