I have a query in relation to the following document:
https://cloud.google.com/chronicle/docs/reference/udm-field-list
The docs say the following:
When writing rules for Detect Engine, use the <prefix> pattern $event for Event fields and $entity for Entity fields. For example:
Now I can't understand why `principal.user.location.city` is prefixed with `$event`.
`principal` is a noun in UDM. So why is `principal.user.location.city` prefixed with `$event`?
Can you please help me fill the gap in my understanding.
In YARA-L every field needs to be mapped. For a rule that is only looking at a single event, this may seem like overkill, but as we get into rules that contain multiple events (or entities), we need a way to identify that event1 pertains to process launch events, event2 is network HTTP events, entity1 is a Safe Browsing entity, and so forth.
The $event or $entity in the example above are referred to as event variables. These are seen all over rules and are sometimes shortened to $e and $u in the documentation. I personally prefer using something more descriptive, i.e. $process or $network, as these event variables can also be seen in the detection and make it simpler to read and see which events pertain to the process portion of a detection versus the network portion, for example.
Here is a short video I put together on YARA-L variables as well:
Hope this helps!
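To make the point above concrete, here is an added YARA-L 2.0 rule (not from the original question, answer, or the Chronicle docs) that binds two event variables and one entity variable. The variable names `$process`, `$network` and `$user_ctx` are arbitrary labels chosen for readability; the UDM noun (`principal`, `target`, `graph.entity`) is still what follows the variable. The hostname/userid join, the 10-minute window and the `example.test` URL pattern are constructed for illustration.

```yaral
rule process_launch_followed_by_http_example {
  meta:
    author = "added example, not from the original post"
    description = "Shows event variables naming the event, with the UDM noun (principal, target) following"
    severity = "LOW"

  events:
    // $process is an event variable: "the process launch event".
    // principal is the UDM noun describing who/what performed the action.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.user.userid = $user
    $process.principal.hostname = $host

    // $network is a second event variable: "the HTTP event" from the same host.
    // Same UDM noun (principal), different event, so a different prefix.
    $network.metadata.event_type = "NETWORK_HTTP"
    $network.principal.hostname = $host
    re.regex($network.target.url, `example\.test`)  // constructed pattern, not a real indicator

    // $user_ctx is an entity variable: entity context fields sit under graph.*
    // and are joined to the events on the same userid placeholder.
    $user_ctx.graph.metadata.entity_type = "USER"
    $user_ctx.graph.entity.user.userid = $user

  match:
    // Group the events by user and host within a 10 minute window.
    $user, $host over 10m

  condition:
    $process and $network and $user_ctx
}
```

Reading the rule top to bottom, `$process.principal.hostname` and `$network.principal.hostname` are the same UDM field path on two different events; only the event variable tells the engine which event each constraint applies to, which is why a single-event rule still carries a prefix such as `$event` on `principal.user.location.city`.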