Default detection rules
YARA-L rules language
YARA-L is a detection rules language developed by Google. The purpose of YARA-L is to move away from detections as just data queries to actual event-driven investigations. YARA-L is derived from the YARA language commonly used in malware analysis. The L stands for logs. YARA-L enables you to take advantage of all the information from multiple sources within detections, and correlate those events into actionable alerts. For more information, see the Overview of the YARA-L 2.0 language.
Google Security Operations sample detection rules
To help accelerate your adoption of the Google Security Operations Detection Engine, there is a GitHub repository with sample rules. This repository contains several different categories of detection rules, including the following:
- Google Cloud CloudAudit
- Google Workspace
- Informational warnings
- Malware
- MITRE ATT&CK
- SOC prime rules
- Suspicious events
Each category takes a specific approach in how it views data sources and specifies what events and matching statements to use.
Example rules and tuning
The following rule creates an event variable $e1
which is used to track the
event type. The event variable can be any value which has meaning to the data
being evaluated. The UDM field being evaluated in this event is
metadata.eventype
so it makes sense to just call it e1
. The next lines
searches for specific occurrences of regular expression matches within e1
. The condition that
creates a detection in Google Security Operations is any time the event $e1
takes
place. For tuning purposes, a not
condition is provided to exclude certain
non-malicious paths for the command line argument. Further not
conditions
could be added to this rule if you identify frequent false positives coming from
other known file paths.
rule suspicious_unusual_location_svchost_execution
{
meta:
author = "Google Cloud Security"
description = "Windows 'svchost' executed from an unusual location"
yara_version = "YL2.0"
rule_version = "1.0"
events:
$e1.metadata.event_type = "PROCESS_LAUNCH"
re.regex($e1.principal.process.command_line, `\bsvchost(\.exe)?\b`) nocase
not re.regex($e1.principal.process.command_line, `\\Windows\\System32\\`) nocase
condition:
$e1
}
Specify more than one event variable
YARA-L enables you to have more than one event variable in a rule. In the
following example, the rule has events $e1
and $e2
. The condition states the
logical condition that triggers the detection.
rule ExcludeZeroValues {
meta:
author = "noone@google.com"
events:
$e1.metadata.event_type = "NETWORK_DNS"
$e1.principal.hostname = $hostname
// $e1.principal.user.userid may be empty string.
$e1.principal.user.userid != "Guest"
$e2.metadata.event_type = "NETWORK_HTTP"
$e2.principal.hostname = $hostname
// $e2.target.asset_id cannot be empty string as explicitly specified.
$e2.target.asset_id != ""
match:
// $hostname cannot be empty string.
$hostname over 1h
condition:
$e1 and $e2
}
Rules outcome section
Use the outcome section to set holding variables within the rule detection to
provide enrichment for downstream consumption. For example, you can add severity
scoring information that relies on data from the events being analyzed. The
following detection examines two events to attribute the $hostname
value. If
the value $hostnames
match over a 5 minute period, a severity score is
applied. When using time periods, the Google Security Operations Detection Engine only
examines the discrete blocks of time you specify.
rule OutcomeRuleMultiEvent {
meta:
author = "noone@google.com"
events:
$u.udm.principal.hostname = $hostname
$asset_context.graph.entity.hostname = $hostname
$severity = $asset_context.graph.entity.asset.vulnerabilities.severity
match:
$hostname over 5m
outcome:
$risk_score =
max(
100
+ if($hostname = "my-hostname", 100, 50)
+ if($severity = "HIGH", 10)
+ if($severity = "MEDIUM", 5)
+ if($severity = "LOW", 1)
)
$asset_id_list =
array(
if($u.principal.asset_id = "",
"Empty asset id",
$u.principal.asset_id
)
)
$asset_id_distinct_list = array_distinct($u.principal.asset_id)
$asset_id_count = count($u.principal.asset_id)
$asset_id_distinct_count = count_distinct($u.principal.asset_id)
condition:
$u and $asset_context and $risk_score > 50 and not arrays.contains($asset_id_list, "id_1234")
}
Conclusion
YARA-L is a flexible detection language which enables you to examine security events and not simply just return a data query. The event variable is used to track what field values are being used in the condition section of the rule. You can use a single event, multiple events over time, correlate sources for a single value (such as $hostname from different data sources), and even use tools such as regular expressions to provide matches. It is essential to tune the rules to your own environment and this can be done by specifying exclusions within the logic. You can also use reference lists to group items together and then reference that list in the rule. Don't forget that Google Security Operations does not need every detection to be alerted on. You can keep track of detections for multiple purposes and only alert on those you determine are most critical in your environment.