Mike's example above is a good one for a risk score based on country. I did want to add a few more thoughts about geo IP, as I've noticed there are a few different things going on in the rule, as well as provide some broader resources around the original question on dynamic risk scores, and finally throw a few more ideas into a sample rule below that might ease writing the rule.
This blog discusses the geo IP fields and how they can be used: https://chronicle.security/blog/posts/Using-Automated-GeoIP-Enrichment-in-Chronicle/ The one comment I want to make here is to be mindful of the fields within the <NOUN>.ip_geo_artifact section versus the <NOUN>.location section. The ip_geo_artifact section contains enrichments that Google provides during the ingest and enrichment process. The geo_ip may not be as precise as the location section due to privacy concerns, so we have not dialed in the geo_ip to the highest level of precision. Probably not a big deal in most cases, but worth a mention. Also, if your security solution feeding Chronicle has geolocation built into it, we will populate the location section of the log with that information. So, if you have both data from the security control and from us, you can choose which one you want to use; that's really up to you.
Rule outcome examples including using risk score in outcome and arrays in condition https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Rule-Outcomes/ba-p/72485...
Video on risk score: https://www.googlecloudcommunity.com/gc/Chronicle-Best-Practices/Getting-to-Know-Chronicle-Outcomes-...
The additional ideas that I wanted to throw out there are based on some of the things you asked as well as some of the concepts introduced above. I added comments into the sample rule below, but here are the key points.
rule Geo_IP_Login_Risk_Score_Example {
  meta:
    author = "Google Cloud Security"
    description = "GeoIP Example with Coalesce function and Risk Score Reference Lists"
    severity = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.principal.ip_geo_artifact.ip = $ip
    $login.principal.user.user_display_name = $user
    // strings.coalesce returns the first non-null field value to the placeholder variable;
    // the log source's own location field is preferred, Google's geo IP enrichment is the fallback
    strings.coalesce($login.principal.location.country_or_region, $login.principal.ip_geo_artifact.location.country_or_region) = $country

  match:
    $user over 30m

  outcome:
    // use the placeholder variable from the events section to collect the distinct countries seen in the match window
    $country_array = array_distinct($country)
    // risk score (and other outcome variables) can use reference lists, so group countries into
    // reference lists to streamline risk scoring like this; max() takes the highest per-event score in the window
    $risk_score = max(if($country in %countries_high_risk, 60) + if($country in %countries_med_risk, 40))

  condition:
    $login
}
Here's an example of a dynamic risk_score based on geo information, using some of the math you provided. Easy enough to tweak if required!
$risk_score = max(
  // Baseline
  20 +
  // Unauthorized target geographies
  if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 60) +
  if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 60) +
  if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 60) +
  if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 60) +
  if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 60)
)
-mike
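The two outcome expressions above (the reference-list version and Mike's baseline version) are easy to misread as summing across logins. The following is an added example, not code from either post or from Chronicle: a small Python model of how the outcome section scores one user's 30-minute match group, assuming YARA-L semantics where if() and + are evaluated per event and max() aggregates across the events in the window. The events, country values and reference-list contents are constructed stand-ins.

```python
# Added example: a Python model of the YARA-L outcome scoring in the rules above.
# Assumption: if()/+ are evaluated per event, max() aggregates across the match window.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the %countries_high_risk / %countries_med_risk reference lists.
COUNTRIES_HIGH_RISK = {"Cuba", "Iran", "North Korea", "Russia", "Syria"}
COUNTRIES_MED_RISK = {"Belarus", "Venezuela"}


@dataclass
class LoginEvent:
    """Subset of a USER_LOGIN UDM event the rule reads (constructed sample data)."""
    user: str
    location_country: Optional[str]  # principal.location.country_or_region (from the log source)
    ip_geo_country: Optional[str]    # principal.ip_geo_artifact.location.country_or_region (Google enrichment)


def coalesce_country(ev: LoginEvent) -> Optional[str]:
    """strings.coalesce(): first non-null of the two fields, log source's own value first."""
    return ev.location_country if ev.location_country is not None else ev.ip_geo_country


def reference_list_score(country: Optional[str]) -> int:
    """Per-event value of if($country in %high, 60) + if($country in %med, 40)."""
    return (60 if country in COUNTRIES_HIGH_RISK else 0) + (40 if country in COUNTRIES_MED_RISK else 0)


def baseline_score(country: Optional[str]) -> int:
    """Per-event value of Mike's expression: 20 + one 60 term per hard-coded country match."""
    return 20 + sum(60 for c in COUNTRIES_HIGH_RISK if country == c)


def outcome(events: list[LoginEvent], user: str) -> dict:
    """Model the outcome section for one $user match group: array_distinct() and max()."""
    countries = [coalesce_country(e) for e in events if e.user == user]
    return {
        "country_array": sorted({c for c in countries if c is not None}),
        # max() picks the highest per-event sum in the window; scores from
        # different logins are never added together.
        "risk_score": max((reference_list_score(c) for c in countries), default=0),
        "risk_score_baseline": max((baseline_score(c) for c in countries), default=0),
    }


if __name__ == "__main__":
    sample = [LoginEvent("alice", None, "Germany"), LoginEvent("alice", "Belarus", "Poland"),
              LoginEvent("alice", None, "Iran"), LoginEvent("bob", None, "Germany")]
    print(outcome(sample, "alice"))  # risk_score 60 (Iran), not 100; baseline 80
```

Note that the Belarus login scores 40 from the log source's own location field even though the geo IP enrichment says Poland, which is the precedence the coalesce order gives.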