Detection Rule Creation

Hey all, I'm attempting to create a detection rule that brings in data across 3 different log_types:

  • Azure_AD 
  • Microsoft Defender Endpoint
  • Microsoft Graph Alert

When I start to add Azure_AD into the mix, I run into an error that says "validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (azure_event), (graph_event), (mde_event)".

Now, looking at my logic, I'm not quite sure what the error means. What I really want, essentially, is that whenever Defender generates an alert, this detection rule will also bring in events across the other two log types based on shared fields. Is that not possible with 3 log_types, because it works perfectly if I remove Azure_AD? Any help is appreciated!

Here is my current rule:

rule microsoft_security_alerts {
  meta:
    author = "Cody Brandt"
    description = "This rule looks for MDE alerts with High or Medium severity across multiple log types"
    status = "Production"
    severity = "High"

  events:
    // Pulling all alerts created by Defender, specifically looking at the below severities
    $mde_event.metadata.log_type = "MICROSOFT_DEFENDER_ENDPOINT" and
    ($mde_event.security_result.severity = "CRITICAL" or
     $mde_event.security_result.severity = "HIGH" or
     $mde_event.security_result.severity = "MEDIUM" or
     $mde_event.security_result.severity = "LOW")

    // Creating a match variable based on the threat name that is in Defender
    $mde_event.principal.user.userid = $threat

    // Pulling all alerts created by Microsoft Graph, specifically looking at the below severities
    $graph_event.metadata.log_type = "MICROSOFT_GRAPH_ALERT" and
    ($graph_event.security_result.severity = "CRITICAL" or
     $graph_event.security_result.severity = "HIGH" or
     $graph_event.security_result.severity = "MEDIUM" or
     $graph_event.security_result.severity = "LOW")

    $azure_event.metadata.log_type = "AZURE_AD" and
    $azure_event.metadata.event_type = "USER_LOGIN"

    // Comparing events that are shared across the log_types
    ($graph_event.target.user.userid = $mde_event.principal.resource.attribute.labels["AadUserId"] or
    $mde_event.security_result.threat_name = $graph_event.security_result.rule_name or 
    $azure_event.target.user.user_display_name = $mde_event.principal.resource.attribute.labels["DisplayName"] or
    $graph_event.metadata.event_type = $azure_event.metadata.event_type)

  match:
    $threat over 30m

  condition:
    $mde_event and $graph_event and $azure_event
}

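Added example (not the original poster's rule and not taken from any reply): a version of the events section in which all three event variables are connected by equalities. The compiler error above lists each event variable as its own "joined group" because the only cross-event conditions in the original sit inside one parenthesised `or` group, and YARA-L only counts equalities combined with `and` as joins; with a third event variable added, the `or` group no longer ties them together. The field pairings below (`labels["AadUserId"]` to `target.user.userid`, `labels["DisplayName"]` to `target.user.user_display_name`) are the ones the original rule already uses and are an assumption about how the MDE, Graph and Azure AD parsers populate UDM; the `metadata.event_type` comparison between the Graph alert and the Azure AD sign-in is dropped, since the sign-in is fixed to `USER_LOGIN` and a Graph alert would only match it if it were parsed with that same event type.

```yaral
rule microsoft_security_alerts_joined {

  meta:
    author = "example"
    description = "Added example: MDE alert correlated with a Graph alert and an Azure AD sign-in for the same user"
    status = "Example"
    severity = "High"

  events:
    // Defender alert of interest (severity filter kept from the original rule)
    $mde_event.metadata.log_type = "MICROSOFT_DEFENDER_ENDPOINT"
    ($mde_event.security_result.severity = "CRITICAL" or
     $mde_event.security_result.severity = "HIGH" or
     $mde_event.security_result.severity = "MEDIUM")

    // Graph alert with the same severity filter
    $graph_event.metadata.log_type = "MICROSOFT_GRAPH_ALERT"
    ($graph_event.security_result.severity = "CRITICAL" or
     $graph_event.security_result.severity = "HIGH" or
     $graph_event.security_result.severity = "MEDIUM")

    // Azure AD sign-in
    $azure_event.metadata.log_type = "AZURE_AD"
    $azure_event.metadata.event_type = "USER_LOGIN"

    // Joins. Every event variable must be reachable from every other one through
    // equalities that are ANDed together (separate statements in this section are
    // implicitly ANDed). An OR between join conditions is not treated as a join.
    // MDE <-> Graph on the Azure AD object id (field pairing assumed, as in the original rule)
    $mde_event.principal.resource.attribute.labels["AadUserId"] = $graph_event.target.user.userid
    // MDE <-> Azure AD on the display name (field pairing assumed, as in the original rule)
    $mde_event.principal.resource.attribute.labels["DisplayName"] = $azure_event.target.user.user_display_name

    // Match variable bound to a field on the MDE event. Because the two joins above
    // tie the Graph and Azure AD events to that same MDE event, all three events in a
    // detection share this value; Graph and Azure AD are joined to each other transitively.
    $mde_event.principal.resource.attribute.labels["AadUserId"] = $aad_user_id

  match:
    $aad_user_id over 30m

  condition:
    $mde_event and $graph_event and $azure_event
}
```

Before relying on this, confirm in UDM search that the MDE alert events actually carry the `AadUserId` and `DisplayName` labels and that the Graph and Azure AD events populate the paired `target.user` fields; a join on a field that is empty on one side simply never matches, and the rule will compile cleanly but produce no detections.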