This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Feed configuration -Yara Rule

Posted 2 weeks ago
Rached1996
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello community , i want to ask if there is any possibility to develop a yara rule that detect if any change have been made on FEEDs , for example if a user changes a feed secret key.
Thanks for help

Solved Solved
1 2 108
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
cmorris
Staff
Reply posted on --/--/---- --:-- AM

You would focus principal.user.attribute.permissions.name on the below values.

cmorris_0-1744900659175.png

So for a basic rule just focused on updating feeds, you might start with something like this and then update it to include additional info via an outcome section:

rule secops_feed_updated {
  meta:
    author = "gcs"
    description = "Detect updates to SecOps feeds"
    severity = "Low"

  events:
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.product_name = "Google Cloud Platform"
    $e.principal.user.attribute.permissions.name = "chronicle.feeds.update"

  condition:
    $e
}

 

View solution in original post

Jump to Solution
2 REPLIES 2
Top Solution Authors
View all