Chronicle Detect Rules
Chronicle Detect is a threat detection tool built on the power of Google's infrastructure. Learn more about Chronicle here.
With Chronicle Detect, you can use advanced rules out-of-the-box, create your own, or migrate rules over from legacy tools. The rules engine incorporates one of the most flexible and widely-used detection languages globally, YARA, which makes it easy to build detections for tactics and techniques found in the commonly used MITRE ATT&CK security framework.
In this post, we talk through Chronicle Detect rules, including the "rules dashboard", how to create new rules, and a quick look at the real-time threat indicators from Chronicle's threat research team, Uppercase, which help automate your search for security issues.
Here you can see how the "rules dashboard" looks. Rules are ordered by the number of detections over the past three weeks, so the rule at the top of the list is the one that has fired most often. The dashboard also shows each rule's activity over time, so you can see when it produced detections, and each rule's severity. Because the dashboard already presents rules in order of importance, you spend less time searching through detections to decide where to look first.
To see more about a specific rule's detections, click the rule name; this opens a new view with further information, such as a timeline of events.
Creating a rule
By creating your own rules and using the out-of-the-box rules, you can easily detect activity which might be a security issue.
To create your own rule, click New in the Rules Editor. This opens the Rules Editor window, which Chronicle automatically populates with the default rule template.
Chronicle also automatically generates a unique name for the rule. Create your new rule in YARA-L.
When you have finished, click SAVE NEW RULE. Chronicle checks the syntax of your rule. If the rule is valid, it is saved and automatically enabled. If the syntax is invalid, it returns an error. To delete the new rule, click DISCARD.
When you create and enable a new rule, the rule immediately begins searching for detections in the events being received by your Chronicle account in real time.
The following illustrates the generic structure of a rule:
rule <rule Name> {
  meta:
    // Stores arbitrary key-value pairs of rule details, such as who wrote
    // it, what it detects on, version control, etc.
    // Identical to the meta section in YARA-L.
    // For example:
    // author = "Analyst #2112"
    // date = "08/09/2020"
    // description = "suspicious domain detected"

  events:
    // Conditions to filter events and the relationship between events.

  match:
    // Values to return when matches are found.

  condition:
    // Condition to check events and the variables used to find matches.
}
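To show how the four sections fit together, here is a complete YARA-L 2.0 rule written as an added example for this post; it is not a rule shipped by Chronicle or Uppercase. It fills in the "suspicious domain detected" idea from the template's meta section: the events section filters UDM DNS events, the match section groups detections per host over a one-hour window, and the condition section states that at least one matching event is required. The domain name `suspicious-example.invalid` is a constructed placeholder, and the author and severity values are assumed.

```yaral
rule suspicious_domain_example {
  meta:
    // Rule details: who wrote it, what it detects, and how serious it is.
    // The author and severity values below are assumptions for this example.
    author = "Example Analyst"
    date = "08/09/2020"
    description = "suspicious domain detected"
    severity = "Medium"

  events:
    // Only look at DNS events in the UDM event stream.
    $dns.metadata.event_type = "NETWORK_DNS"
    // Match DNS questions for the constructed placeholder domain.
    // Replace with a domain from your own threat intelligence.
    $dns.network.dns.questions.name = "suspicious-example.invalid"
    // Bind the querying host to a match variable so detections group per host.
    $dns.principal.hostname = $hostname

  match:
    // One detection per host per one-hour window, rather than one per query.
    $hostname over 1h

  condition:
    // Fire when at least one DNS event in the window matches the filters above.
    $dns
}
```

When you paste a rule like this into the Rules Editor and click SAVE NEW RULE, Chronicle validates the syntax before enabling it; a missing section keyword or a field name that is not part of UDM is reported as an error at that point rather than silently producing no detections.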
Real-time threat indicators
Chronicle Detect features a stream of high-risk attack campaign indicators and rules from Chronicle's threat research team, Uppercase. New rules and indicators are delivered on a regular basis.
The Uppercase researchers create rules from the latest crimeware, APTs, and other unwanted malicious programs. The Uppercase-provided IOCs are analysed against all security telemetry in your Chronicle system, and you are notified immediately if high-risk threat indicators are present in your environment. Because the IOCs are checked against historical as well as current data, Chronicle can also show whether your environment was hit by the threat in the past.
Want more information or to see Chronicle in action? Book a demo!