Hi Team,
I am looking to get an alert if I miss logs from an endpoint on a server. Since the ingestion API monitoring is not granular enough to get this info, I planned to create a dedicated YARA-L rule for the said server. The rule I had planned for looked something like this:
rule silentLogFromCriticalEndpoint {
  meta:
    author = "Srijan Kafle"
    description = "Detects missing logs from server"
    severity = "MEDIUM"
    created = "2024-06-03"

  events:
    // Only events from the one monitored host in the one monitored tenant
    $session.principal.namespace = "prodSydney"
    $session.principal.hostname = "redacted"
    $source = $session.principal.hostname
    $tenant = $session.principal.namespace

  match:
    $source, $tenant over 12h

  outcome:
    $risk_score = 3
    // logic to check delay here which is not working
    // (seconds since the newest event in the window; outcome variables must
    // be aggregated when a match section is present, and the timestamp
    // field needs the .seconds accessor)
    $delay = max(timestamp.current_seconds() - $session.metadata.event_timestamp.seconds)

  condition:
    $session and $delay >= xyz
}
Lines 23 and 26 are not working lines currently, but I wanted to include them to share the logic. Is there any way I can calculate the delay? Another alternative was to search over a shorter duration (e.g. 1 hour) and, if there are no results, trigger an alert. Since the query does not return any fields during the search, this also doesn't trigger.
Any alternative that helps detect at a similar granularity would help.
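The underlying difficulty with the rule above is that a detection rule only fires on events it sees, so it cannot by itself notice that a source has gone quiet. One way to get per-host granularity is a scheduled check outside the rule engine that records the newest event time for each (namespace, hostname) pair and alerts when that age exceeds a per-source threshold, or when an expected source has produced nothing at all. The script below is an added example, not code from the original post or from any SIEM product; it assumes the events have already been pulled into UDM-like Python dicts by some scheduled export job, and the sample events, hostnames, and thresholds are constructed for illustration.

```python
"""Silent-log-source check over exported events.

Added example, not part of the original post. Assumes events are available
as dicts carrying the fields the rule keys on (principal.namespace,
principal.hostname, metadata.event_timestamp in Unix seconds). The sample
data below is constructed; hostnames and thresholds are hypothetical.
"""
from datetime import datetime, timezone


def _ts(hour: int, minute: int) -> int:
    """Unix seconds for a fixed sample day (2024-06-03 UTC), to keep the sample deterministic."""
    return int(datetime(2024, 6, 3, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample events. web-01 is recent, db-01 last reported hours ago,
# one event lacks a hostname, and one belongs to a namespace we do not monitor.
SAMPLE_EVENTS = [
    {"namespace": "prodSydney", "hostname": "web-01", "event_timestamp": _ts(11, 20)},
    {"namespace": "prodSydney", "hostname": "web-01", "event_timestamp": _ts(11, 50)},
    {"namespace": "prodSydney", "hostname": "db-01", "event_timestamp": _ts(8, 0)},
    {"namespace": "prodSydney", "hostname": "db-01", "event_timestamp": _ts(9, 30)},
    {"namespace": "prodSydney", "event_timestamp": _ts(11, 58)},  # no hostname: cannot vouch for any host
    {"namespace": "prodMelbourne", "hostname": "web-01", "event_timestamp": _ts(11, 55)},
]

# Hypothetical monitored sources: (namespace, hostname) -> max allowed silence in seconds.
# backup-01 is expected but has no events at all in the sample.
MONITORED = {
    ("prodSydney", "web-01"): 3600,
    ("prodSydney", "db-01"): 3600,
    ("prodSydney", "backup-01"): 6 * 3600,
}

# Fixed "now" so the example is reproducible (12:00 UTC on the sample day).
NOW_SECONDS = _ts(12, 0)


def last_seen(events):
    """Newest event timestamp per (namespace, hostname); events without both fields are skipped."""
    seen = {}
    for ev in events:
        key = (ev.get("namespace"), ev.get("hostname"))
        if None in key:
            continue
        ts = ev["event_timestamp"]
        if ts > seen.get(key, -1):
            seen[key] = ts
    return seen


def silent_sources(events, monitored, now_seconds):
    """Return [(key, delay_seconds)] for monitored sources past their threshold.

    A source with no events at all is reported with delay None, since "never
    seen" is the case a rule keyed on incoming events can never raise.
    Negative delays (events stamped in the future by clock skew) are clamped
    to zero rather than treated as fresh forever.
    """
    seen = last_seen(events)
    findings = []
    for key, max_silence in monitored.items():
        if key not in seen:
            findings.append((key, None))
            continue
        delay = max(0, now_seconds - seen[key])
        if delay > max_silence:
            findings.append((key, delay))
    return findings


if __name__ == "__main__":
    for (namespace, hostname), delay in silent_sources(SAMPLE_EVENTS, MONITORED, NOW_SECONDS):
        age = "never seen" if delay is None else f"last event {delay}s ago"
        print(f"ALERT silent source {namespace}/{hostname}: {age}")
```

Run on a schedule shorter than the smallest threshold (for example every 15 minutes with 1 hour thresholds), feeding it the events exported since the last run plus the previously recorded last-seen table, so that a single missed export window does not itself produce a wave of false "never seen" alerts.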