Trying to understand sliding window in YARA-L

Hello Team 

New to YARA-L, and I am trying to understand how to get a rule to alert if there is a "new" event NOT followed by a "resolved" event in a 5 min window.

This is what I have currently:

rule testAlert {
  events:
    $new.metadata.event_status = "new"
    $new.metadata.vendor_name = "Microsoft"
    $new.target.user.userid = $targetUser

    $resolved.metadata.event_type = "resolved"
    $resolved.metadata.vendor_name = "Microsoft"
    $resolved.target.user.userid = $targetUser

  match:
    $targetUser over 5m

  condition:
    $new and #resolved < 1
}

However this still seems to be alerting when there has been a resolved event.


Hi,

#resolved has to be greater than or equal to 0 (#resolved > n where n >= 0).

You are checking for event absence and you might want to look into non-existence (!$resolved).

You can find documentation and example here: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#bounded_and_unbounded_conditions

 

A hypothetical use case where the logic you're referring to could be used is where a scheduled task has been modified, but a scheduled task hasn't been enabled thereafter within a 30 minute period. Here the condition $modified is triggered, but the condition $enable isn't.

rule Condition_Not_Mach_Identification {
  meta:
    author = "Ayman C"

  events:
    $PrincipalHost = $modified.principal.hostname
    $modified.metadata.log_type = "WINEVTLOG"
    $modified.metadata.event_type = "SCHEDULED_TASK_MODIFICATION"

    $PrincipalHost = $enable.principal.hostname
    $enable.metadata.log_type = "WINEVTLOG"
    $enable.metadata.event_type = "SCHEDULED_TASK_ENABLE"

  match:
    $PrincipalHost over 30m

  outcome:
    $EnableCount = count_distinct($enable.metadata.id)

  condition:
    $modified and !$enable
}


It is also worth noting that the UDM field within your original rule logic, 'metadata.event_status', is not valid.
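Both replies describe the same shape of detection: a "start" event (new / modified) with no matching "end" event (resolved / enable) for the same entity inside the match window. The following Python model is an added example written for this thread; it is not YARA-L, not code from either reply, and it uses constructed sample events with simplified fields (timestamp, status, user) rather than real UDM records. It models the asker's phrasing literally, so a 'resolved' event only counts if it arrives after the 'new' event and within the window; a YARA-L match window groups events by match variable and time only, so if ordering matters in the real rule it has to be expressed with a timestamp comparison between the two events.

```python
# Added example (not part of the thread): a small Python model of the
# "new event with no resolved event within 5 minutes" check, grouped by user.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Constructed sample events: (timestamp, status, user). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-07-02T10:00:00", "new", "alice"),
    ("2024-07-02T10:02:00", "resolved", "alice"),  # resolved 2m later: no alert
    ("2024-07-02T10:00:30", "new", "bob"),         # never resolved: alert
    ("2024-07-02T10:01:00", "new", "carol"),
    ("2024-07-02T10:09:00", "resolved", "carol"),  # resolved after 8m: alert
    ("2024-07-02T10:04:00", "resolved", "dave"),   # resolved with no new: nothing
]


def _parse(raw_events):
    """Turn ISO-8601 timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(ts), status, user) for ts, status, user in raw_events]


def resolved_count(events, new_ts, user, window=WINDOW):
    """Number of 'resolved' events for `user` in (new_ts, new_ts + window].

    This is the per-window count that a YARA-L #resolved expression exposes;
    the rule condition then asserts on that count."""
    return sum(
        1
        for ts, status, u in events
        if u == user and status == "resolved" and new_ts < ts <= new_ts + window
    )


def unresolved_new_events(raw_events, window=WINDOW):
    """Return (user, timestamp) for every 'new' event that has no 'resolved'
    event for the same user within `window` after it.

    This is the non-existence condition from the replies, `$new and !$resolved`,
    evaluated per match variable (here: the user)."""
    events = _parse(raw_events)
    hits = []
    for ts, status, user in events:
        if status != "new":
            continue
        if resolved_count(events, ts, user, window) == 0:
            hits.append((user, ts.isoformat()))
    return hits


def unresolved_users(raw_events, window=WINDOW):
    """Distinct users that would produce a detection."""
    return sorted({user for user, _ in unresolved_new_events(raw_events, window)})


if __name__ == "__main__":
    for user, ts in unresolved_new_events(SAMPLE_EVENTS):
        print(f"ALERT: 'new' at {ts} for {user} not resolved within {WINDOW}")
```

Running it on the constructed events flags bob (never resolved) and carol (resolved, but 8 minutes later, outside the 5 minute window) and stays silent for alice and dave; widening the window to 10 minutes drops carol, which is the behaviour to keep in mind when choosing the `over` duration.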