在规则中使用经过丰富上下文的数据

支持以下语言:

为了帮助安全分析师在调查期间开展工作,Google Security Operations 会提取来自不同来源的上下文数据,对提取的数据进行分析,并提供有关客户环境中工件的实用上下文信息。本文档提供了一些示例,说明分析师如何在 Detection Engine 规则中使用经过情境丰富的数据。

如需详细了解数据丰富功能,请参阅 Google Security Operations 如何丰富事件和实体数据

在规则中使用普遍性扩充字段

以下示例演示了如何在检测引擎中使用与流行病学相关的丰富字段。如需参考信息,请参阅与普及性相关的丰富字段列表。

识别低普及率网域访问

找到匹配项时,此检测规则会生成检测事件,而不是检测提醒。它主要作为一个辅助指标 调查资产。例如,还有其他严重程度更高的提醒触发了突发事件。

$enrichment.graph.metadata.entity_type = "FILE"
$enrichment.graph.metadata.product_name = "VirusTotal Relationships"
$enrichment.graph.metadata.vendor_name = "VirusTotal"

如需详细了解如何添加过滤条件以提升规则性能,请参阅添加事件类型过滤条件

如需了解每种类型的丰富功能,请参阅 Google 安全运营团队如何丰富事件和实体数据

在规则中使用普遍性扩充字段

以下示例演示了如何在检测引擎中使用与流行病学相关的丰富字段。如需参考,请参阅与患病率相关的丰富字段列表。

识别对普及率分数较低的网域的访问权限

此规则可用于检测对普及率分数较低的网域的访问。 为了保证有效性,必须存在工件的普遍性分数基准。以下示例使用参考列表来调整结果,并应用阈值患病率值。

rule network_prevalence_low_prevalence_domain_access {
  meta:
    author = "Google Security Operations"
    description = "Detects access to a low prevalence domain. Requires baseline of prevalence be in place for effective deployment."
    severity = "LOW"

  events:
        $e.metadata.event_type = "NETWORK_HTTP"
        $e.principal.ip = $ip

        // filter out URLs with RFC 1918 IP addresses, i.e., internal assets
        not re.regex($e.target.hostname, `(127(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)|(10(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)|(192\.168(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)|(172\.(?:1[6-9]|2\d|3[0-1])(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})`)

        // used an explicit exclusion reference list
        not $e.target.hostname in %exclusion_network_prevalence_low_prevalence_domain_access

        // only match valid FQDN, filter out background non-routable noise
        re.regex($e.target.hostname, `(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]`)

        $domainName = $e.target.hostname

        //join event ($e) to entity graph ($d)
        $e.target.hostname = $d.graph.entity.domain.name

        $d.graph.metadata.entity_type = "DOMAIN_NAME"

        // tune prevalence as fits your results
        $d.graph.entity.domain.prevalence.rolling_max > 0
        $d.graph.entity.domain.prevalence.rolling_max <= 10

  match:
        $ip over 1h

  outcome:
    $risk_score = max(
        // increment risk score based upon rolling_max prevalence
        if ( $d.graph.entity.domain.prevalence.rolling_max >= 10, 10) +
        if ( $d.graph.entity.domain.prevalence.rolling_max >= 2 and $d.graph.entity.domain.prevalence.rolling_max <= 9 , 20) +
        if ( $d.graph.entity.domain.prevalence.rolling_max = 1, 30)
    )

    $domain_list = array_distinct($domainName)
    $domain_count = count_distinct($domainName)

  condition:
    $e and #d > 10
}

通过 IOC 匹配识别低发生率域

此检测规则会生成检测提醒,并提供高保真度 匹配。

rule network_prevalence_uncommon_domain_ioc_match {

  meta:
    author = "Google Security Operations"
    description = "Lookup Network DNS queries against Entity Graph for low prevalence domains with a matching IOC entry."
    severity = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    $e.network.dns.questions.name = $hostname

    //only match FQDNs, e.g., exclude chrome dns access tests and other internal hosts
    $e.network.dns.questions.name = /(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]/

    //prevalence entity graph lookup
    $p.graph.metadata.entity_type = "DOMAIN_NAME"
    $p.graph.entity.domain.prevalence.rolling_max > 0
    $p.graph.entity.domain.prevalence.rolling_max <= 3
    $p.graph.entity.domain.name = $hostname

    //ioc entity graph lookup
    $i.graph.metadata.vendor_name = "ET_PRO_IOC"
    $i.graph.metadata.entity_type = "DOMAIN_NAME"
    $i.graph.entity.hostname = $hostname

  match:
    $hostname over 10m

  outcome:
    $risk_score = max(
        //increment risk score based upon rolling_max prevalence
        if ( $p.graph.entity.domain.prevalence.rolling_max = 3, 50) +
        if ( $p.graph.entity.domain.prevalence.rolling_max = 2, 70) +
        if ( $p.graph.entity.domain.prevalence.rolling_max = 1, 90)
    )

  condition:
    $e and $p and $i
}

在规则中使用实体的首次出现时间

您可以编写包含 first_seen_timelast_seen_time 字段的规则 检索实体记录。

first_seen_timelast_seen_time 字段填充的是 来描述域名、IP 地址和文件(哈希)。对于用于描述用户或素材资源的实体,系统只会填充 first_seen_time 字段。系统不会针对描述其他类型(例如群组或资源)的实体计算这些值。

如需查看已填充的 UDM 字段列表,请参阅计算实体的首次出现时间和上次出现时间

以下示例展示了如何在规则中使用 first_seen_time

rule first_seen_data_exfil {
    meta:
        author = "Google Security Operations"
        description = "Example usage first_seen data"
        severity = "LOW"

    events:
        $first_access.metadata.event_type = "NETWORK_HTTP"
        $ip = $first_access.principal.ip

        // Join first_access event with entity graph to use first/last seen data.
        $ip = $first_last_seen.graph.entity.ip
        $first_last_seen.graph.metadata.entity_type = "IP_ADDRESS"

        // Check that the first_access UDM event is the first_seen occurrence in the enterprise.
        $first_last_seen.graph.entity.artifact.first_seen_time.seconds = $first_access.metadata.event_timestamp.seconds
        $first_last_seen.graph.entity.artifact.first_seen_time.nanos   = $first_access.metadata.event_timestamp.nanos

        // Check for another access event that appears shortly after the first_seen event,
        // where lots of data is being sent.
        $next_access_data_exfil.metadata.event_type = "NETWORK_CONNECTION"
        // Next access event goes to the same IP as the first.
        $next_access_data_exfil.principal.ip = $ip

        // Next access occurs within 60 seconds after first access.
        $next_access_data_exfil.metadata.event_timestamp.seconds > $first_access.metadata.event_timestamp.seconds
        60 > $next_access_data_exfil.metadata.event_timestamp.seconds  - $first_access.metadata.event_timestamp.seconds

        // Lots of data is being sent over the next access event.
        $next_access_data_exfil.network.sent_bytes > 10 * 1024 * 1024 * 1024 // 10GB

        // Extract hostname of next access event, for match section.
        $hostname = $next_access_data_exfil.principal.hostname

    match:
        $hostname over 1h

    condition:
        $first_access and $next_access_data_exfil and $first_last_seen
}

在规则中使用包含地理定位信息的字段

可以在检测引擎规则中使用存储丰富地理位置数据的 UDM 字段。 如需查看已填充的 UDM 字段列表,请参阅 利用地理位置数据丰富活动信息

以下示例展示了如何检测用户实体是否在多个不同的状态下进行身份验证。

rule geoip_user_login_multiple_states_within_1d {

  meta:
    author = "Google Security Operations"
    description = "Detect multiple authentication attempts from multiple distinct locations using geolocation-enriched UDM fields."
    severity = "INFORMATIONAL"

  events:
    $geoip.metadata.event_type = "USER_LOGIN"
    (
      $geoip.metadata.vendor_name = "Google Workspace" or
      $geoip.metadata.vendor_name = "Google Cloud Platform"
    )
    /* optionally, detect distinct locations at a country */
    (
      $geoip.principal.ip_geo_artifact.location.country_or_region != "" and
      $geoip.principal.ip_geo_artifact.location.country_or_region = $country
    )
    (
      $geoip.principal.ip_geo_artifact.location.state != "" and
      $geoip.principal.ip_geo_artifact.location.state = $state
    )

    $geoip.target.user.email_addresses = $user

  match:
    $user over 1d

  condition:
    $geoip and #state > 1
}

在规则中使用安全浏览丰富字段

Google Security Operations 会从与文件哈希相关的威胁列表中注入数据。 这些经过丰富的信息会以实体形式存储在 Google Security Operations 中。

如需查看填充的 UDM 字段列表,请参阅使用安全浏览威胁列表中的信息丰富实体

您可以创建检测引擎规则以识别与实体的匹配项 从安全浏览中提取而来。下面是一个检测引擎示例 根据丰富信息查询构建情境感知分析的规则。

rule safe_browsing_file_execution {
    meta:
        author = "Google Security Operations"
        description = "Example usage of Safe Browsing data, to detect execution of a file that's been deemed malicious"
        severity = "LOW"

    events:
        // find a process launch event, match on hostname
        $execution.metadata.event_type = "PROCESS_LAUNCH"
        $execution.principal.hostname = $hostname

        // join execution event with Safe Browsing graph
        $sb.graph.entity.file.sha256 = $execution.target.process.file.sha256

        // look for files deemed malicious
        $sb.graph.metadata.entity_type = "FILE"
        $sb.graph.metadata.threat.severity = "CRITICAL"
        $sb.graph.metadata.product_name = "Google Safe Browsing"
        $sb.graph.metadata.source_type = "GLOBAL_CONTEXT"

    match:
        $hostname over 1h

    condition:
        $execution and $sb
}

在规则中使用 WHOIS 扩充字段

您可以编写规则,以在符合以下条件的实体中进行搜索 WHOIS 丰富字段: 代表一个域。这些实体的 entity.metadata.entity_type 字段设置为 DOMAIN_NAME。如需查看填充的 UDM 字段列表,请参阅使用 WHOIS 数据丰富实体

以下是一个示例规则,展示了如何执行此操作。此规则在 events 部分包含以下过滤器字段,以帮助优化规则的性能。

$whois.graph.metadata.entity_type = "DOMAIN_NAME"
$whois.graph.metadata.product_name = "WHOISXMLAPI Simple Whois"
$whois.graph.metadata.vendor_name = "WHOIS"
rule whois_expired_domain_executable_download {
 meta:
   author = "Google Security Operations"
   description = "Example usage of WHOIS data, detecting an executable file download from a domain that's recently expired"
   severity = "LOW"

 events:
        $access.metadata.event_type = "NETWORK_HTTP"
        $hostname = $access.principal.hostname

        // join access event to entity graph to use WHOIS data
        $whois.graph.entity.domain.name = $access.target.hostname

        // use WHOIS data to look for expired domains
        $whois.graph.metadata.entity_type = "DOMAIN_NAME"
        $whois.graph.metadata.product_name = "WHOISXMLAPI Simple Whois"
        $whois.graph.metadata.vendor_name = "WHOIS"
        $whois.graph.entity.domain.expiration_time.seconds < $access.metadata.event_timestamp.seconds

        // join access event with executable file creation event by principal hostname
        $creation.principal.hostname = $access.principal.hostname
        $creation.metadata.event_type = "FILE_CREATION"
        $creation.target.file.full_path = /exe/ nocase

        // file creation comes after expired domain access
        $creation.metadata.event_timestamp.seconds >
           $access.metadata.event_timestamp.seconds

   match:
       $hostname over 1h

 condition:
        $access and $whois and $creation
}

查询 Google Cloud 威胁情报数据

Google 安全运营中心会从 Google Cloud 威胁情报 (GCTI) 数据源提取数据,为您提供背景信息,以便您在调查环境中的活动时使用。您可以查询以下数据源:

  • GCTI Tor 退出节点
  • GCTI 良性二进制
  • GCTI 远程访问工具

如需了解这些威胁 Feed 以及填充的所有字段,请参阅提取和存储 Google Cloud 威胁情报数据

在本文档中,占位符 <variable_name> 表示规则中用于标识 UDM 记录的唯一变量名称。

查询 Tor 退出节点 IP 地址

以下示例规则会在出现 NETWORK_CONNECTION 时返回检测结果, 事件包含存储在 target.ip 字段中的 IP 地址,该 IP 地址也可找到 (位于 GCTI Tor Exit Nodes 数据源中)。确保包含 <variable_name>.graph.metadata.threat.threat_feed_name<variable_name>.graph.metadata.vendor_name、 和<variable_name>.graph.metadata.product_name字段。

这是基于时间的数据源。事件将与以下数据源的快照匹配: 。

rule gcti_tor_exit_nodes {
  meta:
    author = "Google Cloud Threat Intelligence"
    description = "Alert on known Tor exit nodes."
    severity = "High"

  events:
    // Event
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.ip = $tor_ip

    // Tor IP search in GCTI Feed
    $tor.graph.entity.artifact.ip = $tor_ip
    $tor.graph.metadata.entity_type = "IP_ADDRESS"
    $tor.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $tor.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $tor.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $tor.graph.metadata.product_name = "GCTI Feed"

  match:
    $tor_ip over 1h

  outcome:
    $tor_ips = array_distinct($tor_ip)
    $tor_geoip_country = array_distinct($e.target.ip_geo_artifact.location.country_or_region)
    $tor_geoip_state = array_distinct($e.target.ip_geo_artifact.location.state)

  condition:
    $e and $tor
}

查询良性操作系统文件

以下示例规则会组合使用 Benign BinariesTor Exit Nodes 数据源,以便在良性二进制文件与 Tor 出口节点联系时返回提醒。该规则计算的是 风险评分(使用地理位置数据) Google Security Operations 使用目标 IP 地址扩充了该地址。请务必在规则中为 Benign BinariesTor Exit Nodes 数据源添加 <variable_name>.graph.metadata.vendor_name<variable_name>.graph.metadata.product_name<variable_name>.graph.metadata.threat.threat_feed_name

这是一个永不过时的数据源。事件始终与最新快照相匹配 不考虑数据源的任何时间

rule gcti_benign_binaries_contacts_tor_exit_node {
 meta:
   author = "Google Cloud Threat Intelligence"
   description = "Alert on Benign Binary contacting a Tor IP address."
   severity = "High"

 events:
   // Event
   $e.metadata.event_type = "NETWORK_CONNECTION"
   $e.principal.process.file.sha256 = $benign_hash
   $e.target.ip = $ip
   $e.principal.hostname = $hostname

   // Benign File search in GCTI Feed
   $benign.graph.entity.file.sha256 = $benign_hash
   $benign.graph.metadata.entity_type = "FILE"
   $benign.graph.metadata.threat.threat_feed_name = "Benign Binaries"
   $benign.graph.metadata.source_type = "GLOBAL_CONTEXT"
   $benign.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
   $benign.graph.metadata.product_name = "GCTI Feed"

   // Tor IP search in GCTI Feed
   $tor.graph.entity.artifact.ip = $ip
   $tor.graph.metadata.entity_type = "IP_ADDRESS"
   $tor.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
   $tor.graph.metadata.source_type = "GLOBAL_CONTEXT"
   $tor.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
   $tor.graph.metadata.product_name = "GCTI Feed"

 match:
   $hostname over 1h

 outcome:
   $risk_score = max(
       if($tor.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70) +
       // Unauthorized target geographies
       if($e.target.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
       if($e.target.ip_geo_artifact.location.country_or_region = "Iran", 20) +
       if($e.target.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
       if($e.target.ip_geo_artifact.location.country_or_region = "Russia", 20) +
       if($e.target.ip_geo_artifact.location.country_or_region = "Syria", 20)
   )
   $benign_hashes = array_distinct($benign_hash)
   $benign_files = array_distinct($e.principal.process.file.full_path)
   $tor_ips = array_distinct($ip)
   $tor_geoip_country = array_distinct($e.target.ip_geo_artifact.location.country_or_region)
   $tor_geoip_state = array_distinct($e.target.ip_geo_artifact.location.state)

 condition:
   $e and $benign and $tor
}

查询与远程访问工具相关的数据

以下示例规则会在 PROCESS_LAUNCH 事件类型包含 Google Cloud 威胁情报远程访问工具数据源中也存在的哈希时返回检测结果。

这是一个永不过时的数据源。事件一律与以下事件的最新快照相匹配: 无论时间如何

rule gcti_remote_access_tools {
 meta:
   author = "Google Cloud Threat Intelligence"
   description = "Alert on Remote Access Tools."
   severity = "High"

 events:
    // find a process launch event
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.sha256 != ""
    $rat_hash = $e.target.process.file.sha256

    // join graph and event hashes
    $gcti.graph.entity.file.sha256 = $rat_hash

    // look for files identified as likely remote access tools
    $gcti.graph.metadata.entity_type = "FILE"
    $gcti.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $gcti.graph.metadata.product_name = "GCTI Feed"
    $gcti.graph.metadata.threat.threat_feed_name = "Remote Access Tools"

  match:
    $rat_hash over 5m

 outcome:
   $remote_hash = array_distinct($e.target.process.file.sha256)

  condition:
    $e and $gcti

}

在规则中使用 VirusTotal 丰富的元数据字段

以下规则可检测特定文件的文件创建或进程启动 类型,表示系统上有一些已加入监控的哈希。当文件使用 VirusTotal 文件元数据丰富功能标记为 exploit 时,系统会设置风险信号。

如需查看已填充的所有 UDM 字段的列表,请参阅 使用 VirusTotal 文件元数据丰富事件

rule vt_filemetadata_hash_match_ioc {
 meta:
   author = "Google Cloud Threat Intelligence"
   description = "Detect file/process events that indicate watchlisted hashes are on a system"
   severity = "High"

 events:
   // Process launch or file creation events
   $process.metadata.event_type = "PROCESS_LAUNCH" or $process.metadata.event_type ="FILE_CREATION"
   $process.principal.hostname = $hostname
   $process.target.file.sha256 != ""
   $process.target.file.sha256 = $sha256
   $process.target.file.file_type = "FILE_TYPE_DOCX"

   // IOC matching
   $ioc.graph.metadata.product_name = "MISP"
   $ioc.graph.metadata.entity_type = "FILE"
   $ioc.graph.metadata.source_type = "ENTITY_CONTEXT"
   $ioc.graph.entity.file.sha256 = $sha256

 match:
   $hostname over 15m

 outcome:
   $risk_score = max(
       // Tag enrichment from VirusTotal file metadata
       if($process.target.file.tags = "exploit", 90)
   )
   $file_sha256 = array($process.target.file.sha256)
   $host = array($process.principal.hostname)

 condition:
   $process and $ioc
}

在规则中使用 VirusTotal 关联数据

Google Security Operations 会从 VirusTotal 相关连接中提取数据。这些数据可提供有关文件哈希与文件、网域、IP 地址和网址之间关系的信息。这些经过丰富的信息会以实体形式存储在 Google 安全运营中。

您可以创建检测引擎规则,以根据注入的实体识别匹配项 来自 VirusTotal以下规则会在下载已知文件哈希值时发送提醒 来自具有 VirusTotal 关系的已知 IP 地址。风险信号基于 VirusTotal 文件元数据中的文件类型和标记。

此数据仅适用于某些 VirusTotal 和 Google Security Operations 许可。 请与客户经理确认您的使用权。对于列表 请参阅 利用 VirusTotal 关系数据丰富实体

rule virustotal_file_downloaded_from_url {
  meta:
    author = "Google Cloud Threat Intelligence"
    description = "Alerts on downloading a known file hash from a known IP with VirusTotal relationships. The risk score is based on file type and tags from VirusTotal file metadata."
    severity = "High"

  events:
    // Filter network HTTP events
    $e1.metadata.event_type = "NETWORK_HTTP"
    $e1.principal.user.userid = $userid
    $e1.target.url = $url

    // Filter file creation events
    $e2.metadata.event_type = "FILE_CREATION"
    $e2.target.user.userid = $userid
    $e2.target.file.sha256 = $file_hash

    // The file creation event timestamp should be equal or greater than the network http event timestamp
    $e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds

    // Join event file hash with VirusTotal relationships entity graph
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.metadata.product_name = "VirusTotal Relationships"
    $vt.graph.entity.file.sha256 = $file_hash

    // Join network HTTP target URL with VirusTotal relationships entity graph
    $vt.graph.relations.entity_type = "URL"
    $vt.graph.relations.relationship = "DOWNLOADED_FROM"
    $vt.graph.relations.entity.url = $url

  match:
    $userid over 1m

  outcome:
      $risk_score = max(
        // Tag enrichment from VirusTotal file metadata
        if($e2.target.file.tags = "via-tor" or $e2.target.file.tags = "malware" or $e2.target.file.tags = "crypto", 50) +
        // File types enrichment from VirusTotal file metadata
        if($e2.target.file.file_type = "FILE_TYPE_HTML", 5) +
        if($e2.target.file.file_type = "FILE_TYPE_ELF", 10) +
        if($e2.target.file.file_type = "FILE_TYPE_PE_DLL",15) +
        if($e2.target.file.file_type = "FILE_TYPE_PE_EXE", 20)
    )

  condition:
    $e1 and $e2 and $vt and $risk_score >= 50
}

后续步骤

了解如何将丰富数据与其他 Google Security Operations 结合使用 请参阅以下内容: