Hello Team
New to YARA-L and I am trying to understand how to get a rule to alert if there is a "new" event NOT followed by a "resolved" event in a 5 min window.
This is what I have currently:
rule testAlert {
  events:
    $new.metadata.event_status = "new"
    $new.metadata.vendor_name = "Microsoft"
    $new.target.user.userid = $targetUser
    $resolved.metadata.event_type = "resolved"
    $resolved.metadata.vendor_name = "Microsoft"
    $resolved.target.user.userid = $targetUser
  match:
    $targetUser over 5m
  condition:
    $new and #resolved < 1
}
However, this still seems to be alerting when there has been a resolved event.
Hi,
#resolved has to be greater than or equal to 0 (#resolved > n where n >= 0).
You are checking for event absence, so you might want to look into non-existence (!$resolved).
You can find documentation and an example here: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#bounded_and_unbounded_conditions
A hypothetical use case where the logic you're referring to could be used is one where a scheduled task has been modified, but no scheduled task has been enabled thereafter within a 30 minute period: the condition $modified is triggered, but the condition $enable isn't.
rule Condition_Not_Mach_Identification {
  meta:
    author = "Ayman C"
  events:
    $PrincipalHost = $modified.principal.hostname
    $modified.metadata.log_type = "WINEVTLOG"
    $modified.metadata.event_type = "SCHEDULED_TASK_MODIFICATION"
    $PrincipalHost = $enable.principal.hostname
    $enable.metadata.log_type = "WINEVTLOG"
    $enable.metadata.event_type = "SCHEDULED_TASK_ENABLE"
  match:
    $PrincipalHost over 30m
  outcome:
    $EnableCount = count_distinct($enable.metadata.id)
  condition:
    $modified and !$enable
}
It is also worth noting that the UDM field 'metadata.event_status' used in your original rule logic is not valid.
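Putting the two replies together, this is the original rule rewritten as a YARA-L 2.0 non-existence rule. It is an added example, not code from this thread or from Google's documentation: the field `metadata.product_event_type` and the values "new" and "resolved" are assumptions standing in for whatever UDM field and values your Microsoft events actually populate, so check them against a parsed event before deploying.

```yara
rule new_without_resolved_within_5m {
  meta:
    author = "added example, not from this thread"
    description = "Alert when a Microsoft 'new' event for a user is not followed by a 'resolved' event within 5 minutes"

  events:
    // Assumption: the status lives in metadata.product_event_type (a free-text UDM
    // string). metadata.event_status does not exist in UDM, and metadata.event_type
    // is an enum, so neither accepts arbitrary values like "new" or "resolved".
    $new.metadata.vendor_name = "Microsoft"
    $new.metadata.product_event_type = "new"
    $new.target.user.userid = $targetUser

    // The non-existence event must be joined to the positive event through the
    // same placeholder ($targetUser), otherwise the absence has nothing to be
    // evaluated against.
    $resolved.metadata.vendor_name = "Microsoft"
    $resolved.metadata.product_event_type = "resolved"
    $resolved.target.user.userid = $targetUser

  match:
    // Placeholders are referenced with the $ prefix in the match section too.
    $targetUser over 5m

  condition:
    // Non-existence: a "new" event occurred and no "resolved" event for the same
    // userid appeared in the window. Count conditions (#resolved) are bounded and
    // must take the form #resolved > n with n >= 0, so '#resolved < 1' cannot be
    // used to express absence; the negated event variable is the correct form.
    $new and !$resolved
}
```

Because the absence is judged within the 5 minute match window, a "resolved" event that arrives after the window has closed does not retract the detection; widen the window if the expected time to resolution is longer than five minutes.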