Hello everyone, I'm building the rule that will detect malicious domains, by matching them against VirusTotal. However, there is a big issue about it. I ingested 26 logs to Chronicle in order to test the rule. 25 logs contain malicious domains and just ...
Hello everyone! I am creating a custom parser for json logs and I need to convert domains_list into principal.user.attribute.labels udm event. "activity_metadata": { "settings_new_value": { "block_type": "whitelist", "domains_list": [ "test.com", "att...
Hello everyone! I am having a doubt regarding the deprecated label; i.e., $ioc.graph.entity.labels.key, which has to be populated as $ioc.graph.entity.user.attribute.labels.key nowadays. I am using this new label in the rule, however, all logs contain ...
Hello everyone! I'm currently struggling with the regex usage in the rule. I need to create a regex in order to detect the logs with an Admin privilege from "PermissionGroup": "Admins" or "SocRole": "Administrator" security_result.detection_fields.value ...
Hello everyone! I recently started using Fluent Bit to send DNS logs from Windows Server to Google Chronicle Forwarder which then forwards them to Google Chronicle SIEM. But I have a doubt. I'm able to send dns logs in JSON raw format, using the followin...
Thank you for the example you gave! But I used not $e.network.dns.questions.name in %Safe_domains in the events section and the dns requests are defined as $e.network.dns.questions.name event variable. I think, the problem here is with the VT relation...
Hello John, "The events will be in the detection as expected. Was there a separate section under entities?" When I tested the rule before adding the VT relationships, only the events section was there and no entities section was present. But after having...
First of all, thank you for your help. Regarding the questions. 1. Yes, I tested the rule before adding the VT relationships. And it was detecting all 26 events. 2. I searched the domains against the VT and got this result: 25 domains are malicious and ...
This code also worked perfectly for me, thank you! In my case, I just used different labels #Get domains_list for index, _domain in activity_metadata.settings_new_value.domains_list { statedump {label=>"asd"} mutate { replace => { "domains_list.key" ...