Quick disclaimer: Depending on your organization, the UDM fields that these rules look off of may not match up directly. The rules may need some tuning. These rules are a collection of ones created by myself or by detection engineers I have worked with. Please use at your own risk. If you think there are any issues with the rules or have any requests for Yara-L ones, please feel free to reach out.
The following are links to a few Chronicle resources that I commonly use.
- Yara-L Syntax: Google's Yara-L syntax documentation.
- New To Chronicle Series: An in-depth writeup on how to begin writing Yara-L rules. Cannot recommend this series enough for someone trying to learn the language. Great example rules as well for seeing some of the newer capabilities of Yara-L.
- List of UDM fields: List of all UDM fields in the platform. Good link to save as it has all field names and the values for fields which are enumerations.
- Graph data: Good example rules for using some of the context graphs on the platform.
- Rule Examples: NEW UPDATES!!! Chronicle added more examples that show the flexibility of what can be done in Yara-L. Would recommend reviewing these to understand how multi-event and outcome rules work.
- More Graph Rules: Thorough examples of how the graph data can be used for prevalence-based detections.
For now, here is what I am going to put in the meta fields since it is not specified:
- severity:
  - CRITICAL: A detection of this rule is severe and warrants immediate response.
  - HIGH: Detections from this rule need to be looked into relatively soon.
  - MEDIUM: Rule that fingerprints interesting activity associated with TTPs. When in coordination with other MEDIUM rules on the same host/user, the activity should be elevated.
  - LOW: Informational rule or rule to display activity of interest.
- status:
  - Experimental: Rule still needs some testing/tuning to be reliable.
  - Testing: Rule is pretty consistent but needs some tuning and review of matches to be reliable.
  - Stable: Tuned rule; needs to be looked at if there is a detection and its severity is high or critical.
These are a set of rules that look for possibly suspicious activity. By themselves they are very noisy, but when used in conjunction with each other they might provide good data. For example, if one hostname is the cause of 3+ unique block rules it is worth investigating.
Rules for looking for certain IOCs (emails, IPs, hashes, etc.).
Yara-L provides features to let users create multi-event rules as well as a new outcomes section. The following rules are a bit more complex and are good examples of rules to look at for learning:
- Using Or For Different Behavior
- Simple multi event rule
- Three part multi event
- Fun with outcomes
- Long OR
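As an added example of the multi-event and outcome features described above (and of the severity/status meta convention from the section before), here is a rule that is not part of this repository: it correlates repeated failed logins for one user with a later successful login from the same source IP. The event type value, `security_result.action` values and the `principal.ip` / `target.user.userid` field choices are assumptions; check them against your parsers using the UDM field list linked above before relying on the rule.

```yaral
// Added example, not one of the repository's rules.
// Assumed UDM mapping: USER_LOGIN events, BLOCK for a failed login and
// ALLOW for a successful one. Tune for your own log sources.
rule added_example_failed_then_successful_login {
  meta:
    author = "added example"
    description = "5+ failed logins for a user followed by a successful login from the same source IP within 30 minutes"
    severity = "MEDIUM"
    status = "Experimental"

  events:
    // Failed login attempts, joined on user and source IP placeholders
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.target.user.userid = $user
    $fail.principal.ip = $ip

    // A successful login for the same user from the same IP
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.target.user.userid = $user
    $success.principal.ip = $ip

    // Event-to-event comparison: the success must come after a failure
    $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds

  match:
    $user, $ip over 30m

  outcome:
    // Values surfaced on the detection to speed up triage
    $failed_attempts = count_distinct($fail.metadata.id)
    $first_failure = min($fail.metadata.event_timestamp.seconds)
    $success_time = max($success.metadata.event_timestamp.seconds)
    // Constructed scoring: logins from the internal 10.0.0.0/8 range score lower
    $risk_score = max(if($success.principal.ip = /^10\./, 20, 60))

  condition:
    #fail >= 5 and $success
}
```

The `match` section groups events per user and IP over the window, `#fail >= 5` enforces the volume threshold, and the `outcome` section attaches counts, timestamps and a score to each detection so an analyst does not have to re-run the search to see them.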
One of the most powerful features of Chronicle is the enrichment in entity data. With this we can look at data points like first seen/last seen, prevalence, enriched data, and other intel sources that get ingested into the platform. The following rules utilize these features:
Much of this entity data can be added to existing rules to raise the level of suspicion. For example, if you have a rule looking for connections out to suspicious TLDs, you can overlay the prevalence and first seen time to determine how rare the domain is for your environment.
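The suspicious-TLD overlay just described, written out as an added example rule that is not part of this repository: a network connection to a domain under one of a few TLDs is joined to the domain's entity-graph record so that only domains seen on a handful of assets fire, and the first seen time is surfaced on the detection. The TLD list is constructed for illustration, and the prevalence and first-seen graph fields (`graph.entity.domain.prevalence.rolling_max`, `graph.entity.domain.first_seen_time.seconds`) are assumptions to verify against the UDM field list linked above.

```yaral
// Added example, not one of the repository's rules.
// Assumes the domain prevalence / first-seen derived context is enabled
// in your Chronicle tenant and the listed graph field names are current.
rule added_example_rare_domain_on_suspicious_tld {
  meta:
    author = "added example"
    description = "Outbound connection to a domain on a suspicious TLD that is rare and newly seen in the environment"
    severity = "HIGH"
    status = "Experimental"

  events:
    // Outbound connection; TLD list is constructed, tune it for your org
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    $conn.principal.hostname = $host
    $conn.target.hostname = $domain
    $conn.target.hostname = /\.(xyz|top|tk|club)$/ nocase

    // Entity graph record for the same domain (assumed field names)
    $prev.graph.metadata.entity_type = "DOMAIN_NAME"
    $prev.graph.metadata.source_type = "DERIVED_CONTEXT"
    $prev.graph.entity.domain.name = $domain

    // Prevalence overlay: seen on at most 5 assets in the rolling window
    $prev.graph.entity.domain.prevalence.rolling_max > 0
    $prev.graph.entity.domain.prevalence.rolling_max <= 5

  match:
    $host, $domain over 1h

  outcome:
    // First seen time is exposed so analysts can judge how new the domain is
    $first_seen_seconds = max($prev.graph.entity.domain.first_seen_time.seconds)
    $assets_seen = max($prev.graph.entity.domain.prevalence.rolling_max)
    $connection_count = count_distinct($conn.metadata.id)
    $target_ips = array_distinct($conn.target.ip)

  condition:
    $conn and $prev
}
```

Without the `$prev` join this is just a noisy TLD match; requiring the prevalence record turns it into "a domain almost nobody here talks to", which is the kind of overlay that lets a LOW block-style rule be promoted to HIGH.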