Using enriched data in rules
To help security analysts extract data during an investigation, Chronicle pulls contextual data from different sources, performs analysis on the extracted data, and provides additional context about artifacts in the customer environment. This document gives examples of how analysts can use enriched data in Detection Engine rules.
For more information about data enrichment, see How Chronicle enriches event and entity data.
Using enrichment fields in rules
The following examples show how to use prevalence-related enriched fields in Detection Engine. For reference information, see the list of prevalence-related enriched fields.
Identify access to a low-prevalence domain
This detection rule generates a detection event (rather than a detection alert) when a match is found. It is intended mainly as a supporting signal when investigating an asset, for example where other, higher-severity alerts have already triggered an incident.
rule network_prevalence_low_prevalence_domain_access {
meta:
author = "Chronicle Security"
description = "Detects access to a low prevalence domain. Requires baseline of prevalence be in place for effective deployment."
severity = "LOW"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.principal.ip = $ip
// filter out URLs with RFC 1918 IP addresses, i.e., internal assets
not re.regex($e.target.hostname, `(127(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)|(10(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)|(192\.168(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)|(172\.(?:1[6-9]|2\d|3[0-1])(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})`)
// only match valid FQDN, filter out background non-routable noise
re.regex($e.target.hostname, `(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]`)
$domainName = $e.target.hostname
//join event ($e) to entity graph ($d)
$e.target.hostname = $d.graph.entity.domain.name
$d.graph.metadata.entity_type = "DOMAIN_NAME"
// tune prevalence as fits your results
$d.graph.entity.domain.prevalence.rolling_max <= 10
match:
$ip over 1h
outcome:
$risk_score = max(
// increment risk score based upon rolling_max prevalence
if ( $d.graph.entity.domain.prevalence.rolling_max >= 10, 10) +
if ( $d.graph.entity.domain.prevalence.rolling_max >= 2 and $d.graph.entity.domain.prevalence.rolling_max <= 9 , 20) +
if ( $d.graph.entity.domain.prevalence.rolling_max = 1, 30)
)
$domain_list = array_distinct($domainName)
$domain_count = count_distinct($domainName)
condition:
$e and $d
}
The following example shows a detection generated by this rule.
Identify access to a domain with a low prevalence score
This rule can be used to detect access to domains with a low prevalence score. For the artifact to surface effectively, a prevalence baseline for the artifact must exist. The following example uses a reference list to tune the results and applies a threshold prevalence value.
rule network_prevalence_low_prevalence_domain_access {
meta:
author = "Chronicle Security"
description = "Detects access to a low prevalence domain. Requires baseline of prevalence be in place for effective deployment."
severity = "LOW"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.principal.ip = $ip
// filter out URLs with RFC 1918 IP addresses, i.e., internal assets
not re.regex($e.target.hostname, `(127(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)|(10(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)|(192\.168(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)|(172\.(?:1[6-9]|2\d|3[0-1])(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})`)
// used an explicit exclusion reference list
not $e.target.hostname in %exclusion_network_prevalence_low_prevalence_domain_access
// only match valid FQDN, filter out background non-routable noise
re.regex($e.target.hostname, `(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]`)
$domainName = $e.target.hostname
//join event ($e) to entity graph ($d)
$e.target.hostname = $d.graph.entity.domain.name
$d.graph.metadata.entity_type = "DOMAIN_NAME"
// tune prevalence as fits your results
$d.graph.entity.domain.prevalence.rolling_max <= 10
match:
$ip over 1h
outcome:
$risk_score = max(
// increment risk score based upon rolling_max prevalence
if ( $d.graph.entity.domain.prevalence.rolling_max >= 10, 10) +
if ( $d.graph.entity.domain.prevalence.rolling_max >= 2 and $d.graph.entity.domain.prevalence.rolling_max <= 9 , 20) +
if ( $d.graph.entity.domain.prevalence.rolling_max = 1, 30)
)
$domain_list = array_distinct($domainName)
$domain_count = count_distinct($domainName)
condition:
$e and #d > 10
}
The following screenshot shows an example detection generated by this rule.
Identify a low-prevalence domain that matches an IOC
This detection rule generates a detection alert and provides a higher-fidelity match: a low-prevalence domain that is also a known IOC.
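As an added illustration that is not part of Chronicle's documentation or product code, the following Python simulates how the two prevalence rules above evaluate: the same RFC 1918 and FQDN regexes, the join from target.hostname to a hypothetical entity-graph snapshot of prevalence.rolling_max values, a fixed 1h bucket per principal.ip standing in for "match: $ip over 1h", the risk_score arithmetic of the outcome section, and the second rule's exclusion reference list and `#d > 10` condition (approximated as a count of joined domains). All events, domains and prevalence values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same regexes the rule uses; YARA-L re.regex() is an unanchored match, so search() is used here.
RFC1918_RE = re.compile(
    r"(127(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)|(10(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$)"
    r"|(192\.168(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)|(172\.(?:1[6-9]|2\d|3[0-1])(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})")
FQDN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]")

# Constructed entity-graph snapshot (hypothetical): domain name -> prevalence.rolling_max.
ENTITY_GRAPH = {"rare-updates.example": 1, "low-traffic.example": 5, "cdn.example": 500}

# Constructed events (hypothetical): (timestamp, metadata.event_type, principal.ip, target.hostname).
EVENTS = [
    (datetime(2024, 1, 1, 9, 5), "NETWORK_HTTP", "10.0.0.5", "rare-updates.example"),
    (datetime(2024, 1, 1, 9, 10), "NETWORK_HTTP", "10.0.0.5", "cdn.example"),          # prevalence too high
    (datetime(2024, 1, 1, 9, 12), "NETWORK_HTTP", "10.0.0.5", "192.168.1.20"),         # RFC 1918, filtered out
    (datetime(2024, 1, 1, 9, 30), "NETWORK_HTTP", "10.0.0.5", "low-traffic.example"),
    (datetime(2024, 1, 1, 9, 31), "NETWORK_DNS", "10.0.0.5", "low-traffic.example"),   # wrong event type
    (datetime(2024, 1, 1, 14, 0), "NETWORK_HTTP", "10.0.0.7", "localhost"),            # not an FQDN
    (datetime(2024, 1, 1, 14, 2), "NETWORK_HTTP", "10.0.0.7", "rare-updates.example"),
]

def risk_points(rolling_max):
    """Mirror of the rule's outcome section: each if() adds its value when true, else 0."""
    return ((10 if rolling_max >= 10 else 0)
            + (20 if 2 <= rolling_max <= 9 else 0)
            + (30 if rolling_max == 1 else 0))

def evaluate(events, graph, exclusion_list=(), threshold=10, min_entities=1):
    """Return {(ip, window_start): (risk_score, domain_list, domain_count)}.
    exclusion_list stands in for the %exclusion_... reference list of the second rule;
    min_entities=11 approximates its `#d > 10` condition as a count of joined domains."""
    windows = defaultdict(dict)
    for ts, event_type, ip, host in events:
        if event_type != "NETWORK_HTTP" or RFC1918_RE.search(host):
            continue
        if host in exclusion_list or not FQDN_RE.search(host):
            continue
        rm = graph.get(host)  # join $e.target.hostname = $d.graph.entity.domain.name
        if rm is None or rm > threshold:
            continue
        window = ts.replace(minute=0, second=0).isoformat()  # fixed 1h bucket for "match: $ip over 1h"
        windows[(ip, window)][host] = rm
    detections = {}
    for key, joined in windows.items():
        if len(joined) >= min_entities:
            detections[key] = (max(map(risk_points, joined.values())), sorted(joined), len(joined))
    return detections
```

With the constructed data, 10.0.0.5 yields a risk_score of 30 (the rolling_max = 1 domain dominates the max) and a domain_count of 2, while 10.0.0.7 is only left with rare-updates.example; passing exclusion_list=("rare-updates.example",) or min_entities=11 shows how the second rule's additions reduce the detections.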
rule network_prevalence_uncommon_domain_ioc_match {
meta:
author = "Chronicle Security"
description = "Lookup Network DNS queries against Entity Graph for low prevalence domains with a matching IOC entry."
severity = "MEDIUM"
events:
$e.metadata.event_type = "NETWORK_DNS"
$e.network.dns.questions.name = $hostname
//only match FQDNs, e.g., exclude chrome dns access tests and other internal hosts
$e.network.dns.questions.name = /(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]/
//prevalence entity graph lookup
$p.graph.metadata.entity_type = "DOMAIN_NAME"
$p.graph.entity.domain.prevalence.rolling_max <= 3
$p.graph.entity.domain.name = $hostname
//ioc entity graph lookup
$i.graph.metadata.vendor_name = "ET_PRO_IOC"
$i.graph.metadata.entity_type = "DOMAIN_NAME"
$i.graph.entity.hostname = $hostname
match:
$hostname over 10m
outcome:
$risk_score = max(
//increment risk score based upon rolling_max prevalence
if ( $p.graph.entity.domain.prevalence.rolling_max = 3, 50) +
if ( $p.graph.entity.domain.prevalence.rolling_max = 2, 70) +
if ( $p.graph.entity.domain.prevalence.rolling_max = 1, 90)
)
condition:
$e and $p and $i
}
The following example shows a detection generated by this rule.
Using Safe Browsing enrichment fields in rules
Chronicle ingests data from threat lists related to file hashes. This enrichment information is stored in Chronicle as entities.
You can create Detection Engine rules that identify matches against the entities ingested from Safe Browsing. The following is an example Detection Engine rule that queries this enriched information to build context-aware analytics.
rule safe_browsing_file_execution {
meta:
author = "Chronicle Security"
description = "Example usage of Safe Browsing data, to detect execution of a file that's been deemed malicious"
severity = "LOW"
events:
// find a process launch event, match on hostname
$execution.metadata.event_type = "PROCESS_LAUNCH"
$execution.principal.hostname = $hostname
// join execution event with Safe Browsing graph
$sb.graph.entity.file.sha256 = $execution.target.process.file.sha256
// look for files deemed malicious
$sb.graph.metadata.entity_type = "FILE"
$sb.graph.metadata.threat.severity = "CRITICAL"
$sb.graph.metadata.product_name = "Google Safe Browsing"
$sb.graph.metadata.source_type = "GLOBAL_CONTEXT"
match:
$hostname over 1h
condition:
$execution and $sb
}
Using geolocation enrichment fields in rules
UDM fields can store geolocation-enriched data for use in detections. The following example shows how to detect a user entity authenticating from multiple distinct states.
rule geoip_user_login_multiple_states_within_1d {
meta:
author = "demo"
description = "Detect multiple authentication attempts from multiple distinct locations using geolocation-enriched UDM fields."
severity = "INFORMATIONAL"
events:
$geoip.metadata.event_type = "USER_LOGIN"
(
$geoip.metadata.vendor_name = "Google Workspace" or
$geoip.metadata.vendor_name = "Google Cloud Platform"
)
/* optionally, detect distinct locations at a country */
(
$geoip.principal.ip_geo_artifact.location.country_or_region != "" and
$geoip.principal.ip_geo_artifact.location.country_or_region = $country
)
(
$geoip.principal.ip_geo_artifact.location.state != "" and
$geoip.principal.ip_geo_artifact.location.state = $state
)
$geoip.target.user.email_addresses = $user
match:
$user over 1d
condition:
$geoip and #state > 1
}
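As an added illustration that is not part of Chronicle's documentation or product code, the following Python applies the logic of the geolocation rule above to constructed USER_LOGIN events: the vendor_name filter, the requirement that country_or_region and state are non-empty, grouping by target.user.email_addresses with a calendar-day bucket standing in for "match: $user over 1d", and the `#state > 1` condition. All users, vendors and locations are constructed.

```python
from collections import defaultdict
from datetime import datetime

# vendor_name values the rule accepts.
VENDORS = {"Google Workspace", "Google Cloud Platform"}

# Constructed USER_LOGIN events (hypothetical): (timestamp, metadata.vendor_name,
# target.user.email_addresses, ip_geo_artifact.location.country_or_region, ip_geo_artifact.location.state).
LOGINS = [
    (datetime(2024, 3, 4, 8, 0), "Google Workspace", "alice@example.test", "US", "California"),
    (datetime(2024, 3, 4, 9, 30), "Google Cloud Platform", "alice@example.test", "US", "New York"),
    (datetime(2024, 3, 4, 10, 0), "Google Workspace", "bob@example.test", "US", "Texas"),
    (datetime(2024, 3, 4, 11, 0), "Google Workspace", "bob@example.test", "US", "Texas"),
    (datetime(2024, 3, 4, 12, 0), "Okta", "carol@example.test", "US", "Ohio"),          # vendor not in rule
    (datetime(2024, 3, 4, 13, 0), "Google Workspace", "carol@example.test", "", ""),     # no geo enrichment
    (datetime(2024, 3, 4, 14, 0), "Google Workspace", "carol@example.test", "US", "Nevada"),
    (datetime(2024, 3, 6, 9, 0), "Google Workspace", "alice@example.test", "US", "Oregon"),  # separate 1d window
]

def multi_state_logins(events, vendors=VENDORS):
    """Return {(user, day): sorted distinct states} for users that authenticated from more than
    one state within a 1d window (a fixed calendar-day bucket approximates "match: $user over 1d")."""
    states = defaultdict(set)
    for ts, vendor, user, country, state in events:
        if vendor not in vendors or country == "" or state == "":
            continue  # mirrors the vendor_name filter and the != "" checks in the rule
        states[(user, ts.date().isoformat())].add(state)
    # condition: #state > 1, i.e. more than one distinct state value in the window
    return {key: sorted(seen) for key, seen in states.items() if len(seen) > 1}
```

Only alice on 2024-03-04 is returned: bob logs in from one state, carol's Okta event and unenriched event are filtered before counting, and alice's Oregon login falls in a different day window.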
Next steps
To learn how to use enriched data with other Chronicle features, see the following: