Seeking Advice: Implementing a reliable Data Exfiltration Detection Rule in Chronicle SIEM

Hello everyone,

I am currently working on implementing a Chronicle SIEM Use Case using YARA-L to detect data exfiltration and large uploads, but I am struggling to find a reliable approach.

Challenges & Observations:

  • A threshold-based approach (e.g., simply alerting on high outbound data volume) is too imprecise and results in excessive false positives.
  • YARA-L metrics, such as metrics.network_bytes_outbound, seem promising, but I am unsure how to structure the rule effectively to differentiate between legitimate large uploads and actual data exfiltration attempts.
  • My benchmark is the data exfiltration detection capability in Cortex (Palo Alto), which works very well and reliably. I would like to achieve similar detection quality in Chronicle.

Questions for the Community:

  1. Has anyone successfully implemented a data exfiltration detection rule in Chronicle SIEM?
  2. Are there best practices for leveraging YARA-L metrics to improve detection accuracy?
  3. Any recommendations on additional signals or anomaly detection techniques that could be used to reduce false positives?

I would really appreciate any insights or experiences you can share!

Thanks in advance for your help.

Best regards,
Max

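The approach the post is circling, comparing each host's outbound volume against its own history and requiring a second signal before alerting, can be sketched outside the SIEM. The following Python is an added example, not code from the original post and not Google's or Palo Alto's; it computes the per-host baseline locally over constructed, UDM-like records (timestamp, hostname, destination IP, sent bytes), which in Chronicle is the role a metrics function such as metrics.network_bytes_outbound plays inside a YARA-L outcome section. The thresholds (z-score of 3, a 100 MB floor, 3x destination fan-out) and the four workstation scenarios are illustrative assumptions, not tuned values.

```python
"""
Baseline-deviation exfiltration detection over constructed UDM-like events.
A host alerts only when its outbound volume for the detection day is anomalous
versus its own 30-day history AND a corroborating signal fires: a first-seen
destination or an unusual number of distinct destinations. A large upload to a
known destination, and a small upload to a new one, both stay quiet.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev


def build_sample_events():
    """Constructed sample telemetry (not real data): (timestamp, host, dst_ip, sent_bytes)."""
    base = datetime(2024, 1, 1, 10, 0)
    events = []
    for day in range(30):  # 30 days of normal activity to an internal backup server
        ts = base + timedelta(days=day)
        events.append((ts, "ws-01", "10.0.0.5", 200_000_000 + day * 1_000_000))
        events.append((ts, "ws-02", "10.0.0.5", 50_000_000 + day * 500_000))
        events.append((ts, "ws-03", "10.0.0.5", 20_000_000))
        events.append((ts, "ws-04", "10.0.0.5", 30_000_000))
    day31 = base + timedelta(days=30)
    # ws-01: legitimately large (3x) upload to its usual destination -> should not alert
    events.append((day31, "ws-01", "10.0.0.5", 600_000_000))
    # ws-02: 1.5 GB to a never-seen external host -> should alert
    events.append((day31, "ws-02", "203.0.113.9", 1_500_000_000))
    # ws-03: small upload to a new host; a new destination alone is not enough -> no alert
    events.append((day31, "ws-03", "203.0.113.9", 10_000_000))
    # ws-04: 300 MB sprayed over 30 new hosts (chunked exfil) -> should alert on fan-out
    for i in range(30):
        events.append((day31, "ws-04", f"198.51.100.{i + 1}", 10_000_000))
    return events


def daily_totals(events):
    """host -> date -> {'bytes': total sent, 'dests': set of destination IPs}."""
    totals = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dests": set()}))
    for ts, host, dst, sent in events:
        bucket = totals[host][ts.date()]
        bucket["bytes"] += sent
        bucket["dests"].add(dst)
    return totals


def baseline(day_map, end, window_days=30):
    """Per-host statistics over the window_days before `end` (exclusive)."""
    start = end - timedelta(days=window_days)
    days = [v for d, v in day_map.items() if start <= d < end]
    series = [v["bytes"] for v in days] or [0]
    return {
        "mean": mean(series),
        "stdev": pstdev(series),
        "known_dests": set().union(*(v["dests"] for v in days)),
        "avg_dests": mean(len(v["dests"]) for v in days) if days else 0.0,
    }


def zscore(value, b):
    """Standard score against the host's own history; a perfectly flat history
    with any increase counts as infinitely anomalous instead of dividing by zero."""
    if b["stdev"] > 0:
        return (value - b["mean"]) / b["stdev"]
    return float("inf") if value > b["mean"] else 0.0


def evaluate(events, detection_date, window_days=30, z_threshold=3.0,
             floor_bytes=100_000_000, fanout_factor=3.0):
    """Return one finding per host whose outbound volume on detection_date is
    anomalous versus its baseline and at least one corroborating signal fires."""
    findings = []
    for host, day_map in sorted(daily_totals(events).items()):
        today = day_map.get(detection_date)
        if not today:
            continue
        b = baseline(day_map, detection_date, window_days)
        z = zscore(today["bytes"], b)
        # floor_bytes stops a quiet host from alerting on a few extra megabytes
        volume_anomalous = z >= z_threshold and today["bytes"] >= floor_bytes
        reasons = []
        new_dests = today["dests"] - b["known_dests"]
        if new_dests:
            reasons.append(f"first-seen destinations: {len(new_dests)}")
        if len(today["dests"]) > fanout_factor * max(b["avg_dests"], 1.0):
            reasons.append(f"destination fan-out: {len(today['dests'])} vs avg {b['avg_dests']:.1f}")
        if volume_anomalous and reasons:
            findings.append({"host": host, "bytes": today["bytes"], "z": round(z, 1),
                             "baseline_mean": int(b["mean"]), "reasons": reasons})
    return findings


def run_sample():
    """Run the detector over the constructed events for the 31st day."""
    return evaluate(build_sample_events(), date(2024, 1, 31))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running it flags only ws-02 (new external destination plus a volume far outside its history) and ws-04 (fan-out to 30 first-seen hosts), while ws-01's 3x backup to its usual server and ws-03's small upload to a new host produce nothing. The same structure maps onto YARA-L: the per-host window aggregation is the match section, the history lookup is the metrics call, and the corroborating destination checks are extra outcome variables ANDed into the condition.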