Yara-L Rule to detect malicious hashes

Hello everyone! I just started working with Chronicle SIEM and I need some help with a YARA-L rule.

I need to create a rule that will filter Corelight logs with files containing malicious hashes and match the hashes against Virus Total.

Appreciate any help in advance!🙂


We're here to help with questions like this. Do you have a portion of the rule built that you can share? Chronicle has a few integrations with VT but they have some specific licensing requirements associated with it. If you are putting VT data into some sort of reference list, that might change things a bit, so understanding how you are gathering the VT data would be helpful as well.

Thank you for the quick reply!
Here is the rule I built:

rule test_corelight_logs_with_malicious_hash_Virus_Total {
  meta:
    author = "NastyaS"
    description = "Detects files with malicious hash, by matching against Virus Total"
    short_description = "IoC Virus Total Match files"
    severity = "Medium"
    priority = "Medium"
    status = "Testing"
    created_date = "2023-09-14T00:00:00Z"
    rule_version = "1.3"
    yara_version = "YL2.0"
    data_source = "Firewall events"
    confidence_threshold = "50"

  events:
    $e1.metadata.event_type = "NETWORK_CONNECTION"
    $e1.target.ip = $ip
    $e1.principal.user.userid = $userid

    $e2.principal.user.userid = $userid
    $e2.target.process.file.sha256 = $hash

    /*$e3.metadata.log_type = "CORELIGHT"
    $e3.security_result.action = "ALLOW"
    $e3.principal.hostname = $host
    $e3.target.ip = $ip*/

    // get virus total data
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.metadata.product_name = "VirusTotal Relationships"
    $vt.graph.entity.file.sha256 = $hash
    // find relation between ip address and file hash from VT duet
    $vt.graph.relations.entity_type = "IP_ADDRESS"
    $vt.graph.relations.entity.ip = $ip

  match:
    $ip, $hash over 15m

  outcome:
    $soar_rule_entities = array_distinct($userid)
    // standard outcomes
    $risk_score = 60
    $event_count = count_distinct($e1.metadata.id)
    // principal
    $principal_ip = array_distinct($e1.principal.ip)
    $principal_hostname = array_distinct($e1.principal.hostname)
    $principal_user_userid = array_distinct($e1.principal.user.userid)
    $principal_resource_name = array_distinct($e1.principal.resource.name)
    // target
    $target_ip = array_distinct($e1.target.ip)
    $target_hostname = array_distinct($e1.target.hostname)
    $target_user_userid = array_distinct($e1.target.user.userid)
    $target_resource_name = array_distinct($e1.target.resource.name)
    $target_url = array_distinct($e1.target.url)

  condition:
    $e1 and $e2 and $vt
}

I need to specify that I am looking for Corelight logs.
I tried to add this code:
$e3.metadata.log_type = "CORELIGHT"
$e3.security_result.action = "ALLOW"
$e3.principal.hostname = $host
$e3.target.ip = $ip

but it didn't work out, since the rule doesn't detect any logs.

Thanks for sending this along. The $e2 event needs to be something more specific. As I read this, we have network connection events in $e1. Narrowing this down to a specific kind of network traffic might be nice to improve the rule, but for now we are ok.

Is the Corelight data the $e1 Network Connection events or is it something else? If we just want to look for Corelight data and VT data, the first portion of the event section might be able to be narrowed to just this:

$e1.metadata.event_type = "NETWORK_CONNECTION"
$e1.target.ip = $ip
$e1.principal.user.userid = $userid
$e1.metadata.log_type = "CORELIGHT"
$e1.security_result.action = "ALLOW"

and then the condition section is narrowed to:
$e1 and $vt

I would suggest removing $e2 because at the moment $e2 is basically everything in your environment.

This rule looks similar to a template rule we created here.

https://github.com/chronicle/detection-rules/blob/main/community/threat_intel/vt_relationships_file_...
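Putting the advice above together, this is the thread's rule with $e2 removed, the CORELIGHT log type and ALLOW action folded into $e1, and the condition narrowed to $e1 and $vt. It is an added example, not the rule from the thread or the Chronicle template it links to; it keeps the user's 15m match window, references principal.user.userid directly in the outcome instead of through a placeholder, and assumes the UDM field names and the "CORELIGHT" log_type string shown in the thread.

```yaral
rule corelight_file_hash_vt_relationship {
  meta:
    author = "NastyaS"
    description = "Allowed Corelight network connection to an IP that VirusTotal Relationships links to a file hash"
    severity = "Medium"
    priority = "Medium"
    status = "Testing"
    rule_version = "1.4"
    yara_version = "YL2.0"
    data_source = "Corelight"

  events:
    // Only Corelight network connections that were allowed. In the original
    // rule $e1 matched every NETWORK_CONNECTION and $e2 matched every event
    // carrying a user id, so the join was effectively unconstrained.
    $e1.metadata.event_type = "NETWORK_CONNECTION"
    $e1.metadata.log_type = "CORELIGHT"
    $e1.security_result.action = "ALLOW"
    $e1.target.ip = $ip

    // VirusTotal Relationships graph: a FILE entity related to that IP.
    // This asserts only that VT records a relationship between the hash and
    // the IP; no verdict or detection-count field is checked here.
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.metadata.product_name = "VirusTotal Relationships"
    $vt.graph.entity.file.sha256 = $hash
    $vt.graph.relations.entity_type = "IP_ADDRESS"
    $vt.graph.relations.entity.ip = $ip

  match:
    $ip, $hash over 15m

  outcome:
    $risk_score = 60
    $event_count = count_distinct($e1.metadata.id)
    $principal_ip = array_distinct($e1.principal.ip)
    $principal_hostname = array_distinct($e1.principal.hostname)
    $principal_user_userid = array_distinct($e1.principal.user.userid)
    $target_ip = array_distinct($e1.target.ip)
    $target_hostname = array_distinct($e1.target.hostname)

  condition:
    $e1 and $vt
}
```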


Hey team,

Based on the same rule which I built, when I search the hash and IP in VT I am getting a zero rating, so how come it is alerting, as VT rates it as clean?

Could you please explain?