Detection rule won't match IOC domains uploaded to Entity Graph

Hey there,
I'm posting this hoping to find answers (and possibly a solution): in the last few weeks I've been trying to upload IOC domains to SecOps using the method described here (https://medium.com/@thatsiemguy/ioc-matching-in-chronicle-siem-45a97c0b91a8), but I really can't get the POST request to work.
Allow me to elaborate. I'm posting to the endpoint "https://malachiteingestion-pa.googleapis.com/v2/entities:batchCreate" (documented here: https://cloud.google.com/chronicle/docs/reference/ingestion-api#createentities) and passing a hostname-valued entity as the article suggests, but although the API request is successful, I can't find the domain using a raw log search, and our YARA-L rule won't match any log containing that domain.
Now, what got the domain uploaded to SecOps was to use a different structure. Instead of this:
 
"entity": {
    "hostname": "test.com"
}
 
I've added the domain in a domain object while keeping the original hostname key (although this doesn't seem to change anything, the domain object is enough):
 
"entity": {
    "domain": {
        "name": "test.com"
    },
    "hostname": "test.com"
}
 
Now I can find test.com using a raw log search and see it being matched in the "Alerts & IOC" page. The real issue here is that our test rule (on which all our production rules, awaiting deployment ASAP, will be based) doesn't match any log.
I've already made sure that our rule is correct and that all credentials have the right permissions. I'm sure we're talking about an issue related to the event structure, but I don't know which way to turn.
 
Would anyone be so kind as to give me a hint on this? Your help would be greatly appreciated.
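For anyone reproducing the upload described in the post, here is an added example (not the poster's code) that builds an entities:batchCreate body in the structure the post found to be accepted, a "domain" object with "name" plus the "hostname" key, and runs a pre-flight check that no entity was left with only "hostname". The outer fields customer_id, log_type and the metadata block (collected_timestamp, entity_type) are assumptions taken from the linked ingestion-API reference, not from the post; the bearer token and customer id are placeholders.

```python
import json
import urllib.request
from datetime import datetime, timezone

ENTITIES_ENDPOINT = "https://malachiteingestion-pa.googleapis.com/v2/entities:batchCreate"


def normalize_domain(value: str) -> str:
    """Lower-case, strip whitespace and a trailing dot so 'Test.COM.' equals 'test.com'."""
    return value.strip().lower().rstrip(".")


def build_entity(domain: str, collected_at: str) -> dict:
    """One entity in the working shape from the post: domain.name plus the hostname key."""
    name = normalize_domain(domain)
    return {
        "metadata": {  # assumed from the API reference, not shown in the post
            "collected_timestamp": collected_at,
            "entity_type": "DOMAIN_NAME",
        },
        "entity": {
            "domain": {"name": name},
            "hostname": name,
        },
    }


def build_batch_body(domains, customer_id: str, log_type: str, collected_at=None) -> dict:
    """Deduplicate the IOC list and wrap it in the batchCreate request body (outer fields assumed)."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    unique = sorted({normalize_domain(d) for d in domains if d.strip()})
    return {
        "customer_id": customer_id,
        "log_type": log_type,
        "entities": [build_entity(d, collected_at) for d in unique],
    }


def entity_is_matchable(entity: dict) -> bool:
    """Pre-flight check: the post reports that an entity with only 'hostname' is not searchable."""
    return bool(entity.get("entity", {}).get("domain", {}).get("name"))


def post_batch(body: dict, bearer_token: str) -> int:
    """POST the body and return the HTTP status; needs a valid OAuth token, so it is not run here."""
    req = urllib.request.Request(ENTITIES_ENDPOINT, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```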