This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

How to refer to reference list in Google Chronicle?

Posted on 07-17-2024 09:57 AM
CyberSnacker82
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello! I'm working on a query in Sumo Logic and need some guidance on how to refer to reference lists. I've created a reference list that updates daily with a list of known beaconing servers. Here's the query I have so far:

$e.metadata.event_type = "NETWORK_DNS"
$e.principal.hostname = $host
$e.network.dns.questions.name in %reference_list

match:
$host over 4h

condition:
$e

My goal is to check if hosts are connecting to the domains listed in the reference list. It shows that no detections are being found -- I feel like I am missing an aspect on this query. I have tried to change the match to be $host, %reference_list over 4h, but it doesn't seem to be working. 

Thank you!

0 1 553
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
chrisd2
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello CyberSnacker82, you can take a DNS raw log as received in Google SecOps, copy & manually edit it (modify hostname with a value to easily find it afterwards, modify the DNS question with something that is in your RefList) and re-ingest it in SecOps.

Boom you just tested your detection rule ! ๐Ÿ™‚

Top Solution Authors
View all