YARA-L question

Just a question: we are ingesting MISP logs through the ingestion API. We have the fields parsing now and we can search for them in raw log search. We cannot, however, find any field using UDM search. How would we be able to utilize this in YARA-L rules?

ACCEPTED SOLUTION

Assuming those MISP indicators are in the entity graph, then they are available for rule writing. We are working to improve the visibility of these entities so that raw search is not the only method of seeing them, but for the moment that is your best reference point for the entities themselves.

Here is an example of putting that data into practice. Obviously, the field placement will depend on your parsing. There are other examples in the community rules under threat intel, but here is one. In this case we have joined our DNS events with our MISP data and then looked for the value "C2 domains" in the entity's metadata.threat.summary field.

https://github.com/chronicle/detection-rules/blob/main/community/threat_intel/ioc_domain_C2.yaral

/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule ioc_domain_C2 {

  meta:
    author = "Google Cloud Security"
    description = "Detect DNS events that indicate communication to a C2 domain in MISP"
    type = "alert"
    tags = "threat indicators"
    assumption = "Assumes MISP data has been ingested into entity graph; this rule can be modified to utilize other TI indicators"
    data_source = "microsoft sysmon"
    severity = "High"
    priority = "High"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.network.dns.questions.name = $dns_query

    // Correlates with MISP data; can be modified based on your MISP parser or other TI
    $ioc.graph.metadata.product_name = "MISP"
    $ioc.graph.metadata.entity_type = "DOMAIN_NAME"
    $ioc.graph.metadata.source_type = "ENTITY_CONTEXT"
    //Summary is used to focus on a specific subset of MISP indicators, can modify as needed
    $ioc.graph.metadata.threat.summary = "C2 domains"
    $ioc.graph.entity.hostname = $dns_query

  match:
    $dns_query over 5m

  outcome:
    $risk_score = max(85)
    $event_count = count_distinct($dns.metadata.id)
    $network_dns_questions_name = array_distinct($dns.network.dns.questions.name)
    $network_dns_answers_data = array_distinct($dns.network.dns.answers.data)
    // added to populate alert graph with additional context
    $principal_ip = array_distinct($dns.principal.ip)
    $target_ip = array_distinct($dns.target.ip)
    $principal_process_pid = array_distinct($dns.principal.process.pid)
    $principal_process_file_full_path = array_distinct($dns.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($dns.principal.process.product_specific_process_id)
    $principal_user_userid = array_distinct($dns.principal.user.userid)
    $principal_process_command_line = array_distinct($dns.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($dns.principal.process.file.sha256)
    $principal_process_parent_process_product_specific_process_id = array_distinct($dns.principal.process.parent_process.product_specific_process_id)


  condition:
    $dns and $ioc
}
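To make the join in that rule concrete, here is an added Python simulation (not part of the original post and not code from the chronicle/detection-rules project) that applies the same logic to constructed sample UDM DNS events and MISP entity records: filter entities to product_name MISP / DOMAIN_NAME / ENTITY_CONTEXT / threat.summary "C2 domains", join on the queried hostname, group by $dns_query within a window, and compute the outcome aggregates. The field names mirror the UDM paths in the rule; the sample events, entities and helper functions are assumptions for the demonstration, and `over 5m` is approximated as fixed five-minute buckets, which is a simplification of the YARA-L match window.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 5 * 60  # approximation of "match: $dns_query over 5m"


def dns_event(eid, ts, qname, answer, src_ip, user):
    """Constructed UDM-style NETWORK_DNS event (sample data, not real telemetry)."""
    return {
        "metadata": {"id": eid, "event_type": "NETWORK_DNS", "event_timestamp": ts},
        "network": {"dns": {"questions": [{"name": qname}], "answers": [{"data": answer}]}},
        "principal": {"ip": [src_ip], "user": {"userid": user}},
    }


def domain_entity(product, hostname, summary):
    """Constructed entity-graph record shaped like the $ioc.graph.* fields in the rule."""
    return {"graph": {
        "metadata": {"product_name": product, "entity_type": "DOMAIN_NAME",
                     "source_type": "ENTITY_CONTEXT", "threat": {"summary": summary}},
        "entity": {"hostname": hostname},
    }}


# Constructed sample data: two lookups of the C2 domain inside one 5-minute bucket,
# one lookup of it later, plus lookups that must NOT match (wrong summary, wrong
# product, or a domain that is not in the entity graph at all).
DNS_EVENTS = [
    dns_event("evt-1", "2024-01-01T10:00:05Z", "bad-c2.example", "203.0.113.10", "10.0.0.5", "alice"),
    dns_event("evt-2", "2024-01-01T10:02:30Z", "bad-c2.example", "203.0.113.10", "10.0.0.7", "bob"),
    dns_event("evt-3", "2024-01-01T10:03:00Z", "phish.example", "203.0.113.20", "10.0.0.5", "alice"),
    dns_event("evt-4", "2024-01-01T10:03:10Z", "other.example", "203.0.113.30", "10.0.0.9", "carol"),
    dns_event("evt-5", "2024-01-01T10:12:00Z", "bad-c2.example", "203.0.113.11", "10.0.0.5", "alice"),
    dns_event("evt-6", "2024-01-01T10:12:05Z", "benign.example", "198.51.100.1", "10.0.0.5", "alice"),
]

MISP_ENTITIES = [
    domain_entity("MISP", "bad-c2.example", "C2 domains"),
    domain_entity("MISP", "phish.example", "Phishing domains"),   # excluded by summary filter
    domain_entity("OtherTI", "other.example", "C2 domains"),      # excluded by product filter
]


def c2_domains(entities):
    """Equivalent of the $ioc.graph.* predicates: keep only MISP C2 domain entities."""
    hosts = set()
    for e in entities:
        md = e["graph"]["metadata"]
        if (md["product_name"] == "MISP" and md["entity_type"] == "DOMAIN_NAME"
                and md["source_type"] == "ENTITY_CONTEXT"
                and md["threat"]["summary"] == "C2 domains"):
            hosts.add(e["graph"]["entity"]["hostname"])
    return hosts


def run_rule(events, entities):
    """Join NETWORK_DNS events to C2 entities on the query name and aggregate per window."""
    hosts = c2_domains(entities)
    groups = defaultdict(list)  # key: ($dns_query, window bucket)
    for ev in events:
        if ev["metadata"]["event_type"] != "NETWORK_DNS":
            continue
        ts = datetime.strptime(ev["metadata"]["event_timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = int(ts.replace(tzinfo=timezone.utc).timestamp() // WINDOW_SECONDS)
        for q in ev["network"]["dns"]["questions"]:
            if q["name"] in hosts:  # $ioc.graph.entity.hostname = $dns_query
                groups[(q["name"], bucket)].append(ev)

    detections = []
    for (query, _bucket), evs in sorted(groups.items()):
        detections.append({
            "dns_query": query,
            "risk_score": 85,  # max(85) in the outcome section
            "event_count": len({e["metadata"]["id"] for e in evs}),
            "network_dns_answers_data": sorted({a["data"] for e in evs
                                                for a in e["network"]["dns"]["answers"]}),
            "principal_ip": sorted({ip for e in evs for ip in e["principal"]["ip"]}),
            "principal_user_userid": sorted({e["principal"]["user"]["userid"] for e in evs}),
        })
    return detections


if __name__ == "__main__":
    for d in run_rule(DNS_EVENTS, MISP_ENTITIES):
        print(d)
```

Running it yields two detections for bad-c2.example: one covering evt-1 and evt-2 (two distinct event ids, two principal IPs, two users) and a separate one for evt-5 in the later window, while phish.example, other.example and benign.example produce nothing. That is the behaviour to expect from the rule once the entities are actually present in the graph: if a raw search shows the MISP records but the rule never fires, compare the entity's hostname and threat.summary values against what the parser emits before changing anything else.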


3 REPLIES

Hi @SoarMike,

I'd recommend checking out this blog series by @jstoner that walks through how to utilize MISP indicators in YARA-L rules.

At the beginning of part one, John demonstrates how to validate that the MISP indicators are being ingested into Google SecOps as "entities" that can be used in YARA-L rules.


Thanks for the information @jstoner and @David-French. We determined the parser was fine; we just were not finding matches on the logs, as we are still setting them up.