This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Here’s where you’ll find a buzzing community of Security professionals from around the world with one common mission: bringing their Security platforms to the next level.
Recently I reviewed an article covering an attack path that an actor
took in a Google Workspace/GCP
environment.https://www.bitdefender.com/blog/businessinsights/the-chain-reaction-new-methods-for-extending-local-breaches-in-google-workspace/When
goi...
Is it possible to make a Yara-L rule that is detecting off of a specific
field in the additional section?I have data in the UDM
field:additional.fields["entity"].entity_payload.attachments.name =
"test.exe" I do not know how to access data after the ...
In the documentation it seems that the arrays.contains function can be
used like the following, arrays.contains($asset_id_list, "id_1234")Is it
possible to use the function with two variables so I can compare the
list with a value in a UDM field?The ...
Is there any way in Yara-L to check if a UDM field contains a substring
of another UDM field? The following example shows a use case for this
and the question I am trying to ask of the data: rule variable_testing
{meta: author = "amalone" description...
Does anyone have any advice or example dashboards of good ways to view
the graph data within the platform? I am looking for something like the
"main" or "IOC Matches" dashboard that provides a high level overview of
what data we have access to with t...
Thanks for passing along some of those suggestions. If you don't mind me
asking are these standards that are given by GCP for how the platform
should be monitored? If so is there a recommendation from google on
which GCP logs should be put into Chron...
Hi Rene,In our case there is data that seems to be stored in fields
after the brackets. In the event viewer we see fields like the
following:additional.fields["entity"].entity_payload.attachments.name =
"test.exe"I would like to search this field in ...
Hey Christian,Thanks for the response! When I put that snippet of code
into the rule it says there is an error on the $success part of
$success.principal.ip. The error is as follows:parsing: error with
token: "success" expected ) line: 41 column: 44-...
Thanks for the response!This solves the problem and it seems like this
works in our environment as well. In my environment it seems it will
accept 1 and not 2 due to not using a placeholder event variable: 1.
re.regex($launch.target.process.command_l...
