Building a rule to detect malicious domains

Hello everyone,

I'm building a rule that detects malicious domains by matching them against VirusTotal.

However, there is a big issue with it.

I ingested 26 logs to Chronicle in order to test the rule.

25 logs contain malicious domains and just one of them is not malicious.

The problem is that my rule detects 22 domains (1 of them is not malicious) but ignores 4 malicious domains.

Can you please take a look at my rule and tell me if there is something wrong about it?

Thank you in advance!


// Multi-event YARA-L 2.0 rule: joins a Cisco Umbrella DNS event ($e) with a
// VirusTotal Relationships entity-graph record ($vt) on the queried domain name,
// groups the results per domain over a 10-minute window, and emits one detection
// per domain for which both sides of the join are present.
rule ioc_cisco_umbrella_dns {
  meta:
    author = "NastyaS"
    description = "Detects DNS requests to malicious domains with Cisco Umbrella"
    short_description = "Cisco Umbrella alert on DNS Malicous Domains"
    severity = "Medium"
    priority = "Medium"
    status = "Testing"
    created_date = "2023-12-11T17:30:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    // NOTE(review): the events section filters on UMBRELLA_DNS / NETWORK_DNS, so
    // "Firewall events" does not describe the actual data source — consider aligning.
    data_source = "Firewall events"
    confidence_threshold = "50"
    category = "Traffic"
    subcategory = "Local to Remote"

    events:
        // Restrict $e to Cisco Umbrella DNS log records of DNS event type.
        $e.metadata.log_type = "UMBRELLA_DNS"
        $e.metadata.event_type = "NETWORK_DNS"
 
        $e.network.application_protocol = "DNS"
        // $dns_query is the join key shared with the $vt context record below and the
        // match variable. The join is an exact string comparison, so any difference
        // between the queried name and the name stored in the VT graph (case, a
        // trailing dot, a subdomain vs. the registered domain) prevents a match —
        // a candidate explanation for malicious domains the rule does not report;
        // verify by comparing the raw values on both sides.
        $e.network.dns.questions.name = $dns_query
        $e.network.dns.questions.name != ""
        // Allow-lists: a queried domain in %Safe_domains or a source IP in
        // %General_safe_IPs suppresses the event entirely.
        not $e.network.dns.questions.name in %Safe_domains
        not $e.principal.ip in %General_safe_IPs
        // $ip is assigned here but is not referenced in match or outcome —
        // presumably intended for grouping later; confirm it is still needed.
        $e.principal.ip = $ip
 
        // get virus total data
        // Restrict $vt to entity-graph context records from the VirusTotal
        // Relationships feed.
        $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
        $vt.graph.metadata.vendor_name = "VirusTotal"
        $vt.graph.metadata.product_name = "VirusTotal Relationships"
        // NOTE(review): this only requires that a VT graph entry of entity type
        // DOMAIN_NAME exists for the queried name with a CONTACTS relation. A
        // CONTACTS relation presumably records that some VT entity contacted the
        // domain; it is not itself a verdict on the domain, so a benign domain that
        // appears as a contact of a flagged sample would also match — a likely source
        // of the non-malicious hit. Confirm in the VT Relationships graph schema
        // whether a domain verdict / detection-count field is available to join on.
        (
            $vt.graph.relations.relationship = "CONTACTS"
            and $vt.graph.relations.entity.domain.name = $dns_query
            and $vt.graph.relations.entity_type = "DOMAIN_NAME"
        )
       
    match:
        // Group by queried domain; one detection per domain per 10-minute window.
        $dns_query over 10m

    outcome:
        // Constant risk score (max over a single constant is always 85).
        $risk_score = max(85)    
        // De-duplicated arrays of the matched domain, the raw question names and
        // the requesting source IPs for the detection / SOAR payload.
        $soar_rule_entities = array_distinct($dns_query)
        $network_dns_questions_name = array_distinct($e.network.dns.questions.name)
        $principal_ip = array_distinct($e.principal.ip)

    condition:
        // Both the DNS event and the VT context record must be present (inner join);
        // a domain with no matching VT graph entry never produces a detection.
        $e and $vt
}