YARA-L Rule Using External List

Hi, 

My reading suggests otherwise but wanted to ask on here whether anyone had successfully managed to create a rule that looks up an external list, i.e. an external URL which holds a list of known Cobalt Strike IP addresses. My reading suggests this is only possible via using the lists method and therefore pointing to an internally managed list (which I have used in some use cases). But for dynamic lists held by a 3rd party/vendor that update frequently, it would be easier for a Cobalt Strike IOC detection rule to point at the external list instead of an internal one.

Any help or advice would be appreciated.

Thanks


Hi @Cyber_Chief1999,

Today, it's not possible to have a rule reference a list that's hosted in a location external to Chronicle.

For the use case you described, you could do the following:

Configure a scheduled job that pulls the latest version of the external list and creates a reference list in Chronicle via its REST API.

Your scheduled job can be configured to replace the existing reference list in Chronicle when a new version is pulled from the external location.

Have your rule utilize the reference list that's being kept up-to-date by your scheduled job.

I have some example code that can be used to retrieve and update reference lists via Chronicle's REST API.

Please let me know if you have any questions on that.
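An added example of the normalisation step such a scheduled job needs before it pushes a vendor feed into a reference list (this is not David's example code or Chronicle's own; the feed contents are constructed, and the v2 request field names, the list name and the YARA-L field are assumptions to check against the documentation):

```python
"""Turn a third-party IP feed into lines for a Chronicle reference list update.

Added example for this thread, not Chronicle's code. The feed below is a
constructed sample; the v2 request fields and the list name are assumptions.
"""
import ipaddress

# Constructed sample of a vendor feed (documentation ranges only, not real IOCs).
SAMPLE_FEED = """# c2-servers.txt (constructed sample)
203.0.113.10
203.0.113.10
198.51.100.0/24
2001:db8::5
not-an-ip
192.0.2.7  # trailing comment
"""


def parse_feed(text):
    """Return sorted, de-duplicated CIDR entries from a plain-text feed.

    Comments, blank lines, duplicates and malformed entries are dropped so one
    bad line in the vendor feed cannot break the scheduled list update. Single
    addresses are normalised to /32 or /128 so every line is valid CIDR.
    """
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.add(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole job
    return sorted(entries)


def build_list_update(list_name, lines):
    """Build the JSON body that replaces a reference list's contents.

    Field names are an assumption about the v2 reference list API; verify
    them against the documentation linked later in this thread.
    """
    return {"name": list_name, "lines": lines, "content_type": "CIDR"}


def yaral_condition(list_name, ip_field="$e.principal.ip"):
    """YARA-L 2.0 predicate matching an event IP against the CIDR list."""
    return f"net.ip_in_range_cidr({ip_field}, %{list_name})"


if __name__ == "__main__":
    # A real job would fetch the feed over HTTPS here; the sample stands in.
    body = build_list_update("cobalt_strike_c2_cidrs", parse_feed(SAMPLE_FEED))
    print(len(body["lines"]), "entries ->", yaral_condition(body["name"]))
```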

Hi David,

Quick question. We were told not to use V1-Alpha and to use V2 instead. However V2 does not contain an endpoint for reference lists. Any suggestions?

Thanks

Here's the documentation for the v2 Reference Lists API endpoint.

I'd like to learn more about why you've been directed to use the V2 endpoints. Are you able to send me a direct message on here so we can chat more about your use case?

Hi,

The use case is basically being able to use reference lists that point to an externally managed list, such as a dynamic list of IOCs such as malicious IPs or C2 domains. One of my engineering colleagues was looking to implement the feature but he was told we should only use v2 alpha, which seemed like it did not have an endpoint for reference lists. However, the link you provided was a massive help.

Further to that, can we create dashboards in v2 like you can in v1alpha? (https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.dashboar...)

Thanks

There isn't an API endpoint/methods for managing dashboards via the Chronicle SIEM API.

The newer Chronicle REST API (v1alpha) has methods for managing dashboards, as you pointed out. Efforts are underway to get this new REST API to General Availability (GA).

Hi David-French,

Thank you for the feedback. This sounds very promising; I will review with my colleagues and revert if I have any further follow-up questions.

Many thanks.

No worries. One thing I forgot to mention -- if you're a user of Chronicle SOAR, you can use that to automate reference list management as well.

Here's a blog post on the subject by Christopher Martin: Automating Chronicle SIEM Reference Lists using Chronicle SOAR

Hi, yes that's right; however, we are trying to utilise external reference lists by using them within the YARA-L rule itself.