Detection rules › YARA-L
IOC Domain Internal Policy
Detect DNS events that communicate with gaming sites in MISP. These violate policy.
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
Rule body yaral
/*
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule ioc_domain_internal_policy {
meta:
author = "Google Cloud Security"
description = "Detect DNS events that communicate with gaming sites in MISP. These violate policy."
rule_id = "mr_853bfafe-3049-43b5-a077-6a5f4a24ea3c"
rule_name = "IOC Domain Internal Policy"
type = "alert"
tags = "threat indicators"
assumption = "Assumes MISP data has been ingested into entity graph; this rule can be modified to utilize other TI indicators"
data_source = "microsoft sysmon"
severity = "Low"
priority = "Low"
events:
$dns.metadata.event_type = "NETWORK_DNS"
$dns.network.dns.questions.name = $dns_query
// Correlates with MISP data; can be modified based on your MISP parser or other TI
$ioc.graph.metadata.product_name = "MISP"
$ioc.graph.metadata.entity_type = "DOMAIN_NAME"
$ioc.graph.metadata.source_type = "ENTITY_CONTEXT"
// Summary is used to focus on a specific subset of MISP indicators, can modify as needed
$ioc.graph.metadata.threat.summary = "Gaming Sites"
// Threat Feed Name is used to focus on a specific subset of MISP indicators, can modify as needed
$ioc.graph.metadata.threat.threat_feed_name = "Internal"
$ioc.graph.entity.hostname = $dns_query
// Regex used to extract subset of data from field description, optional
re.capture($ioc.graph.metadata.threat.description, "additional info: (.*)") = $info
match:
$dns_query over 5m
outcome:
$risk_score = 35
$event_count = count_distinct($dns.metadata.id)
// If not doing any additional extractions to $info placeholder variable, the following outcome variable can be removed
$threat_info = array_distinct($info)
$network_dns_questions_name = array_distinct($dns.network.dns.questions.name)
$network_dns_answers_data = array_distinct($dns.network.dns.answers.data)
// added to populate alert graph with additional context
$principal_ip = array_distinct($dns.principal.ip)
$target_ip = array_distinct($dns.target.ip)
$principal_process_pid = array_distinct($dns.principal.process.pid)
$principal_process_file_full_path = array_distinct($dns.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($dns.principal.process.product_specific_process_id)
$principal_user_userid = array_distinct($dns.principal.user.userid)
$principal_process_command_line = array_distinct($dns.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($dns.principal.process.file.sha256)
$principal_process_parent_process_product_specific_process_id = array_distinct($dns.principal.process.parent_process.product_specific_process_id)
condition:
$dns and $ioc
}
Detection logic
Fires when at least one $dns event in the 5m window and $ioc matches entity context.
Events
$dns
$ioc
graph.metadata.product_name = "MISP"graph.metadata.entity_type = "DOMAIN_NAME"graph.metadata.source_type = "ENTITY_CONTEXT"graph.metadata.threat.summary = "Gaming Sites"graph.metadata.threat.threat_feed_name = "Internal"
$re.capture()
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
risk_score | 35 |
event_count | count_distinct($dns.metadata.id) |
threat_info | array_distinct($info) |
network_dns_questions_name | array_distinct($dns.network.dns.questions.name) |
network_dns_answers_data | array_distinct($dns.network.dns.answers.data) |
principal_ip | array_distinct($dns.principal.ip) |
target_ip | array_distinct($dns.target.ip) |
principal_process_pid | array_distinct($dns.principal.process.pid) |
principal_process_file_full_path | array_distinct($dns.principal.process.file.full_path) |
principal_process_product_specific_process_id | array_distinct($dns.principal.process.product_specific_process_id) |
principal_user_userid | array_distinct($dns.principal.user.userid) |
principal_process_command_line | array_distinct($dns.principal.process.command_line) |
principal_process_file_sha256 | array_distinct($dns.principal.process.file.sha256) |
principal_process_parent_process_product_specific_process_id | array_distinct($dns.principal.process.parent_process.product_specific_process_id) |