Feed configuration - YARA rule

Hello community, I want to ask if there is any possibility to develop a YARA rule that detects if any change has been made on feeds, for example if a user changes a feed secret key.
Thanks for the help.

Solved
1 ACCEPTED SOLUTION

You would focus principal.user.attribute.permissions.name on the below values.

(screenshot of the permission values: cmorris_0-1744900659175.png)

So for a basic rule just focused on updating feeds, you might start with something like this and then update it to include additional info via an outcome section:

rule secops_feed_updated {
  meta:
    author = "gcs"
    description = "Detect updates to SecOps feeds"
    severity = "Low"

  events:
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.product_name = "Google Cloud Platform"
    $e.principal.user.attribute.permissions.name = "chronicle.feeds.update"

  condition:
    $e
}
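As an added example (not the poster's code), the same rule extended with the match and outcome sections the reply alludes to, so a single alert per user per hour carries the event types, source IPs and touched resources. It assumes the feed-management IAM permission names chronicle.feeds.create and chronicle.feeds.delete alongside the chronicle.feeds.update shown above, and that the GCP_CLOUDAUDIT parser populates target.resource.name for these events.

```yara
rule secops_feed_changed_with_context {
  meta:
    author = "example"
    description = "Detect create/update/delete of SecOps feeds, grouped per user"
    severity = "Low"

  events:
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.product_name = "Google Cloud Platform"
    // Assumption: create and delete permission names follow the same
    // chronicle.feeds.* pattern as the update permission seen in the audit log.
    $e.principal.user.attribute.permissions.name = /^chronicle\.feeds\.(create|update|delete)$/
    // Group on the acting user so a burst of changes becomes one detection.
    $e.principal.user.user_display_name = $user

  match:
    $user over 1h

  outcome:
    // How many feed changes this user made inside the window.
    $change_count = count($e.metadata.id)
    // Which API operations were involved (e.g. the Chronicle feed methods).
    $event_types = array_distinct($e.metadata.product_event_type)
    // Where the changes came from, useful for spotting an unexpected network.
    $source_ips = array_distinct($e.principal.ip)
    // Assumption: the parser maps the affected feed into target.resource.name.
    $feed_resources = array_distinct($e.target.resource.name)
    $permissions_used = array_distinct($e.principal.user.attribute.permissions.name)

  condition:
    $e
}
```

Raising the severity when $change_count is high or $source_ips is outside your admin ranges is a natural next step once the baseline rule has been running for a while.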


2 REPLIES

This is a stats search I shared with a customer in the past to look for admin actions. I believe you could take this, focus it on feed actions, and then modify it for use in a rule. I can give that a shot later today as well.

metadata.log_type = "GCP_CLOUDAUDIT"
metadata.product_name = "Google Cloud Platform"
metadata.product_event_type = /chronicle/
principal.user.user_display_name = $user
principal.user.attribute.permissions.name = $perm
timestamp.get_timestamp(metadata.event_timestamp.seconds) = $date
match:
  $user, $date
outcome:
  $permUsed = array_distinct($perm)
order:
  $date desc
