
detection-rules's Introduction

Google Security Operations Detection Rules

This repository contains sample detection rules and dashboards for use within Google Security Operations.

Rules within the community directory were created by the Google Security Operations Security team and members of the Google Security Operations user community. These rules use the latest YARA-L syntax and provide a starter set of rules that can be used with Google Security Operations' entity graph and for other use cases, or that can serve as inspiration for new use cases.

Rules within the soc_prime_rules directory were created by SOC Prime and made available to Google Security Operations Customers.

Before deploying any rule, test it with Google Security Operations' test rule functionality. This is considered a best practice and gives you the opportunity to tune the rule to your environment before creating alerts from it.

Dashboard YAML files can be imported into Google Security Operations dashboards using the Add - Import Dashboard capability found next to the Personal Dashboards or Shared Dashboards section of the UI. The intent of this is to provide sample dashboards that can serve as templates, inspiration or starting points for your own dashboards and can be modified as you see fit.

Getting Started

Rules can be created within your Google Security Operations instance by using the Rules Editor. Simply download the rule from the repository and copy the content of the rule to the rule editor when creating a new rule.

To automate rule creation, APIs are available to create/update/delete rules.

Detailed instructions can be found in your Google Security Operations instance under documentation.

How to Contribute

Interested in contributing to this project? We'd love to hear from you! Example contributions include new detection rules and updates to existing rules.

Please refer to our contribution guide for further information.

Our style guide for authoring YARA-L detection rules can be found here.

Documentation

Detection API and UI

YARA-L 2.0 rules and UDM:

Code Samples

detection-rules's People

Contributors

dandye, goog-cmmartin, gssincla-g, jacks-reid, jason-wg, rixgh, rtwhite-chronicle, shapor, threat-punter, venkatax


detection-rules's Issues

chronicle_auth.py doesn't read in dotenv environment variable

Version 3.12.2
Arch: 64
Packages:
annotated-types, 0.6.0
cachetools, 5.3.3
certifi, 2024.2.2
charset-normalizer, 3.3.2
google-auth, 2.29.0
idna, 3.7
pip, 24.0
pyasn1, 0.6.0
pyasn1_module, 0.4.0
pydantic, 2.6.4
pydantic_core, 2.16.3
pydantic-dotenv, 1.0.1
PyYAML, 6.0.1
requests, 2.31.0
rsa, 4.9
ruamel.yaml, 0.18.6
ruamel.yaml.clib, 0.2.8
typing_extensions, 4.11.0
urllib, 2.2.1

(venv312) PS \\rule_manager_c> python -m rule_cli --pull-latest-rules
14-May-24 13:28:16 Eastern Daylight Time | INFO | <module> | Rule CLI started
14-May-24 13:28:16 Eastern Daylight Time | INFO | <module> | Attempting to pull latest version of all rules from Chronicle and update local files
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "\\venv312\rule_manager_c\rule_cli\__main__.py", line 407, in <module>
    pull_latest_rules()
  File "\\venv312\rule_manager_c\rule_cli\__main__.py", line 63, in pull_latest_rules
    http_session = initialize_http_session()
                   ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "\\venv312\rule_manager_c\rule_cli\__main__.py", line 53, in initialize_http_session
    os.environ["CHRONICLE_API_CREDENTIALS"]
    ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen os>", line 685, in __getitem__
KeyError: 'CHRONICLE_API_CREDENTIALS'
(venv312) PS \\rule_manager_c>

Additionally, following the setup directions, there is a .env file at the root of rule_manager_c named ruleimport.env with all the correct fields from SecOps and the GCP instance IDs.
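The traceback above fails because os.environ is read directly and the .env file was never loaded into the process environment. The following is an added example (not the project's chronicle_auth.py) of a defensive settings lookup: it loads a dotenv file if present without overriding variables already set in the real environment, and fails with a message that names both the variable and the file it looked in. The file name ruleimport.env and the minimal dotenv parser (a stand-in for python-dotenv so the example runs with no extra packages) are assumptions.

```python
import os
from pathlib import Path

# Assumed file name, taken from the issue report above.
DEFAULT_ENV_FILE = "ruleimport.env"


def parse_dotenv(text):
    """Parse KEY=VALUE lines: skips comments and blank lines, accepts an
    optional 'export ' prefix, strips matching surrounding quotes.
    Minimal stand-in for python-dotenv, not the library itself."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue  # malformed line: ignore rather than crash the CLI
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_dotenv_into(environ, env_file=DEFAULT_ENV_FILE):
    """Load env_file (if it exists) into environ; variables that are already
    set win over the file. Returns the list of keys that were added."""
    path = Path(env_file)
    if not path.is_file():
        return []
    loaded = []
    for key, value in parse_dotenv(path.read_text(encoding="utf-8")).items():
        if key not in environ:
            environ[key] = value
            loaded.append(key)
    return loaded


def get_required_setting(name, environ=None, env_file=DEFAULT_ENV_FILE):
    """Return a required setting, loading the dotenv file first. A missing
    value raises RuntimeError with an actionable message instead of KeyError."""
    environ = os.environ if environ is None else environ
    load_dotenv_into(environ, env_file)
    try:
        return environ[name]
    except KeyError:
        raise RuntimeError(
            f"{name} is not set. Export it or add it to {Path(env_file).resolve()}"
        ) from None
```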

Rule_manager - Unable to rename remote rules

@threat-punter Is renaming a remote rule not possible via the rule_cli? I tried to rename a rule in our system (changed from "office365_LogTypes" to "Office365_LogTypes") and got the below error. I updated the yaral rule_name, the file name and the rule config entry.

13-Mar-24 07:09:41 UTC | INFO | load_rules | Loaded 7 rules from /opt/actions-runner/_work/chronicle-siem-detection-rules-dev
13-Mar-24 07:09:41 UTC | INFO | update_remote_rules | Attempting to retrieve latest version of all rules from Chronicle
13-Mar-24 07:09:41 UTC | INFO | get_remote_rules | Attempting to retrieve all rules from Chronicle
13-Mar-24 07:09:42 UTC | INFO | get_remote_rules | Retrieved 57 rules
13-Mar-24 07:09:42 UTC | INFO | get_remote_rules | Retrieved a total of 57 rules
13-Mar-24 07:09:42 UTC | INFO | get_remote_rules | Attempting to retrieve rule deployment state for 57 rules
13-Mar-24 07:10:21 UTC | INFO | update_remote_rules | Checking if any rule updates are required
13-Mar-24 07:10:21 UTC | INFO | update_remote_rules | Local rule name Office365_LogTypes not found in remote rules
Traceback (most recent call last):
  File "/opt/actions-runner/_work/_tool/Python/3.10.12/x64/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/actions-runner/_work/_tool/Python/3.10.12/x64/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/opt/actions-runner/_work/chronicle-siem-detection-rules-dev/rule_cli/main.py", line 268, in <module>
    update_remote_rules()
  File "/opt/actions-runner/_work/chronicle-siem-detection-rules-dev/rule_cli/main.py", line 85, in update_remote_rules
    rule_updates = Rules.update_remote_rules(http_session=http_session)
  File "/opt/actions-runner/_work/chronicle-siem-detection-rules-dev/rule_cli/rules.py", line 557, in update_remote_rules
    rule_id = local_rule.rule_id
AttributeError: 'Rule' object has no attribute 'rule_id'

Rule_Manager - Skip archived Rules flag

@threat-punter would it be possible in the Rule Manager to add in a feature to allow the skipping of Archived rules for all the processes (get/update/etc)? I tried to poke around and find where to update the code but couldn't figure it out, would be a great feature.

It would be nice to have something like --skip-archive when running python -m rule_cli.

Detailed instructions URLs are no longer valid

Hi there,

It looks like these two URLs are 404'ing:

Detection UI: https://<your chronicle instance>/docs/detection-engine/detection-engine-ui.html
Detection API: https://<your chronicle instance>/docs/detection-engine/detection-engine-api.html

Thanks for publishing these!
