SIEM Rules

Curious, do people share rules here that they have developed? Based on seen activity or just rules in Dev?

For example, we are working on a C2 rule. We are regexing the IP from the command line when putty or other SSH tools are used to make an external connection.

    $PuttyIP = re.capture($e1.target.process.command_line, `(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`)
    not ($PuttyIP = ""
         or net.ip_in_range_cidr($PuttyIP, "X.X.X.X/X"))

  match:
    $hostname, $PuttyIP over 1m

  condition:
    $e1


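As an added illustration (not the original poster's rule and not Chronicle code), here is a Python prototype of the same logic run over constructed process-launch events: capture the first IPv4 string from the command line, drop empty captures and internal ranges, and bucket the rest per hostname and IP in one-minute windows. Event field names, the internal range and the SSH tool list are assumptions; the prototype also rejects regex matches that are not valid addresses, which the rule's `\d{1,3}` pattern alone would accept.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, hostname, process name, command line). Not UDM.
EVENTS = [
    ("2024-01-01T10:00:00", "ws01", "putty.exe", "putty.exe -ssh admin@198.51.100.23 -P 2222"),
    ("2024-01-01T10:00:30", "ws01", "putty.exe", "putty.exe -ssh admin@198.51.100.23"),
    ("2024-01-01T10:00:40", "ws02", "plink.exe", "plink.exe -ssh 10.20.30.40"),     # internal
    ("2024-01-01T10:01:00", "ws03", "putty.exe", "putty.exe -load saved-session"),  # no IP
    ("2024-01-01T10:01:10", "ws04", "putty.exe", "putty.exe -ssh user@999.1.1.1"),  # bad octet
]

IPV4_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")   # same pattern as the rule
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]               # assumed stand-in for X.X.X.X/X
SSH_TOOLS = {"putty.exe", "plink.exe"}                        # assumed tool list

def capture_ip(command_line):
    """Mirror re.capture: first IPv4-looking match, or "" when there is none.
    The regex alone also accepts octets above 255, so validate the match."""
    m = IPV4_RE.search(command_line)
    if m is None:
        return ""
    try:
        ipaddress.ip_address(m.group(0))
    except ValueError:
        return ""
    return m.group(0)

def is_internal(ip):
    """Mirror net.ip_in_range_cidr against the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def detect(events, window=timedelta(minutes=1)):
    """Emulate `match: $hostname, $PuttyIP over 1m`: count qualifying events
    per (hostname, ip, window start) and return the non-empty buckets."""
    buckets = defaultdict(int)
    for ts_str, hostname, process, cmd in events:
        if process.lower() not in SSH_TOOLS:
            continue
        ip = capture_ip(cmd)
        if ip == "" or is_internal(ip):
            continue
        ts = datetime.fromisoformat(ts_str)
        start = ts - (ts - datetime.min) % window   # floor to the window boundary
        buckets[(hostname, ip, start.isoformat(timespec="minutes"))] += 1
    return dict(buckets)
```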

You can, sometimes, find rules that are published online. Google actually shares a handful in their own repo. 

Some folks also share them, but since Chronicle uses its own rules, you have to find others who use Chronicle to get those rules. 

You can also try to leverage Sigma if you have existing rules, but it's particular unless you pay for a product: https://blog.virustotal.com/2023/06/threat-hunting-converting-sigma-to-yara.html

You can also check out places like https://www.snapattack.com/ for a good paid for addon to chronicle.

The legacy sigma tools do contain a chronicle backend: https://github.com/SigmaHQ/legacy-sigmatools/blob/master/tools/sigma/backends/chronicle.py

Also chronicle does have a repo for Yara-L rules but not sure if anyone pushes their own rules there: https://github.com/chronicle/detection-rules

I typically create rules from scratch, based on previous incidents, threat hunting (then converting it into a rule), news articles that explain the chain of compromise, as well as reviewing and mapping rules based on the MITRE ATT&CK framework.

I think it's best to manually create rules based on what logs you ingest, and their priority, as opposed to identifying external rules, copying and activating them. Unfortunately I've not shared any rules, and am not aware of anywhere that supplies these, besides what was previously mentioned in this thread.