Risk Score of an alert based on number of documents (with a maximum cap)

Hello,

I am looking for a way to have a more dynamic risk score value for custom detections. For an alert about downloading logs, I would like to have the $risk_score go up when there are more unique files downloaded. I am trying with min() and if() with no luck. Here is the code:

$n_files = count_distinct($udm_download.target.resource.name)  //number of unique file downloads

$risk_score = $base_score + min($n_files/50, 20) //If less than 1000 docs, add a value based on the number of unique docs, if more than 1000 docs, it will max out at 20 extra score.

This approach does not work:

parsing: invalid number of arguments for min

$risk_score = $base_score + if($n_files/50>20, 20, $n_files/100) //If less than 1000 docs, it should return the $nfiles/100 value, if more than 1000 docs it caps out at 20 extra score.

This approach also does not work:

parsing: Only placeholders, event fields, and constants are allowed in else clause

Is there any way or function that I am missing? Thanks.
ACCEPTED SOLUTION

Hi @UriJ,

How about approaching it like the below method:

rule TEST_INCRMENT {
  meta:
    rule_version = "1.7"
    author       = "Ayman C"
  events:
    $udm.principal.asset.hostname = $Hostname
    $udm.metadata.event_timestamp.seconds = $EventTimestamp
    $udm.metadata.log_type = "ZEEK"
  match:
    $Hostname over 1h
  outcome:
    // Base score 60, +10 on day 1 and day 7 (weekend), +10 outside 07:00-17:59 GMT
    $risk_score = max(60 +
      if (01 = timestamp.get_day_of_week($EventTimestamp, "GMT"), 10) +
      if (07 = timestamp.get_day_of_week($EventTimestamp, "GMT"), 10) +
      if ((timestamp.get_hour($EventTimestamp, "GMT") >= 0 and timestamp.get_hour($EventTimestamp, "GMT") <= 6), 10) +
      if ((timestamp.get_hour($EventTimestamp, "GMT") >= 18 and timestamp.get_hour($EventTimestamp, "GMT") <= 24), 10))
    // Distinct files per host in the 1h window, then fixed bumps at fixed thresholds
    $n_files = count_distinct($udm.target.resource.name)
    $OtherIncrment = if($n_files / 40 >= 20, 1, 0) +
                     if(($n_files / 40 >= 100), 2, 0)
  condition:
    $udm and ($OtherIncrment >= 1 and $risk_score > 60 or $OtherIncrment > 1)
}

Kind Regards,

Ayman
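To make the two scoring schemes in this thread concrete, here is an added Python model (not code from the thread, and not YARA-L): it buckets constructed UDM-shaped events per host over 1h windows, counts distinct target.resource.name values, and computes both the capped linear increment the question asked for and the threshold ladder in the answer above. It assumes the answer's day_of_week values 1 and 7 are Sunday and Saturday and that the weekend and off-hours bumps add 10 each, as in the rule above.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed UDM-shaped sample events (hostname, event_timestamp seconds, file name).
# Not real telemetry: host-a downloads 1500 distinct files, host-b downloads two.
SAMPLE_EVENTS = [("host-a", 1700308800, f"report-{i:04d}.pdf") for i in range(1500)] + [
    ("host-b", 1700308800 + 60, "readme.txt"),
    ("host-b", 1700308800 + 120, "readme.txt"),  # same name again: not distinct
    ("host-b", 1700308800 + 180, "notes.txt"),
]

def capped_linear_increment(n_files, per_files=50, cap=20):
    """What the question asked for: +1 per 50 distinct files, capped at +20 (1000 files)."""
    return min(n_files / per_files, cap)

def step_increment(n_files):
    """The accepted answer's ladder: fixed bumps once fixed thresholds are crossed."""
    return (1 if n_files / 40 >= 20 else 0) + (2 if n_files / 40 >= 100 else 0)

def time_of_day_bumps(ts_seconds):
    """Weekend (+10) and off-hours (+10) bumps, mirroring the answer's if() chain.
    Assumption: the answer's day_of_week values 1 and 7 mean Sunday and Saturday."""
    dt = datetime.fromtimestamp(ts_seconds, tz=timezone.utc)
    bump = 10 if dt.isoweekday() in (6, 7) else 0
    if dt.hour <= 6 or dt.hour >= 18:
        bump += 10
    return bump

def score_by_host(events, base_score=60, window_s=3600):
    """Bucket events per (hostname, 1h window) like 'match: $Hostname over 1h',
    count distinct file names, and return both scoring variants per bucket."""
    names_in_bucket = defaultdict(set)
    first_ts = {}
    for host, ts, name in events:
        key = (host, ts // window_s)
        names_in_bucket[key].add(name)
        first_ts.setdefault(key, ts)
    results = {}
    for key, names in names_in_bucket.items():
        n = len(names)
        bumps = time_of_day_bumps(first_ts[key])
        results[key] = {
            "n_files": n,
            "capped_linear": base_score + bumps + capped_linear_increment(n),
            "stepped": base_score + bumps + step_increment(n),
        }
    return results
```

On the sample data, host-a (1500 distinct files on a Saturday at 12:00 GMT) scores 90 under the capped linear scheme but 71 under the ladder, which shows the coarseness you trade for staying within what if() accepts in an else clause.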

REPLIES

Hello,

Thanks for the reply AymanC, this works well enough since I can create multiple if statements and keep adding sections for a distributed risk score.

Thanks, I will mark it as solution.

Kind regards,

UriJ