The power of BeyondCorp Enterprise with Chronicle

Finding the users or devices that present the highest risk to an enterprise is not a simple task. Because the Chronicle Security Operations Platform correlates the logs of the many users and devices that connect through BeyondCorp Enterprise (BCE), abnormal behaviour becomes easier to detect.

BCE is a cloud-based workforce Zero Trust Network Access (ZTNA) offering that provides secure application ('north-south') access with built-in threat and data protection. BCE lets enterprises eliminate the unfettered lateral exposure created by the network-level access of a traditional remote-user VPN, prevents sensitive data loss and protects devices from being compromised by advanced threats.

Native integration with Chronicle means the logs collected by BCE are ingested into Chronicle, where detection rules can use them to surface easily accessible, in-product information for security analysts. This simplifies triage, investigation and response, reducing the mean time to remediation for threats surfaced by BCE logs.

Security outcomes with BCE native integration to Chronicle

Ingesting BCE data not only increases the value customers get from Chronicle but also enables new use cases that are otherwise unavailable. BCE provides real-time activity logs at a granular device and user level, which lets security teams stitch their workflows together with near real-time, accurate context about users and devices, and understand the relationships between users, devices and applications. Security administrators gain visibility into threat and data protection logs and can connect them with other security telemetry to detect and remediate threats proactively.

Architecture Overview

BeyondCorp Enterprise relies on Chrome, Endpoint Verification, Cloud Identity, Access Context Manager and Identity-Aware Proxy (IAP) to control access to critical applications.

The audit and activity logs from these components are ingested into Chronicle for detection and response.

Figure 1: Architecture Overview

Data Ingestion

The BCE and Chronicle integration ingests BCE activity from Identity-Aware Proxy (IAP) and Chrome Management as log events in Chronicle.

It also ingests device and user context for those activities from BCE Cloud Identity Devices and Users, which becomes entity context for the events in Chronicle, as shown in Table 1.

1. GCP Cloud Audit
   Source system: GCP
   Description: User login activity (allow/block) from Identity-Aware Proxy (IAP) Data Access audit events
   Chronicle destination: UDM Events
   Ingestion method: GCP to Chronicle, near real time (minutes)

2. GCP Cloud Identity Devices
   Source system: Cloud Identity
   Description: Device metadata collected by the Endpoint Verification (EV) agent
   Chronicle destination: Asset Context Entity
   Ingestion method: Cloud Identity API pull via Chronicle Feeds, every 24 hours

3. GCP Cloud Identity Device Users
   Source system: Cloud Identity
   Description: User identity metadata associated with devices, collected by the Endpoint Verification (EV) agent
   Chronicle destination: User Context associated with the Asset Entity
   Ingestion method: Cloud Identity API pull via Chronicle Feeds, every 24 hours

4. Chrome Management Threat Logs
   Source system: Cloud Identity
   Description: Chrome Management threat events (badNavigationEvent, dangerousDownloadEvent, interstitialEvent, malwareTransferEvent, unscannedFileEvent, passwordBreachEvent, passwordReuseEvent)
   Chronicle destination: UDM Events
   Ingestion method: Chronicle Ingestion API push from Cloud Identity (minutes)

5. Chrome Management DLP Logs
   Source system: Cloud Identity
   Description: Chrome Management Data Loss Prevention (DLP) events (contentTransferEvent, sensitiveDataTransferEvent, sensitiveDataEvent)
   Chronicle destination: UDM Events
   Ingestion method: Chronicle Ingestion API push from Cloud Identity (minutes)

Table 1: Ingested Log Types

Configuration

The configuration for ingesting logs into Chronicle SIEM is specific to each log type listed in Table 1.

For more information about these configurations, please refer to:

Detection Rules

Multiple detection rules have been created to take advantage of Chronicle's ability to correlate BCE events and context. All of these rules should be tuned for the target Chronicle instance by adjusting the event filters, match windows and/or conditions.

Figure 2: Chronicle Rules Dashboard for BCE Rules

bce01_multiple_logins_from_multiple_devices (Multiple Events Rule)
  Description: Same user logged in from multiple devices over a short time.
  Default configuration: correlate on principal user email over 30 min; login events > 1; asset context entities > 1.
  Referenced log types: GCP Cloud Audit, GCP Cloud Identity Devices, GCP Cloud Identity Device Users.

bce02_allowed_login_after_multiple_blocked (Multiple Events Rule)
  Description: Repeated login failures followed by a success within 1 h against the same target resource/URL.
  Default configuration: correlate on principal user email and target resource name over 1 hr; login failed events >= 10; login successful events > 0.
  Referenced log types: GCP Cloud Audit.

bce03_multiple_accessed_resources_per_user_in_short_time (Multiple Events Rule)
  Description: Too many apps/resources accessed by the same user over a short time.
  Default configuration: correlate on principal user email and target resource name over 5 min; login successful events >= 5.
  Referenced log types: GCP Cloud Audit.

bce04_multiple_accessed_resources_per_device_in_short_time (Multiple Events Rule)
  Description: Too many apps/resources accessed from the same device over a short time.
  Default configuration: correlate on device id and target resource name over 5 min; login successful events >= 5.
  Referenced log types: GCP Cloud Audit.

bce05_multiple_accessed_resources_per_user_device_in_short_time (Multiple Events Rule)
  Description: Too many apps/resources accessed by the same user from the same device over a short time.
  Default configuration: correlate on principal user email, device id and target resource name over 5 min; login successful events >= 5.
  Referenced log types: GCP Cloud Audit.

bce06_multiple_blocked_logins_per_resource_in_short_time (Multiple Events Rule)
  Description: Repeated login failures over 5 min against the same target resource.
  Default configuration: correlate on target resource name over 5 min; login failed events >= 100.
  Referenced log types: GCP Cloud Audit.

bce07_multiple_blocked_logins_per_device_in_short_time (Multiple Events Rule)
  Description: Repeated login failures over 5 min from the same device id.
  Default configuration: correlate on device id over 5 min; login failed events >= 5.
  Referenced log types: GCP Cloud Audit.

bce08_multiple_blocked_logins_per_user_email_in_short_time (Multiple Events Rule)
  Description: Repeated login failures over 5 min from the same user email.
  Default configuration: correlate on principal user email over 5 min; login failed events >= 5.
  Referenced log types: GCP Cloud Audit.

bce09_multiple_sensitive_file_transfers_in_short_time (Multiple Events Rule)
  Description: Too many sensitive files transferred by the same user over a short time.
  Default configuration: correlate on principal user email over 30 min; DLP sensitive file transfer events >= 2.
  Referenced log types: Chrome Management DLP Logs.

bce10_multiple_transfers_for_same_sensitive_file_in_short_time (Multiple Events Rule)
  Description: Too many transfers of the same sensitive file over a short time.
  Default configuration: correlate on target file SHA-256 hash and target file size over 24 hr; DLP sensitive file transfer events >= 5.
  Referenced log types: Chrome Management DLP Logs.

bce11_multiple_dangerous_file_transfers_in_short_time (Multiple Events Rule)
  Description: Too many dangerous files transferred by the same user over a short time.
  Default configuration: correlate on principal user email over 30 min; threat dangerous file transfer/download events >= 2.
  Referenced log types: Chrome Management Threat Logs.

bce12_multiple_transfers_for_same_dangerous_file_in_short_time (Multiple Events Rule)
  Description: Too many transfers of the same dangerous file over a short time.
  Default configuration: correlate on target file SHA-256 hash and target file size over 24 hr; threat dangerous file transfer/download events >= 2.
  Referenced log types: Chrome Management Threat Logs.

bce13_multiple_dangerous_site_visits_in_short_time (Multiple Events Rule)
  Description: Too many dangerous sites visited by the same user over a short time.
  Default configuration: correlate on principal user email over 30 min; threat dangerous site visit/navigation events >= 2.
  Referenced log types: Chrome Management Threat Logs.

bce14_multiple_unscanned_files_in_short_time (Multiple Events Rule)
  Description: Too many unscanned files for the same user over a short time.
  Default configuration: correlate on principal user email over 30 min; threat unscanned file events >= 2.
  Referenced log types: Chrome Management Threat Logs.

bce15_multiple_events_for_same_unscanned_file_in_short_time (Multiple Events Rule)
  Description: Too many events for the same unscanned file over a short time.
  Default configuration: correlate on target file SHA-256 hash and target file size over 24 hr; threat unscanned file events >= 2.
  Referenced log types: Chrome Management Threat Logs.

bce16_user_password_breach (Single Event Rule)
  Description: The user's password was breached on a third-party site or app. Chrome Password Manager must be enabled for these events to be generated.
  Default configuration: threat password breach events >= 1.
  Referenced log types: Chrome Management Threat Logs.

bce17_user_password_reuse (Single Event Rule)
  Description: The user's password was reused on a third-party site outside the list of allowed enterprise login URLs.
  Default configuration: threat password reuse events >= 1.
  Referenced log types: Chrome Management Threat Logs.

Table 2: BCE Detection Rules
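Before tuning thresholds in a live instance, it helps to replay a rule's logic against a handful of constructed events. The Python below is an added example, not code from the original page or from Chronicle: it re-implements the correlation of bce01 (same user, several devices, 30 min) and bce02 (10 blocked logins then an allowed one, same user and resource, 1 h) over UDM-shaped dictionaries carrying only the fields those rules read. The IAP resource names, e-mail addresses, device ids and serial numbers are invented, the asset context dictionary stands in for the Cloud Identity Devices entities, and the window handling is a look-back from each qualifying event, which approximates rather than reproduces YARA-L's match-window semantics.

```python
"""Offline replay of BCE rules bce01 and bce02 against constructed UDM-shaped events.
Added example, not code from the original page or from Chronicle."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same capture the rules apply to target.asset.asset_id ("Device Id: <id>").
DEVICE_ID_RE = re.compile(r"Device Id: (.*)")

# Constructed IAP resource names (assumed format, not taken from real logs).
APP_A = "//iap.googleapis.com/projects/111/iap_web/compute/services/app-a"
APP_B = "//iap.googleapis.com/projects/111/iap_web/compute/services/app-b"


def _ts(minute):
    return datetime(2024, 1, 1, 9, minute, tzinfo=timezone.utc)


def login_event(ts, email, action, resource, device_id):
    """Minimal UDM USER_LOGIN event carrying only the fields bce01/bce02 read."""
    return {
        "metadata": {"event_type": "USER_LOGIN", "event_timestamp": ts},
        "security_result": [{"action": action}],
        "principal": {"user": {"email_addresses": [email]}},
        "target": {"asset": {"asset_id": f"Device Id: {device_id}"},
                   "resource": {"name": resource}},
    }


# Constructed sample telemetry (invented users, devices and outcomes):
#   alice: 10 BLOCKs on app-a, then an ALLOW      -> bce02 fires
#   bob:   3 BLOCKs on app-b, then an ALLOW       -> below threshold
#   carol: ALLOWs from two devices within 30 min  -> bce01 fires
SAMPLE_EVENTS = (
    [login_event(_ts(i), "alice@example.com", "BLOCK", APP_A, "dev-1") for i in range(10)]
    + [login_event(_ts(12), "alice@example.com", "ALLOW", APP_A, "dev-1")]
    + [login_event(_ts(i), "bob@example.com", "BLOCK", APP_B, "dev-2") for i in range(3)]
    + [login_event(_ts(5), "bob@example.com", "ALLOW", APP_B, "dev-2")]
    + [login_event(_ts(20), "carol@example.com", "ALLOW", APP_A, "dev-3"),
       login_event(_ts(35), "carol@example.com", "ALLOW", APP_B, "dev-4")]
)

# Constructed asset context keyed by asset_id, standing in for the Cloud
# Identity Devices entities that bce01 joins against (serial numbers invented).
ASSET_CONTEXT = {
    "dev-1": {"serial_number": "SN-AAA111"},
    "dev-3": {"serial_number": "SN-CCC333"},
    "dev-4": {"serial_number": "SN-DDD444"},
}


def _email(e):
    return e["principal"]["user"]["email_addresses"][0]


def _action(e):
    return e["security_result"][0]["action"]


def _time(e):
    return e["metadata"]["event_timestamp"]


def device_id(event):
    """Equivalent of re.capture($login.target.asset.asset_id, "Device Id: (.*)")."""
    m = DEVICE_ID_RE.search(event["target"]["asset"]["asset_id"])
    return m.group(1) if m else ""


def allowed_after_blocked(events, window=timedelta(hours=1), min_blocked=10):
    """bce02: per (user email, target resource), at least min_blocked BLOCK logins
    no later than an ALLOW login, all inside one window (look-back from the ALLOW)."""
    groups = defaultdict(list)
    for e in events:
        if e["metadata"]["event_type"] == "USER_LOGIN":
            groups[(_email(e), e["target"]["resource"]["name"])].append(e)
    detections = []
    for (email, resource), evs in groups.items():
        for success in (e for e in evs if _action(e) == "ALLOW"):
            blocked = [e for e in evs if _action(e) == "BLOCK"
                       and _time(success) - window <= _time(e) <= _time(success)]
            if len(blocked) >= min_blocked:
                detections.append({"user": email, "resource": resource,
                                   "login_failed_count": len(blocked),
                                   "login_success_count": 1})
                break  # one detection per match key
    return detections


def user_on_multiple_devices(events, asset_context, window=timedelta(minutes=30)):
    """bce01: per user, allowed logins from more than one distinct device inside the
    window, counting only devices that resolve to an asset context entity."""
    by_user = defaultdict(list)
    for e in events:
        if e["metadata"]["event_type"] == "USER_LOGIN" and _action(e) == "ALLOW":
            by_user[_email(e)].append(e)
    detections = []
    for email, evs in by_user.items():
        for first in sorted(evs, key=_time):
            in_window = [e for e in evs if _time(first) <= _time(e) < _time(first) + window]
            devices = {device_id(e) for e in in_window} & set(asset_context)
            if len(devices) > 1:
                detections.append({"user": email, "device_id_list": sorted(devices),
                                   "serial_number_list": sorted(
                                       asset_context[d]["serial_number"] for d in devices)})
                break
    return detections


if __name__ == "__main__":
    for hit in allowed_after_blocked(SAMPLE_EVENTS) + user_on_multiple_devices(SAMPLE_EVENTS, ASSET_CONTEXT):
        print(hit)
```

Lowering `min_blocked` to 3 makes bob's three failures fire as well, which is the kind of threshold experiment worth running on a site's real failure rates before changing the `#login_failed >= 10` condition in the deployed rule. Note that bob's device (`dev-2`) has no asset context entry, so bce01's join would silently drop it; that is the case the Endpoint Verification agent must be enrolled to cover.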

Summary

The integration of BCE with Chronicle gives organizations user- and device-level telemetry they can correlate with the rest of their security data to detect and respond to threats faster. It is available now to customers of both Chronicle and BCE. For more information, contact your sales representative.


BCE Detection Rules

bce01_multiple_logins_from_multiple_devices

rule bce01_multiple_logins_from_multiple_devices {
  // Multi-event rule: joins allowed IAP login events (UDM) with Cloud Identity
  // device and user context entities, then groups by user over a 30-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Same user logged in from multiple devices over a short time"
    severity = "Medium"
  events:
    // Login event - GCP Cloud Audit (IAP)
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    $login.principal.user.email_addresses = $user_email
    re.capture($login.target.asset.asset_id, "Device Id: (.*)") = $device_id
    // Asset context - GCP Cloud Identity Devices
    $asset_ctx.graph.entity.asset.asset_id = $device_id
    $asset_ctx.graph.entity.asset.hardware.serial_number = $device_serial_number // not available for Linux or when blocked by the OS
    $asset_ctx.graph.entity.asset.product_object_id = $asset_product_object_id // hash of the serial number for corporate devices, of device_resource_id for user-owned devices
    // User context - GCP Cloud Identity Device Users
    $user_ctx.graph.metadata.entity_type = "USER"
    $user_ctx.graph.entity.user.email_addresses = $user_email
    $user_ctx.graph.entity.user.product_object_id = $device_resource_id
    $user_ctx.graph.relations.entity.asset.product_object_id = $asset_product_object_id
    $user_ctx.graph.relations.entity_type = "ASSET"
    $user_ctx.graph.relations.relationship = "MEMBER"
  match:
    $user_email over 30m
  outcome:
    $serial_number_list = array_distinct($device_serial_number)
    $serial_number_count = count_distinct($device_serial_number)
    $device_id_list = array_distinct($device_id)
    $device_resource_id_list = array_distinct($device_resource_id)
    $user_login_event_array = array($user_email)
    $user_login_event_count = count($user_email)
  condition:
    // More than one login and more than one matching device entity for the same user.
    #login > 1 and #asset_ctx > 1 and $user_ctx
}

bce02_allowed_login_after_multiple_blocked

rule bce02_allowed_login_after_multiple_blocked {
  // Multi-event rule: pairs blocked IAP logins with a later allowed login by the
  // same user to the same target resource within a 1-hour window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Repeated login failures before success over 1h to same target resource/url"
    severity = "High"
  events:
    $login_failed.metadata.event_type = "USER_LOGIN"
    $login_failed.security_result.action = "BLOCK"
    $login_failed.principal.user.email_addresses = $principal_user_email
    $login_failed.target.resource.name = $target_resource_name // GCP resource ID
    $login_success.metadata.event_type = "USER_LOGIN"
    $login_success.security_result.action = "ALLOW"
    $login_success.principal.user.email_addresses = $principal_user_email
    $login_success.target.resource.name = $target_resource_name // GCP resource ID
    // The failures must precede (or coincide with) the successful login.
    $login_failed.metadata.event_timestamp.seconds <= $login_success.metadata.event_timestamp.seconds
  match:
    $principal_user_email, $target_resource_name over 1h
  outcome:
    $login_failed_count = count($login_failed.security_result.action)
    $login_success_count = count($login_success.security_result.action)
  condition:
    #login_failed >= 10 and $login_success
}

bce03_multiple_accessed_resources_per_user_in_short_time

rule bce03_multiple_accessed_resources_per_user_in_short_time {
  // Multi-event rule: counts allowed IAP logins per user and target resource
  // over a 5-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Too many apps/resources accessed by same user over a short time"
    severity = "Medium"
  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    $login.principal.user.email_addresses = $user_email
    re.capture($login.target.asset.asset_id, "Device Id: (.*)") = $device_id
    $login.target.resource.name = $target_resource
  match:
    // target_resource is a match variable, so this fires on repeated logins to
    // one resource; see the "improvement" note on bce05 for splitting it out.
    $user_email, $target_resource over 5m
  outcome:
    $device_id_distinct_list = array_distinct($device_id)
    $device_id_distinct_count = count_distinct($device_id)
    $login_event_count = count($target_resource)
  condition:
    #login >= 5
}

bce04_multiple_accessed_resources_per_device_in_short_time

rule bce04_multiple_accessed_resources_per_device_in_short_time {
  // Multi-event rule: counts allowed IAP logins per device id and target
  // resource over a 5-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Too many apps/resources accessed from same device over a short time"
    severity = "Medium"
  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    $login.principal.user.email_addresses = $user_email
    re.capture($login.target.asset.asset_id, "Device Id: (.*)") = $device_id
    $login.target.resource.name = $target_resource
  match:
    $device_id, $target_resource over 5m
  outcome:
    $user_email_distinct_list = array_distinct($user_email)
    $user_email_distinct_count = count_distinct($user_email)
    $login_event_count = count($target_resource)
  condition:
    #login >= 5
}

bce05_multiple_accessed_resources_per_user_device_in_short_time

rule bce05_multiple_accessed_resources_per_user_device_in_short_time {
  // Multi-event rule: counts allowed IAP logins per user, device id and target
  // resource over a 5-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Too many apps/resources accessed by same user from same device over a short time"
    severity = "Medium"
    improvement = "Multiple allows to different resource_name from same principal_email_address and/or device_id. Split in 2 rules"
  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    $login.principal.user.email_addresses = $user_email
    re.capture($login.target.asset.asset_id, "Device Id: (.*)") = $device_id
    $login.target.resource.name = $target_resource
  match:
    $user_email, $device_id, $target_resource over 5m
  outcome:
    $login_event_count = count($target_resource)
  condition:
    #login >= 5
}

bce06_multiple_blocked_logins_per_resource_in_short_time

rule bce06_multiple_blocked_logins_per_resource_in_short_time {
  // Multi-event rule: counts blocked IAP logins per target resource over a
  // 5-minute window, regardless of user or device.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Repeated login failures over 5m to same target resource"
    severity = "Medium"
  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    $login.principal.user.email_addresses = $user_email
    re.capture($login.target.asset.asset_id, "Device Id: (.*)") = $device_id
    $login.target.resource.name = $target_resource
  match:
    $target_resource over 5m
  outcome:
    $user_email_distinct_list = array_distinct($user_email)
    $user_email_distinct_count = count_distinct($user_email)
    $login_event_count = count($target_resource)
  condition:
    #login >= 100
}

bce07_multiple_blocked_logins_per_device_in_short_time

rule bce07_multiple_blocked_logins_per_device_in_short_time {
  // Multi-event rule: counts blocked IAP logins per device id over a 5-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Repeated login failures over 5m from same device id"
    severity = "Medium"
  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    $login.principal.user.email_addresses = $user_email
    re.capture($login.target.asset.asset_id, "Device Id: (.*)") = $device_id
    $device_id != "" // ignore events that carry no device id
    $login.target.resource.name = $target_resource
  match:
    $device_id over 5m
  outcome:
    $user_email_distinct_list = array_distinct($user_email)
    $user_email_distinct_count = count_distinct($user_email)
    $login_event_count = count($target_resource)
  condition:
    #login >= 5
}

bce08_multiple_blocked_logins_per_user_email_in_short_time

rule bce08_multiple_blocked_logins_per_user_email_in_short_time {
  // Multi-event rule: counts blocked IAP logins per user email over a 5-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Repeated login failures over 5m from same user email"
    severity = "Medium"
  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    $login.principal.user.email_addresses = $user_email
    re.capture($login.target.asset.asset_id, "Device Id: (.*)") = $device_id
    $login.target.resource.name = $target_resource
  match:
    $user_email over 5m
  outcome:
    $login_event_count = count($target_resource)
  condition:
    #login >= 5
}

bce09_multiple_sensitive_file_transfers_in_short_time

rule bce09_multiple_sensitive_file_transfers_in_short_time {
  // Multi-event rule: counts Chrome Management DLP events per user over a 30-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event types: https://support.google.com/a/answer/9393909?hl=en
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Too many sensitive files were transferred from same user over a short time"
    severity = "Medium"
  events:
    // DLP event
    $dlp.metadata.product_name = "Chrome Management"
    ($dlp.metadata.product_event_type = "contentTransferEvent"
      or $dlp.metadata.product_event_type = "sensitiveDataTransferEvent"
      or $dlp.metadata.product_event_type = "sensitiveDataEvent")
    $dlp.principal.user.email_addresses = $user_email
    $dlp.security_result.summary = $security_result_summary
    $dlp.security_result.action_details = $security_result_action_details
    $dlp.target.file.sha256 = $target_file_sha256
    $dlp.target.file.size = $target_file_size
    $dlp.target.file.full_path = $target_file_full_path
  match:
    $user_email over 30m
  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)
  condition:
    #dlp >= 2
}

bce10_multiple_transfers_for_same_sensitive_file_in_short_time

rule bce10_multiple_transfers_for_same_sensitive_file_in_short_time {
  // Multi-event rule: counts Chrome Management DLP events for the same file
  // (SHA-256 and size) across all users over a 24-hour window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event types: https://support.google.com/a/answer/9393909?hl=en
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Too many transfers for same sensitive file over a short time"
    severity = "Medium"
  events:
    // DLP event
    $dlp.metadata.product_name = "Chrome Management"
    ($dlp.metadata.product_event_type = "contentTransferEvent"
      or $dlp.metadata.product_event_type = "sensitiveDataTransferEvent"
      or $dlp.metadata.product_event_type = "sensitiveDataEvent")
    $dlp.principal.user.email_addresses = $user_email
    $dlp.security_result.summary = $security_result_summary
    $dlp.security_result.action_details = $security_result_action_details
    $dlp.target.file.sha256 = $target_file_sha256
    $dlp.target.file.size = $target_file_size
    $dlp.target.file.full_path = $target_file_full_path
  match:
    $target_file_sha256, $target_file_size over 24h
  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)
    $target_file_full_path_distinct_list = array_distinct($target_file_full_path)
    $target_file_full_path_distinct_count = count_distinct($target_file_full_path)
    $user_email_distinct_list = array_distinct($user_email)
    $user_email_distinct_count = count_distinct($user_email)
  condition:
    #dlp >= 5
}

bce11_multiple_dangerous_file_transfers_in_short_time

rule bce11_multiple_dangerous_file_transfers_in_short_time {
  // Multi-event rule: counts Chrome Management dangerous-download and
  // malware-transfer events per user over a 30-minute window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event types: https://support.google.com/a/answer/9393909?hl=en
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Too many dangerous files were transferred from same user over a short time"
    severity = "Medium"
  events:
    // Threat event
    $threat.metadata.product_name = "Chrome Management"
    ($threat.metadata.product_event_type = "dangerousDownloadEvent"
      or $threat.metadata.product_event_type = "malwareTransferEvent")
    $threat.principal.user.email_addresses = $user_email
    $threat.security_result.summary = $security_result_summary
    $threat.security_result.action_details = $security_result_action_details
    $threat.target.file.sha256 = $target_file_sha256
    $threat.target.file.size = $target_file_size
    $threat.target.file.full_path = $target_file_full_path
  match:
    $user_email over 30m
  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)
  condition:
    #threat >= 2
}

bce12_multiple_transfers_for_same_dangerous_file_in_short_time

rule bce12_multiple_transfers_for_same_dangerous_file_in_short_time {
  // Multi-event rule: counts Chrome Management dangerous-download and
  // malware-transfer events for the same file (SHA-256 and size) across all
  // users over a 24-hour window.
  // See https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event types: https://support.google.com/a/answer/9393909?hl=en
  meta:
    // "author" and "severity" are shown as columns on the rules dashboard.
    // Severity value, by convention, should be "Low", "Medium" or "High".
    author = "Google Cloud Security"
    description = "Too many transfers for same dangerous file over a short time"
    severity = "Medium"
  events:
    // Threat event
    $threat.metadata.product_name = "Chrome Management"
    ($threat.metadata.product_event_type = "dangerousDownloadEvent"
      or $threat.metadata.product_event_type = "malwareTransferEvent")
    $threat.principal.user.email_addresses = $user_email
    $threat.security_result.summary = $security_result_summary
    $threat.security_result.action_details = $security_result_action_details
    $threat.target.file.sha256 = $target_file_sha256
    $threat.target.file.size = $target_file_size
    $threat.target.file.full_path = $target_file_full_path
  match:
    $target_file_sha256, $target_file_size over 24h
  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)
    $target_file_full_path_distinct_list = array_distinct($target_file_full_path)
    $target_file_full_path_distinct_count = count_distinct($target_file_full_path)
    $user_email_distinct_list = array_distinct($user_email)
    $user_email_distinct_count = count_distinct($user_email)
  condition:
    #threat >= 2
}

bce13_multiple_dangerous_site_visits_in_short_time

rule bce13_multiple_dangerous_site_visits_in_short_time {

  // This is a multi-event rule: the match section groups events within a time
  // window. For details about how to write a multi-event rule, see
  // https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event Types Information: https://support.google.com/a/answer/9393909?hl=en

  meta:
    // Allows for storage of arbitrary key-value pairs of rule details - who
    // wrote it, what it detects on, version control, etc.
    // The "author" and "severity" fields are special, as they are used as
    // columns on the rules dashboard. If you'd like to be able to sort based on
    // these fields on the dashboard, make sure to add them here.
    // Severity value, by convention, should be "Low", "Medium" or "High"
    author = "Google Cloud Security"
    description = "Too many dangerous sites were visited from same user over a short time"
    severity = "Medium"

  events:
    // Threat Event
    $threat.metadata.product_name = "Chrome Management"
    ($threat.metadata.product_event_type = "interstitialEvent"
      or $threat.metadata.product_event_type = "badNavigationEvent")
    //$e.principal.user.user_id = $user_id
    $threat.principal.user.email_addresses = $user_email
    $threat.security_result.summary = $security_result_summary
    $threat.security_result.action_details = $security_result_action_details
    $threat.target.file.sha256 = $target_file_sha256
    $threat.target.file.size = $target_file_size
    $threat.target.file.full_path = $target_file_full_path

  match:
    $user_email over 30m

  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)

  condition:
    #threat >= 2
}

bce14_multiple_unscanned_files_in_short_time

rule bce14_multiple_unscanned_files_in_short_time {

  // This is a multi-event rule: the match section groups events within a time
  // window. For details about how to write a multi-event rule, see
  // https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event Types Information: https://support.google.com/a/answer/9393909?hl=en

  meta:
    // Allows for storage of arbitrary key-value pairs of rule details - who
    // wrote it, what it detects on, version control, etc.
    // The "author" and "severity" fields are special, as they are used as
    // columns on the rules dashboard. If you'd like to be able to sort based on
    // these fields on the dashboard, make sure to add them here.
    // Severity value, by convention, should be "Low", "Medium" or "High"
    author = "Google Cloud Security"
    description = "Too many files were unscanned from same user over a short time"
    severity = "Medium"

  events:
    // Threat Event
    $threat.metadata.product_name = "Chrome Management"
    $threat.metadata.product_event_type = "unscannedFileEvent"
    //$e.principal.user.user_id = $user_id
    $threat.principal.user.email_addresses = $user_email
    $threat.security_result.summary = $security_result_summary
    $threat.security_result.action_details = $security_result_action_details
    $threat.target.file.sha256 = $target_file_sha256
    $threat.target.file.size = $target_file_size
    $threat.target.file.full_path = $target_file_full_path

  match:
    $user_email over 30m

  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)

  condition:
    #threat >= 2
}

bce15_multiple_events_for_same_unscanned_file_in_short_time

rule bce15_multiple_events_for_same_unscanned_file_in_short_time {

  // This is a multi-event rule: the match section groups events within a time
  // window. For details about how to write a multi-event rule, see
  // https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event Types Information: https://support.google.com/a/answer/9393909?hl=en

  meta:
    // Allows for storage of arbitrary key-value pairs of rule details - who
    // wrote it, what it detects on, version control, etc.
    // The "author" and "severity" fields are special, as they are used as
    // columns on the rules dashboard. If you'd like to be able to sort based on
    // these fields on the dashboard, make sure to add them here.
    // Severity value, by convention, should be "Low", "Medium" or "High"
    author = "Google Cloud Security"
    description = "Too many transfers for same unscanned file over a short time"
    severity = "Medium"

  events:
    // Threat Event
    $threat.metadata.product_name = "Chrome Management"
    $threat.metadata.product_event_type = "unscannedFileEvent"
    $threat.principal.user.email_addresses = $user_email
    $threat.security_result.summary = $security_result_summary
    $threat.security_result.action_details = $security_result_action_details
    $threat.target.file.sha256 = $target_file_sha256
    $threat.target.file.size = $target_file_size
    $threat.target.file.full_path = $target_file_full_path

  match:
    $target_file_sha256, $target_file_size over 24h

  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)
    $target_file_full_path_distinct_list = array_distinct($target_file_full_path)
    $target_file_full_path_distinct_count = count_distinct($target_file_full_path)
    $user_email_distinct_list = array_distinct($user_email)
    $user_email_distinct_count = count_distinct($user_email)

  condition:
    #threat >= 2
}

bce16_user_password_breach

rule bce16_user_password_breach {

  // This rule matches single events. Rules can also match multiple events within
  // some time window. For details about how to write a multi-event rule, see
  // https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event Types Information: https://support.google.com/a/answer/9393909?hl=en

  meta:
    // Allows for storage of arbitrary key-value pairs of rule details - who
    // wrote it, what it detects on, version control, etc.
    // The "author" and "severity" fields are special, as they are used as
    // columns on the rules dashboard. If you'd like to be able to sort based on
    // these fields on the dashboard, make sure to add them here.
    // Severity value, by convention, should be "Low", "Medium" or "High"
    author = "Google Cloud Security"
    description = "User's password was breached in third party site or app. Password Manager must be enabled."
    severity = "High"

  events:
    // Threat Event
    $threat.metadata.product_name = "Chrome Management"
    $threat.metadata.product_event_type = "passwordBreachEvent"
    $threat.principal.user.email_addresses = $user_email
    $threat.security_result.summary = $security_result_summary
    $threat.security_result.action_details = $security_result_action_details
    $threat.target.file.sha256 = $target_file_sha256
    $threat.target.file.size = $target_file_size
    $threat.target.file.full_path = $target_file_full_path
    $threat.target.url = $target_url

  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)

  condition:
    $threat
}

bce17_user_password_reuse

rule bce17_user_password_reuse {

  // This rule matches single events. Rules can also match multiple events within
  // some time window. For details about how to write a multi-event rule, see
  // https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview#single-event_versus_multi-event
  // Event Types Information: https://support.google.com/a/answer/9393909?hl=en

  meta:
    // Allows for storage of arbitrary key-value pairs of rule details - who
    // wrote it, what it detects on, version control, etc.
    // The "author" and "severity" fields are special, as they are used as
    // columns on the rules dashboard. If you'd like to be able to sort based on
    // these fields on the dashboard, make sure to add them here.
    // Severity value, by convention, should be "Low", "Medium" or "High"
    author = "Google Cloud Security"
    description = "User's password was reused in third party site that's outside of the list of allowed enterprise login URLs."
    severity = "High"

  events:
    // Threat Event
    $threat.metadata.product_name = "Chrome Management"
    $threat.metadata.product_event_type = "passwordReuseEvent"
    $threat.principal.user.email_addresses = $user_email
    $threat.security_result.summary = $security_result_summary
    $threat.security_result.action_details = $security_result_action_details
    $threat.target.file.sha256 = $target_file_sha256
    $threat.target.file.size = $target_file_size
    $threat.target.file.full_path = $target_file_full_path
    $threat.target.url = $target_url

  outcome:
    $security_result_summary_distinct_list = array_distinct($security_result_summary)
    $security_result_summary_distinct_count = count_distinct($security_result_summary)
    $security_result_action_details_distinct_list = array_distinct($security_result_action_details)
    $security_result_action_details_distinct_count = count_distinct($security_result_action_details)

  condition:
    $threat
}
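As an added illustration (not code from this page or from Chronicle), the Python below simulates how the match window, the array_distinct/count_distinct outcomes and the `#threat >= 2` condition of the multi-event rules bce12 to bce15 behave on a few constructed Chrome Management events, and how the single-event rules bce16 and bce17 (condition `$threat`) fire once per event. The event dicts use flattened stand-in keys for the UDM paths the rules reference, and the window handling is a simplification of Chronicle's real sliding windows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; keys are flattened stand-ins for the UDM paths
# ($threat.principal.user.email_addresses, $threat.target.file.sha256, ...).
EVENTS = [
    {"ts": "2024-01-01T09:00:00", "type": "unscannedFileEvent", "user_email": "alice@example.com",
     "sha256": "aaa", "size": 10, "summary": "Unscanned", "full_path": "/tmp/a.bin"},
    {"ts": "2024-01-01T09:10:00", "type": "unscannedFileEvent", "user_email": "alice@example.com",
     "sha256": "bbb", "size": 20, "summary": "Unscanned", "full_path": "/tmp/b.bin"},
    {"ts": "2024-01-01T11:00:00", "type": "unscannedFileEvent", "user_email": "alice@example.com",
     "sha256": "aaa", "size": 10, "summary": "Unscanned", "full_path": "/home/alice/a.bin"},
    {"ts": "2024-01-01T09:05:00", "type": "passwordBreachEvent", "user_email": "bob@example.com",
     "sha256": "", "size": 0, "summary": "Breached", "full_path": ""},
]

def evaluate(events, event_types, match_keys=(), window_minutes=0, min_count=1):
    """Simulate a rule: keep events whose type is in event_types, group them by
    match_keys (the match section) and emit one detection per group holding at
    least min_count events inside the window (the `#threat >= N` condition).
    With no match_keys the rule is single-event (condition `$threat`): every
    hit is its own detection. Simplification: the window is anchored at each
    group's earliest event, whereas Chronicle evaluates sliding windows."""
    hits = sorted((e for e in events if e["type"] in event_types), key=lambda e: e["ts"])
    if not match_keys:
        return [{"events": 1, "user_email": e["user_email"], "summary": e["summary"]} for e in hits]
    groups = defaultdict(list)
    for e in hits:
        groups[tuple(e[k] for k in match_keys)].append(e)
    detections = []
    for key, evs in groups.items():
        start = datetime.fromisoformat(evs[0]["ts"])
        inwin = [e for e in evs
                 if datetime.fromisoformat(e["ts"]) - start <= timedelta(minutes=window_minutes)]
        if len(inwin) >= min_count:
            detections.append({
                "match": dict(zip(match_keys, key)),
                "events": len(inwin),
                # equivalents of the array_distinct / count_distinct outcome variables
                "summary_distinct_list": sorted({e["summary"] for e in inwin}),
                "full_path_distinct_count": len({e["full_path"] for e in inwin}),
                "user_email_distinct_count": len({e["user_email"] for e in inwin}),
            })
    return detections

if __name__ == "__main__":
    # bce14: same user, 30-minute window, at least two unscanned files
    print(evaluate(EVENTS, {"unscannedFileEvent"}, ("user_email",), 30, 2))
    # bce15: same file (sha256 + size), 24-hour window; bce16: single-event rule
    print(evaluate(EVENTS, {"unscannedFileEvent"}, ("sha256", "size"), 24 * 60, 2))
    print(evaluate(EVENTS, {"passwordBreachEvent"}))
```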
