Hi community,
Our team is relatively new to YARA-L rules and would highly appreciate any leads or pointers on how to achieve our requirement: we are trying to find 3 different-country events from a single user within 24 hrs, while excluding certain events from the detection on the condition that:
1. We don't want events from the sequence window of 5 mins before the "OpenID Connect Client" value.
Ex: if we have "session requested" and/or "session approved" and/or "session started" etc. within 5 mins of the event "OpenID Connect Client", then the alert shouldn't be triggered.
2. But if the "OpenID Connect Client" value is generated after the 5 min window following any event, we need them to populate.
Ex: if we have "session requested" and/or "session approved" and/or "session started" etc. and "OpenID Connect Client" after the 5 min window, we should have an alert.
For added clarity:
a. "session approved", "session requested" are all generated before the "OpenID Connect Client" event.
b. We need 2 match conditions: one spanning a 24 hour rolling window and the other spanning a 5 min window.
rule okta_geo_hopping {
  meta:
    author = "ff"
    description = "Detects when a user signs in from different countries in the last 24hrs"
    rule_id = "ff"
    rule_name = "okta geo_hopping_"
    reference = "test"
    type = "Alert"

  events:
    // Okta session start / authentication events
    $login.metadata.vendor_name = "Okta"
    ($login.metadata.product_event_type = "user.session.start" nocase or
     $login.metadata.product_event_type = /user.authentication/)
    // Exclude service identities. Every exclusion must hold, so these are
    // separate (implicitly AND-ed) predicates; OR-ing "!=" comparisons is
    // always true and would exclude nothing.
    $login.extracted.fields["actor.alternateId"] != "Okta Dashboard" nocase
    $login.extracted.fields["actor.alternateId"] != "unknown" nocase
    $login.extracted.fields["actor.alternateId"] != "Okta Browser Plugin" nocase
    $login.extracted.fields["actor.alternateId"] != "xxy" nocase
    $login.extracted.fields["actor.alternateId"] != "xxt" nocase
    $login.extracted.fields["actor.alternateId"] != "Okta System" nocase
    $login.principal.user.userid = $userid

    // The "OpenID Connect Client" event, joined to the same user
    $t1.target.resource.name = "OpenID Connect Client"
    $t1.principal.user.userid = $userid

    // Any other target seen for the same user (placeholder variable)
    $beforeopenID.target.resource.name = $allothervalue
    $beforeopenID.principal.user.userid = $userid

  match:
    // As posted: two windows on one match section (the question asked here)
    $allothervalue over 5m before $t1, $userid over 24h

  outcome:
    $target_user_agent = array_distinct($login.network.http.user_agent)
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_city = array_distinct($login.principal.location.city)
    $principal_user_email_addresses = array_distinct($login.principal.user.email_addresses)
    $country_count = count_distinct($login.principal.location.country_or_region)
    $security_result_summary = array_distinct($login.security_result.summary)

  condition:
    ($login and $beforeopenID and $t1) and $country_count > 2
}
This seems like a very challenging one for our team, since we are new to YARA-L and Chronicle. Any help is greatly appreciated.
Thanks!
I don't have the exact answer offhand, but while looking around, I found this previous community discussion that touches on a very similar topic and, importantly, has an accepted solution marked:
https://www.googlecloudcommunity.com/gc/SecOps-SIEM/Detection-Rule-Creation/m-p/846232
Perhaps take a look when you get a chance? Even if it's not a perfect match, sometimes seeing how a similar problem was tackled can spark the right idea.
Hope this resource proves helpful!
There are a couple of things that immediately jump out that hopefully will help get you going.
The first is that while you can have multiple match variables within the match section, the time aggregation is going to be the same for all of them. Keep in mind the match section is essentially an aggregation or group by over a time period.
Another thing to be mindful of here is that while you can use before and after in the match section, it creates a sliding window, and if there are a large number of anchor values (in your case $t1), this can be a very expensive rule. Another approach to this is to use a hop window and then use greater than/less than with the time values to sequence them. An example of this is in the link below.
Using that might help with point 1, to eliminate things that happen within 5 minutes of the OpenID Connect Client.
Related to all of this, it sounds like there are two kinds of events:
- Event1: $login would be the event variable, and then all of the session and auth events
- Event2: $openconnect (arbitrary event variable name) would be the specific event you are interested in measuring around.
Then you could use something like this to knock out events where the sequencing doesn't line up:
    $openconnect.metadata.event_timestamp.seconds - $login.metadata.event_timestamp.seconds > 300
These would both be in the condition section as well.
Hope this helps. I don't have a load of Okta data to simulate this, but we do have some community rules for Okta that might also be helpful for reference: https://github.com/chronicle/detection-rules/tree/main/rules/community/okta
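As an added illustration (not part of this thread, and not Chronicle or Okta code), the following Python models the logic the rule above and the reply describe: the actor exclusions combined as AND, the 5-minute pre-"OpenID Connect Client" suppression expressed as the timestamp difference `oidc.ts - login.ts > 300`, and a rolling 24-hour per-user window that fires when kept logins span 3 or more countries and an OIDC event is present. The field names map to the UDM fields the rule references; the events, users and countries are constructed sample data, not real logs.

```python
from dataclasses import dataclass

# Constructed sample events modelled on the UDM fields the rule references
# (not real Okta data). Timestamps are epoch seconds.
@dataclass(frozen=True)
class Event:
    user: str         # principal.user.userid
    ts: int           # metadata.event_timestamp.seconds
    event_type: str   # metadata.product_event_type
    actor: str        # extracted.fields["actor.alternateId"]
    target: str       # target.resource.name
    country: str      # principal.location.country_or_region

# Service identities the rule tries to exclude. The check is case-insensitive
# and every exclusion must hold (AND); OR-ing "!=" tests would drop nothing.
EXCLUDED_ACTORS = {"okta dashboard", "unknown", "okta browser plugin", "okta system"}
OIDC_TARGET = "OpenID Connect Client"
SEQUENCE_WINDOW_S = 300        # "over 5m before $t1"
MATCH_WINDOW_S = 24 * 60 * 60  # "$userid over 24h"
MIN_COUNTRIES = 3              # count_distinct(country) > 2

def is_login(ev):
    # user.session.start (nocase) or anything matching /user.authentication/
    et = ev.event_type.lower()
    return et == "user.session.start" or "user.authentication" in et

def is_oidc(ev):
    return ev.target == OIDC_TARGET

def actor_allowed(ev):
    return ev.actor.lower() not in EXCLUDED_ACTORS

def suppressed_by_oidc(ev, oidc_events):
    """A login is dropped when an OIDC event for the same user follows it
    within SEQUENCE_WINDOW_S, i.e. the inverse of `oidc.ts - login.ts > 300`."""
    return any(0 <= o.ts - ev.ts <= SEQUENCE_WINDOW_S for o in oidc_events)

def kept_logins(events, user):
    """Login events for `user` that survive the actor filter and the
    5-minute pre-OIDC suppression, in time order."""
    evs = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    oidc = [e for e in evs if is_oidc(e)]
    return [e for e in evs
            if is_login(e) and not is_oidc(e) and actor_allowed(e)
            and not suppressed_by_oidc(e, oidc)]

def detect_geo_hopping(events):
    """Return {user: sorted countries} for each user whose kept logins come
    from at least MIN_COUNTRIES countries inside some 24h window that also
    contains an OIDC event (mirrors `$login and $t1 and $country_count > 2`)."""
    alerts = {}
    for user in sorted({e.user for e in events}):
        evs = [e for e in events if e.user == user]
        logins = kept_logins(events, user)
        oidc = [e for e in evs if is_oidc(e)]
        # Slide the window end over every event timestamp of this user.
        for end in sorted({e.ts for e in evs}):
            start = end - MATCH_WINDOW_S
            countries = {l.country for l in logins if start < l.ts <= end}
            has_oidc = any(start < o.ts <= end for o in oidc)
            if has_oidc and len(countries) >= MIN_COUNTRIES:
                alerts[user] = sorted(countries)
                break
    return alerts

SAMPLE_EVENTS = [
    # alice: the DE login is 120 s before an OIDC event, so it is suppressed;
    # only US and FR remain -> no alert.
    Event("alice", 0,     "user.session.start",      "alice@example.com", "App A", "US"),
    Event("alice", 3600,  "user.authentication.sso", "alice@example.com", "App B", "DE"),
    Event("alice", 3720,  "user.authentication.sso", "alice@example.com", OIDC_TARGET, "DE"),
    Event("alice", 7200,  "user.session.start",      "alice@example.com", "App A", "FR"),
    Event("alice", 10800, "user.authentication.sso", "alice@example.com", OIDC_TARGET, "FR"),
    # bob: three countries, all more than 5 minutes before the OIDC event -> alert.
    # The "Okta System" row is removed by the actor filter and must not add BR.
    Event("bob", 0,    "user.session.start",      "bob@example.com", "App A", "US"),
    Event("bob", 1000, "user.session.start",      "bob@example.com", "App A", "GB"),
    Event("bob", 1500, "user.session.start",      "Okta System",     "App A", "BR"),
    Event("bob", 2000, "user.authentication.sso", "bob@example.com", "App B", "JP"),
    Event("bob", 5000, "user.authentication.sso", "bob@example.com", OIDC_TARGET, "JP"),
    # carol: the US login falls outside the 24h window -> two countries -> no alert.
    Event("carol", 0,     "user.session.start",      "carol@example.com", "App A", "US"),
    Event("carol", 90000, "user.session.start",      "carol@example.com", "App A", "GB"),
    Event("carol", 90500, "user.session.start",      "carol@example.com", "App A", "JP"),
    Event("carol", 91000, "user.authentication.sso", "carol@example.com", OIDC_TARGET, "JP"),
]

if __name__ == "__main__":
    for user, countries in detect_geo_hopping(SAMPLE_EVENTS).items():
        print(f"ALERT geo hopping: {user} -> {', '.join(countries)}")
```

Running it alerts only on bob. The point worth carrying back into YARA-L is that the suppression is a per-pair comparison between the login and the OIDC event, not a second match window, which is why the reply's `> 300` predicate in the events section fits while two `over` clauses in one match section do not.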