YARA-L Rule to detect malicious hashes

Hello everyone! I just started working with Chronicle SIEM and I need some help with a YARA-L rule.

I need to create a rule that will filter Corelight logs with files containing malicious hashes and match the hashes against Virus Total.

Appreciate any help in advance! 🙂

Accepted solution

Thanks for sending this along. The $e2 event needs to be something more specific. As I read this, we have network connection events in $e1. Narrowing this down to a specific kind of network traffic might be nice to improve the rule, but for now we are ok.

Is the Corelight data the $e1 Network Connection events or is it something else? If we just want to look for Corelight data and VT data, the first portion of the event section might be able to be narrowed to just this:

$e1.metadata.event_type = "NETWORK_CONNECTION"
$e1.target.ip = $ip
$e1.principal.user.userid = $userid
$e1.metadata.log_type = "CORELIGHT"
$e1.security_result.action = "ALLOW"

and then the condition section is narrowed to:

$e1 and $vt

I would suggest removing $e2 because at the moment $e2 is basically everything in your environment.

This rule looks similar to a template rule we created here.

https://github.com/chronicle/detection-rules/blob/main/community/threat_intel/vt_relationships_file_...
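Putting the accepted answer together as one complete rule, as an added example (this is not the poster's rule and not the chronicle/detection-rules template linked above). It keeps the Corelight $e1 filter and the "$e1 and $vt" condition exactly as suggested, and joins the two on a SHA-256 placeholder. The rule name, the assumption that the Corelight parser puts the transferred file's hash in target.file.sha256, the 1-hour match window and the risk score are all assumptions to adjust for your own UDM mapping:

```yaral
rule corelight_file_hash_seen_in_vt_relationships {

  meta:
    author = "added example, not the forum poster's rule"
    description = "Allowed Corelight network connection whose file hash also appears in the VirusTotal entity graph"
    severity = "MEDIUM"

  events:
    // Corelight event section, following the accepted answer: only CORELIGHT
    // network connections that were allowed.
    $e1.metadata.event_type = "NETWORK_CONNECTION"
    $e1.metadata.log_type = "CORELIGHT"
    $e1.security_result.action = "ALLOW"
    $e1.target.ip = $ip
    $e1.principal.user.userid = $userid

    // ASSUMPTION: the Corelight parser stores the file hash in target.file.sha256.
    // Check your own UDM mapping and change the field path if it differs.
    $e1.target.file.sha256 != ""
    $e1.target.file.sha256 = $hash

    // VirusTotal context from the entity graph, keyed on the same SHA-256.
    // This is the $vt event the accepted answer refers to.
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.entity.file.sha256 = $hash

  match:
    // One detection per hash per hour (window size is an assumption).
    $hash over 1h

  outcome:
    // Triage context: who was involved and which destinations were contacted.
    $risk_score = max(60)
    $users = array_distinct($e1.principal.user.userid)
    $target_ips = array_distinct($e1.target.ip)

  condition:
    // No $e2: as the answer notes, an unconstrained $e2 matches everything.
    $e1 and $vt
}
```

Note that this rule only confirms that the hash is present in the VirusTotal entity data Chronicle has ingested; it does not read a verdict field, so a hash that VirusTotal knows about but considers clean would still match. Run it in test mode over a few days of Corelight data and check the hashes it surfaces before enabling alerting.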
