Question

Notified When The Log feed stops

  • October 13, 2025
  • 6 replies
  • 96 views

I'm planning to write a detection rule to monitor a log source. I want to be notified when the log feed stops and no logs are being received.

  events:
    $e.metadata.vendor_name = string
    $e.metadata.event_timestamp = int

  condition:
    not any $e where
      $e.metadata.vendor_name == "Crowdstrike" and
      $e.metadata.event_timestamp > now() - 1800
}


Here I am getting errors on the line: not any $e where

6 replies

kentphelps
Staff
  • 148 replies
  • October 13, 2025

You should take a look at this page for options here: Silent-host monitoring


  • Author
  • 17 replies
  • November 7, 2025

I looked at it, but I could not see any options where I can write a YARA-L rule in SIEM. I only found the solution of creating dashboards in GCP. But currently I'm exploring writing it in SIEM.


mikewilusz
Staff
  • 108 replies
  • November 7, 2025

  • Author
  • 17 replies
  • November 7, 2025

@mikewilusz I tried the SHM way; please find below the rule, which gives an error.

{
  meta:

  events:
    // Scan events in the last 20 minutes (1200 seconds)
    $event.metadata.event_timestamp.seconds > timestamp.current_seconds() - 1200
    // Filter specifically for the target log type and vendor
    $event.metadata.log_type = "MIMECAST_MAIL_V2"
    $event.metadata.vendor_name = "Mimecast"

  match:
    // Grouping by a constant value to effectively monitor the entire log stream as one entity
    $event.metadata.log_type = "MIMECAST_MAIL_V2" over 20m

  outcome:
    // Find the timestamp of the very last event received
    $max_event_time_seconds = max($event.metadata.event_timestamp.seconds)
    // Calculate the difference between the current time and the last event time in seconds
    $max_diff_seconds = timestamp.current_seconds() - $max_event_time_seconds

    // Optional: Include timestamps in the detection outcome for context
    $max_event_timestamp = timestamp.get_timestamp($max_event_time_seconds, "SECOND")
    $current_timestamp = timestamp.get_timestamp(timestamp.current_seconds(), "SECOND")

  condition:
    // If there was at least one event in the 20m window AND
    // the time difference since the last event is greater than 10 minutes (600 seconds)
    $event and $max_diff_seconds > 600
}



Error:

  • parsing: error with token: "." expected over line: 24 column: 10-11

Something is giving an error in the match part. Suggestions are always helpful.

AymanC
  • Bronze 5
  • 194 replies
  • November 14, 2025

Hi @spanuganti,

Does the below work?

{
  meta:

  events:
    // Scan events in the last 20 minutes (1200 seconds)
    $event.metadata.event_timestamp.seconds > timestamp.current_seconds() - 1200
    // Filter specifically for the target log type and vendor
    $event.metadata.log_type = $LogType
    $LogType = "MIMECAST_MAIL_V2"
    $event.metadata.vendor_name = "Mimecast"

  match:
    // Grouping by a constant value to effectively monitor the entire log stream as one entity
    $LogType over 20m

  outcome:
    // Find the timestamp of the very last event received
    $max_event_time_seconds = max($event.metadata.event_timestamp.seconds)
    // Calculate the difference between the current time and the last event time in seconds
    $max_diff_seconds = timestamp.current_seconds() - $max_event_time_seconds

    // Optional: Include timestamps in the detection outcome for context
    $max_event_timestamp = timestamp.get_timestamp($max_event_time_seconds, "SECOND")
    $current_timestamp = timestamp.get_timestamp(timestamp.current_seconds(), "SECOND")

  condition:
    // If there was at least one event in the 20m window AND
    // the time difference since the last event is greater than 10 minutes (600 seconds)
    $event and $max_diff_seconds > 600
}


Kind Regards,

Ayman
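As an added example that is not part of the thread (written in Python rather than YARA-L; the feed names, timestamps and the EXPECTED_FEEDS inventory are made up for the demonstration), the outcome and condition logic of the rule above is replayed over constructed events so it can be checked offline. It shows two things worth verifying before relying on the rule: the condition "$event and $max_diff_seconds > 600" can only be evaluated when at least one event fell inside the 20-minute window, so a feed that delivered nothing in that window never matches, and once the last events age out of the window the rule stops firing even though the feed is still dark. The silent_feeds function is a separate, inventory-driven check that reports both cases.

```python
# Added example (not from the forum thread): the rule's outcome/condition
# logic re-implemented in Python and run over constructed sample events.
# Feed names, timestamps and EXPECTED_FEEDS are assumptions for the demo.
from datetime import datetime, timedelta, timezone

MATCH_WINDOW = timedelta(minutes=20)   # the rule's "over 20m" window
SILENCE_LIMIT = timedelta(minutes=10)  # the rule's 600-second threshold

# Evaluation instant for the sample data (constructed).
NOW = datetime(2025, 11, 14, 12, 0, tzinfo=timezone.utc)

# Constructed events, shaped like the UDM metadata fields the rule reads.
SAMPLE_EVENTS = [
    {"log_type": "MIMECAST_MAIL_V2", "vendor_name": "Mimecast",
     "event_timestamp": NOW - timedelta(minutes=19)},
    {"log_type": "MIMECAST_MAIL_V2", "vendor_name": "Mimecast",
     "event_timestamp": NOW - timedelta(minutes=12)},
    {"log_type": "CS_EDR", "vendor_name": "Crowdstrike",
     "event_timestamp": NOW - timedelta(minutes=1)},
    # "OKTA" deliberately has no events at all: a feed that is fully dark.
]

# Assumed inventory of feeds that should always be delivering.
EXPECTED_FEEDS = {"MIMECAST_MAIL_V2", "CS_EDR", "OKTA"}


def gap_since_last_event(events, log_type, now=NOW, window=MATCH_WINDOW):
    """Mirror of the rule: the events section keeps only events newer than
    now - 1200s for the log type; the outcome takes max(event_timestamp)
    and subtracts it from now. Returns None when nothing is in the window,
    which is the case where the rule has no $event to evaluate at all."""
    in_window = [e["event_timestamp"] for e in events
                 if e["log_type"] == log_type
                 and e["event_timestamp"] > now - window]
    if not in_window:
        return None
    return now - max(in_window)


def rule_fires(events, log_type, now=NOW):
    """The rule's condition: '$event and $max_diff_seconds > 600'."""
    gap = gap_since_last_event(events, log_type, now)
    return gap is not None and gap > SILENCE_LIMIT


def fires_over_time(events, log_type, start=NOW,
                    step=timedelta(minutes=5), evaluations=3):
    """Evaluate the rule at successive instants to show how long it keeps
    firing after a feed has stopped."""
    return [rule_fires(events, log_type, start + i * step)
            for i in range(evaluations)]


def silent_feeds(events, expected=EXPECTED_FEEDS, now=NOW):
    """Inventory-driven check: report every expected feed whose newest
    event (over all history, not just the window) is older than
    SILENCE_LIMIT, or that has no events at all."""
    last_seen = {}
    for e in events:
        lt, ts = e["log_type"], e["event_timestamp"]
        if lt not in last_seen or ts > last_seen[lt]:
            last_seen[lt] = ts
    silent = set()
    for feed in expected:
        ts = last_seen.get(feed)
        if ts is None or now - ts > SILENCE_LIMIT:
            silent.add(feed)
    return silent


if __name__ == "__main__":
    for feed in sorted(EXPECTED_FEEDS):
        print(f"{feed:18} rule fires: {rule_fires(SAMPLE_EVENTS, feed)}")
    print("rule over the next 10 minutes (Mimecast):",
          fires_over_time(SAMPLE_EVENTS, "MIMECAST_MAIL_V2"))
    print("inventory check reports:", sorted(silent_feeds(SAMPLE_EVENTS)))
```

With the constructed data the rule fires for MIMECAST_MAIL_V2 (last event 12 minutes ago), stays quiet for CS_EDR, and never fires for OKTA because there is no $event to match. Evaluated again 5 and 10 minutes later, the Mimecast result goes True, True, False as the old events leave the 20-minute window, which is why a feed-silence alert normally needs a reference list of expected feeds, as in silent_feeds, rather than only the events that happen to arrive.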


Austin123
  • Bronze 2
  • 2 replies
  • November 17, 2025

Hi @spanuganti,

Does the above logic work for you?