Hi Team
I am trying to replicate an alert that was built in Splunk.
1) The use case is to check for an anomaly in SMB traffic. For this, in Splunk we were using firewall traffic over ports 139 and 445, calculating the average and std dev between src and dest in a day, and using the outlier concept: if the traffic observed at a given point is above (avg + 2 std dev), then an alert should trigger.
Can we build this alert in YARA-L?
Is it possible to share your Splunk rule?
@dnehoda / @jstoner: Sure, here is the Splunk query:
https://research.splunk.com/network/7f5fb3e1-4209-4914-90db-0ec21b936378/
| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src
| `drop_dm_object_name("All_Traffic")`
| eventstats max(_time) as maxtime
| stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) as count avg(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null))) as stdev by src
| eval upperBound=(avg+stdev*2), isOutlier=if(count > upperBound AND num_data_samples >=50, 1, 0)
| where isOutlier=1
| table src count
| `smb_traffic_spike_filter`
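The following is an added example, not part of this thread and not the Splunk rule itself: a Python re-implementation of the baseline/outlier logic the SPL above expresses, so the statistics can be checked on known data before porting them to another rule language. It assumes a flat event schema with `_time` (timezone-aware datetime), `src`, `dest_port` and `app` fields (my assumption, standing in for the Network_Traffic data model), and the SMB events it runs over are constructed inline. It mirrors the SPL step by step: hourly buckets per src, a global `maxtime`, the last 70 minutes as the "current" window, the sample standard deviation of the earlier buckets as the baseline, `upperBound = avg + 2*stdev`, and the `num_data_samples >= 50` gate that suppresses sources with too little history.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

# Thresholds taken from the SPL rule above.
SMB_PORTS = {139, 445}
RECENT_WINDOW = timedelta(minutes=70)   # relative_time(maxtime, "-70m@m")
MIN_SAMPLES = 50                        # num_data_samples >= 50
SIGMA = 2.0                             # upperBound = avg + stdev*2


def is_smb(event):
    """Same filter as dest_port=139 OR dest_port=445 OR app=smb."""
    return event["dest_port"] in SMB_PORTS or event.get("app") == "smb"


def hourly_counts(events):
    """Return {src: {hour_bucket: count}}, i.e. tstats count by _time span=1h, src."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if not is_smb(ev):
            continue
        hour = ev["_time"].replace(minute=0, second=0, microsecond=0)
        buckets[ev["src"]][hour] += 1
    return buckets


def smb_spike_outliers(events, sigma=SIGMA, min_samples=MIN_SAMPLES):
    """Return one record per src whose latest hourly count exceeds avg + sigma*stdev."""
    buckets = hourly_counts(events)
    if not buckets:
        return []
    # eventstats max(_time) as maxtime: global across all sources, not per src.
    maxtime = max(h for per_src in buckets.values() for h in per_src)
    cutoff = maxtime - RECENT_WINDOW
    results = []
    for src, per_hour in buckets.items():
        recent = [c for h, c in per_hour.items() if h >= cutoff]   # "count"
        baseline = [c for h, c in per_hour.items() if h < cutoff]  # avg/stdev input
        num_data_samples = len(per_hour)
        # Splunk yields null avg/stdev here and the comparison is false; skip likewise.
        if not recent or len(baseline) < 2:
            continue
        avg = mean(baseline)
        sd = stdev(baseline)          # sample stdev, matching Splunk's stdev()
        count = max(recent)
        upper_bound = avg + sigma * sd
        if count > upper_bound and num_data_samples >= min_samples:
            results.append({"src": src, "count": count, "avg": avg, "stdev": sd,
                            "upperBound": upper_bound, "num_data_samples": num_data_samples})
    return results


def synthetic_events():
    """Constructed sample data (not real traffic) covering the three interesting cases."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    events = []

    def add(src, hour, n, port=445):
        for _ in range(n):
            events.append({"_time": base + timedelta(hours=hour), "src": src,
                           "dest_port": port, "app": "smb" if port in SMB_PORTS else "http"})

    for hour in range(59):                       # 59 hours of steady 8/12 alternation
        add("10.0.0.5", hour, 8 if hour % 2 == 0 else 12)
        add("10.0.0.7", hour, 8 if hour % 2 == 0 else 12)
    add("10.0.0.5", 59, 40)                      # 60 samples, last hour spikes -> alert
    add("10.0.0.7", 59, 12)                      # 60 samples, stays in range -> no alert
    add("10.0.0.5", 59, 200, port=80)            # web traffic is ignored by the filter
    for hour in range(40, 59):                   # only 20 samples of history
        add("10.0.0.9", hour, 10)
    add("10.0.0.9", 59, 50)                      # spike, but below MIN_SAMPLES -> suppressed
    return events


if __name__ == "__main__":
    for row in smb_spike_outliers(synthetic_events()):
        print(f"{row['src']}: count={row['count']} upperBound={row['upperBound']:.2f} "
              f"samples={row['num_data_samples']}")
```

Two details worth carrying over to any port of the rule: the "current" window is 70 minutes, so it catches the most recent hourly bucket plus the one before it (the `max()` over both is what the SPL compares), and `maxtime` is global, so a source that stopped talking hours ago has no recent bucket and cannot alert. For a source whose baseline is perfectly constant the stdev is zero and `upperBound` collapses to the mean, which is why the minimum-sample gate matters.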