Configure Detection Rules
After Cyware indicators are ingested into Google SecOps as entities, you can create detection rules to correlate Cyware threat intelligence with security telemetry in the SIEM. These rules scan Cyware indicators together with ingested security events to identify suspicious activity and generate detections and alerts.
Create and Enable a Detection Rule
To create and activate a detection rule in Google SecOps, follow these steps:
In Google SecOps SIEM, go to Detection > Rules & Detections.
Go to the Rules Editor tab and click NEW.
Copy and paste the required rule into the editor and click SAVE NEW RULE.
Click View Detections, then Rule Options, and set the following options:
Enable Alerting to generate alerts when the rule conditions are met.
Enable Live Rule to activate the detection rule.
For more information about creating and managing detection rules, see Google SecOps Detection Rules documentation.
Cyware Intel Exchange Detection Rules
The integration provides the following prebuilt detection rules that correlate Cyware Intel Exchange threat intelligence with Google SecOps telemetry to identify malicious activity.
Brute Force Login Detection
This high-severity rule detects repeated login failures originating from IP addresses that Cyware Intel Exchange has flagged as malicious. It joins USER_LOGIN events whose security_result.action is BLOCK or FAIL with Cyware IP_ADDRESS entities that carry a risk score of 70 or higher, groups them by the shared IP address over a 15-minute window, and triggers when more than five distinct login events are seen in that window. By correlating login activity with Cyware threat intelligence, the rule surfaces brute-force attempts that come from known malicious infrastructure rather than from any unrecognized source.
Rule
rule cyware_intel_exchange_brute_force_attempt {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Brute Force Login Detection"
    description = "Detects multiple failed login attempts from IPs flagged by Cyware threat intelligence."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1110 - Brute Force"
    tags = "cloud security, threat intelligence, cyware intel exchange"
  events:
    $login.metadata.event_type = "USER_LOGIN"
    // Only blocked or failed authentication attempts count toward the threshold
    (
      $login.security_result.action = "BLOCK" or
      $login.security_result.action = "FAIL"
    )
    (
      strings.to_lower($login.src.ip) = $correlation_ip or
      strings.to_lower($login.principal.ip) = $correlation_ip
    )
    // Cyware entity match for IP
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    $cyware.graph.metadata.entity_type = "IP_ADDRESS"
    $cyware.graph.entity.ip = $correlation_ip
  match:
    $correlation_ip over 15m
  outcome:
    $principal_ip = array_distinct($login.principal.ip)
    $principal_hostname = array_distinct($login.principal.hostname)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $principal_mac = array_distinct($login.principal.mac)
    $event_count = count_distinct($login.metadata.id)
    $source_ip = array_distinct($login.src.ip)
    $source_hostname = array_distinct($login.src.hostname)
    $source_user_userid = array_distinct($login.src.user.userid)
    $source_mac = array_distinct($login.src.mac)
    // Cyware-specific metadata
    $cyware_threat_id = array_distinct($cyware.graph.metadata.threat.threat_id)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $cyware_severity = array_distinct($cyware.graph.metadata.threat.severity)
    $cyware_description = array_distinct($cyware.graph.metadata.description)
    $cyware_tags = array_distinct($cyware.graph.entity.artifact.tags)
    $cyware_country = array_distinct($cyware.graph.entity.artifact.location.country_or_region)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $login and $cyware and ($event_count > 5)
}
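The following is an added example, not code from the Cyware or Google SecOps documentation: a Python re-implementation of what the brute-force rule above computes, run over constructed records so the entity join, the 15-minute window, and the distinct-event threshold can be checked offline before the rule is enabled. Field names mirror the UDM paths used by the rule; every entity record, login event, IP address, user name, and threat ID below is made up. The sliding window is an approximation of how Google SecOps evaluates a match window, not a statement of its exact windowing behaviour.

```python
"""Offline model of cyware_intel_exchange_brute_force_attempt (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RISK_THRESHOLD = 70              # $cyware.graph.metadata.threat.risk_score >= 70
EVENT_THRESHOLD = 5              # condition: $event_count > 5
WINDOW = timedelta(minutes=15)   # match: $correlation_ip over 15m
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def entity(ip, risk, threat_id, entity_type="IP_ADDRESS"):
    """Constructed Cyware entity-graph record (log type CTIX)."""
    return {"log_types": "CTIX", "product_name": "Cyware Intel Exchange",
            "entity_type": entity_type, "ip": ip, "risk_score": risk,
            "threat_id": threat_id}


def login(event_id, minute, ip, user, action="FAIL", field="principal_ip"):
    """Constructed USER_LOGIN event; the client IP sits in principal.ip or src.ip."""
    ev = {"id": event_id, "time": BASE + timedelta(minutes=minute),
          "event_type": "USER_LOGIN", "action": action, "user": user,
          "principal_ip": None, "src_ip": None}
    ev[field] = ip
    return ev


CYWARE_ENTITIES = [
    entity("203.0.113.10", 85, "ctix-0001"),
    entity("203.0.113.20", 40, "ctix-0002"),                 # below risk threshold
    entity("203.0.113.30", 90, "ctix-0003"),
    entity("203.0.113.40", 95, "ctix-0004", "DOMAIN_NAME"),  # wrong entity type
]

LOGIN_EVENTS = (
    # Flagged IP, six distinct failures in six minutes; one event ID arrives twice
    # (once via src.ip) and a later ALLOW must not count: detection expected.
    [login(f"L{i}", i, "203.0.113.10", "alice" if i < 4 else "bob") for i in range(6)]
    + [login("L5", 5, "203.0.113.10", "bob", field="src_ip"),
       login("L6", 6, "203.0.113.10", "bob", action="ALLOW")]
    # Flagged IP with risk 40, six failures: no detection.
    + [login(f"M{i}", i, "203.0.113.20", "carol") for i in range(6)]
    # High-risk IP, six failures spread 12 minutes apart: never >5 in one window.
    + [login(f"S{i}", 12 * i, "203.0.113.30", "dave") for i in range(6)]
    # Unknown IP, seven failures: nothing to join against.
    + [login(f"U{i}", i, "198.51.100.5", "erin") for i in range(7)]
)


def risky_ips(entities):
    """Entity side of the join: CTIX IP_ADDRESS entities at or above the threshold."""
    return {e["ip"].lower(): e for e in entities
            if e["log_types"] == "CTIX"
            and e["product_name"] == "Cyware Intel Exchange"
            and e["entity_type"] == "IP_ADDRESS"
            and e["risk_score"] >= RISK_THRESHOLD}


def correlate_brute_force(events, entities):
    """Return {ip: detection} for each IP whose failed logins, joined to a
    high-risk Cyware entity, exceed EVENT_THRESHOLD distinct event IDs inside
    some WINDOW. Mirrors the events/match/outcome/condition sections."""
    risky = risky_ips(entities)
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_type"] != "USER_LOGIN" or ev["action"] not in ("BLOCK", "FAIL"):
            continue
        for ip in {ev["src_ip"], ev["principal_ip"]} - {None}:
            by_ip[ip.lower()].append(ev)

    detections = {}
    for ip, evs in by_ip.items():
        if ip not in risky:
            continue
        evs.sort(key=lambda e: e["time"])
        best_window = []
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] < first["time"] + WINDOW]
            if len({e["id"] for e in window}) > len({e["id"] for e in best_window}):
                best_window = window
        event_count = len({e["id"] for e in best_window})   # count_distinct(metadata.id)
        if event_count > EVENT_THRESHOLD:
            detections[ip] = {
                "event_count": event_count,
                "users": sorted({e["user"] for e in best_window}),   # array_distinct
                "risk_score": risky[ip]["risk_score"],
                "threat_id": risky[ip]["threat_id"],
            }
    return detections


if __name__ == "__main__":
    for ip, detection in correlate_brute_force(LOGIN_EVENTS, CYWARE_ENTITIES).items():
        print(ip, detection)
```

Only 203.0.113.10 produces a detection: its six distinct event IDs exceed the threshold even though one ID was ingested twice, while the low-risk, spread-out, and unknown sources are filtered by the risk score, the window, and the join respectively.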
Malicious Domain DNS Resolution Detection
This high-priority rule detects DNS activity involving domains identified as malicious by Cyware Intel Exchange. It triggers when a NETWORK_DNS event carries a principal or target hostname that matches a DOMAIN_NAME entity from Cyware Intel Exchange with a risk score of 70 or higher, grouped by domain over a one-hour window. The rule compares hostname fields only; if your DNS parser records the queried name in network.dns.questions.name rather than in a hostname field, extend the match to that field.
Rule
rule cyware_intel_exchange_malicious_domain_detection {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Malicious Domain DNS Resolution Detection"
    description = "Detects DNS queries for domains marked as malicious by Cyware threat intelligence."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071.004 - Application Layer Protocol: DNS"
    tags = "cloud security, threat intelligence, cyware intel exchange, dns"
  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    (
      strings.to_lower($dns.principal.hostname) = $correlation_domain or
      strings.to_lower($dns.principal.asset.hostname) = $correlation_domain or
      strings.to_lower($dns.target.hostname) = $correlation_domain or
      strings.to_lower($dns.target.asset.hostname) = $correlation_domain
    )
    // Cyware entity match for domain
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    $cyware.graph.metadata.entity_type = "DOMAIN_NAME"
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.entity.domain.name = $correlation_domain
  match:
    $correlation_domain over 1h
  outcome:
    $principal_ip = array_distinct($dns.principal.ip)
    $principal_asset_hostname = array_distinct($dns.principal.asset.hostname)
    $principal_hostname = array_distinct($dns.principal.hostname)
    $principal_user_userid = array_distinct($dns.principal.user.userid)
    $source_ip = array_distinct($dns.src.ip)
    $source_hostname = array_distinct($dns.src.hostname)
    $target_ip = array_distinct($dns.target.ip)
    $target_hostname = array_distinct($dns.target.hostname)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $dns and $cyware
}
Malicious Email Sender Detection
This rule detects email transaction events in which a sender or recipient address matches an email address that Cyware Intel Exchange has classified as malicious with a risk score of 70 or higher, grouped by address over a one-hour window. It helps you identify phishing and other email activity that involves indicators held in Cyware Intel Exchange.
Rule
rule cyware_intel_exchange_malicious_email_sender_detection {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Malicious Email Sender Detection"
    description = "Detects email transactions whose sender or recipient address is classified as malicious by Cyware."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566 - Phishing"
    tags = "cloud security, threat intelligence, cyware intel exchange, email"
  events:
    $email.metadata.event_type = "EMAIL_TRANSACTION"
    (
      strings.to_lower($email.network.email.to) = $correlation_email or
      strings.to_lower($email.network.email.from) = $correlation_email or
      strings.to_lower($email.network.email.mail_id) = $correlation_email
    )
    // Cyware entity match for email
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    (
      $cyware.graph.metadata.entity_type = "RESOURCE" or
      $cyware.graph.metadata.entity_type = "USER"
    )
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.entity.user.email_addresses = $correlation_email
  match:
    $correlation_email over 1h
  outcome:
    $email_from = array_distinct($email.network.email.from)
    $email_to = array_distinct($email.network.email.to)
    $email_subject = array_distinct($email.network.email.subject)
    $email_cc = array_distinct($email.network.email.cc)
    $email_bcc = array_distinct($email.network.email.bcc)
    $principal_ip = array_distinct($email.principal.ip)
    $principal_hostname = array_distinct($email.principal.hostname)
    $source_ip = array_distinct($email.src.ip)
    $source_hostname = array_distinct($email.src.hostname)
    $target_ip = array_distinct($email.target.ip)
    $target_user_email = array_distinct($email.target.user.email_addresses)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $email and $cyware
}
Malicious File Hash Detection (MD5)
This rule detects file activity involving MD5 hashes that Cyware Intel Exchange has identified as malicious. It triggers when the MD5 of a file seen in a file creation, modification, copy, or open event matches a FILE entity from Cyware Intel Exchange with a risk score of 70 or higher, grouped by hash over a one-hour window. The telemetry hash is lowercased before comparison while the Cyware value is compared as stored, so indicators must be ingested as lowercase hex for the join to succeed.
Rule
rule cyware_intel_exchange_malicious_file_hash_md5_detection {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Malicious File Hash Detection (MD5)"
    description = "Detects MD5 file hashes classified as malicious by Cyware in file telemetry."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Execution, Lateral Movement"
    mitre_attack_technique = "T1204 - User Execution, T1570 - Lateral Tool Transfer"
    tags = "cloud security, threat intelligence, cyware intel exchange, malware"
  events:
    (
      $file.metadata.event_type = "FILE_CREATION" or
      $file.metadata.event_type = "FILE_MODIFICATION" or
      $file.metadata.event_type = "FILE_COPY" or
      $file.metadata.event_type = "FILE_OPEN"
    )
    (
      strings.to_lower($file.target.file.md5) = $correlation_hash or
      strings.to_lower($file.src.file.md5) = $correlation_hash or
      strings.to_lower($file.principal.file.md5) = $correlation_hash or
      strings.to_lower($file.principal.process.file.md5) = $correlation_hash
    )
    // Cyware entity match for file hash
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    $cyware.graph.metadata.entity_type = "FILE"
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.entity.file.md5 = $correlation_hash
  match:
    $correlation_hash over 1h
  outcome:
    $principal_process_file_md5 = array_distinct($file.principal.process.file.md5)
    $principal_asset_hostname = array_distinct($file.principal.asset.hostname)
    $principal_asset_id = array_distinct($file.principal.asset.asset_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $file_path = array_distinct($file.target.file.full_path)
    $file_md5 = array_distinct($file.target.file.md5)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $file and $cyware
}
Malicious File Hash Detection (SHA-1)
This rule detects file activity involving SHA-1 hashes that Cyware Intel Exchange has identified as malicious. It triggers when the SHA-1 of a file seen in a file creation, modification, copy, or open event matches a FILE entity from Cyware Intel Exchange with a risk score of 70 or higher, grouped by hash over a one-hour window.
Rule
rule cyware_intel_exchange_malicious_file_hash_sha1_detection {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Malicious File Hash Detection (SHA-1)"
    description = "Detects SHA-1 file hashes classified as malicious by Cyware in file telemetry."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Execution, Lateral Movement"
    mitre_attack_technique = "T1204 - User Execution, T1570 - Lateral Tool Transfer"
    tags = "cloud security, threat intelligence, cyware intel exchange, malware"
  events:
    (
      $file.metadata.event_type = "FILE_CREATION" or
      $file.metadata.event_type = "FILE_MODIFICATION" or
      $file.metadata.event_type = "FILE_COPY" or
      $file.metadata.event_type = "FILE_OPEN"
    )
    (
      strings.to_lower($file.target.file.sha1) = $correlation_hash or
      strings.to_lower($file.src.file.sha1) = $correlation_hash or
      strings.to_lower($file.principal.file.sha1) = $correlation_hash or
      strings.to_lower($file.principal.process.file.sha1) = $correlation_hash
    )
    // Cyware entity match for file hash
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    $cyware.graph.metadata.entity_type = "FILE"
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.entity.file.sha1 = $correlation_hash
  match:
    $correlation_hash over 1h
  outcome:
    $principal_process_file_sha1 = array_distinct($file.principal.process.file.sha1)
    $principal_asset_hostname = array_distinct($file.principal.asset.hostname)
    $principal_asset_id = array_distinct($file.principal.asset.asset_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $file_path = array_distinct($file.target.file.full_path)
    $file_sha1 = array_distinct($file.target.file.sha1)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $file and $cyware
}
Malicious File Hash Detection (SHA-256)
This rule detects file activity involving SHA-256 hashes that Cyware Intel Exchange has identified as malicious. It triggers when the SHA-256 of a file seen in a file creation, modification, copy, or open event matches a FILE entity from Cyware Intel Exchange with a risk score of 70 or higher, grouped by hash over a one-hour window.
Rule
rule cyware_intel_exchange_malicious_file_hash_sha256_detection {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Malicious File Hash Detection (SHA-256)"
    description = "Detects SHA-256 file hashes classified as malicious by Cyware in file telemetry."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Execution, Lateral Movement"
    mitre_attack_technique = "T1204 - User Execution, T1570 - Lateral Tool Transfer"
    tags = "cloud security, threat intelligence, cyware intel exchange, malware"
  events:
    (
      $file.metadata.event_type = "FILE_CREATION" or
      $file.metadata.event_type = "FILE_MODIFICATION" or
      $file.metadata.event_type = "FILE_COPY" or
      $file.metadata.event_type = "FILE_OPEN"
    )
    (
      strings.to_lower($file.target.file.sha256) = $correlation_hash or
      strings.to_lower($file.src.file.sha256) = $correlation_hash or
      strings.to_lower($file.principal.file.sha256) = $correlation_hash or
      strings.to_lower($file.principal.process.file.sha256) = $correlation_hash
    )
    // Cyware entity match for file hash
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    $cyware.graph.metadata.entity_type = "FILE"
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.entity.file.sha256 = $correlation_hash
  match:
    $correlation_hash over 1h
  outcome:
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_asset_hostname = array_distinct($file.principal.asset.hostname)
    $principal_asset_id = array_distinct($file.principal.asset.asset_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $file_path = array_distinct($file.target.file.full_path)
    $file_sha256 = array_distinct($file.target.file.sha256)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $file and $cyware
}
Malicious IP Communication Detection
This rule detects network connections in which the source, principal, or target IP address matches an IP_ADDRESS entity that Cyware Intel Exchange has flagged as malicious with a risk score of 70 or higher, grouped by IP address over a one-hour window. It helps you identify inbound or outbound traffic involving infrastructure that Cyware Intel Exchange classifies as malicious.
Rule
rule cyware_intel_exchange_malicious_ip_detection {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Malicious IP Communication Detection"
    description = "Detects network traffic to/from IP addresses identified as malicious by Cyware."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Command and Control, Initial Access"
    mitre_attack_technique = "T1071 - Application Layer Protocol, T1190 - Exploit Public-Facing Application"
    tags = "cloud security, threat intelligence, cyware intel exchange"
  events:
    $network.metadata.event_type = "NETWORK_CONNECTION"
    (
      strings.to_lower($network.src.ip) = $correlation_ip or
      strings.to_lower($network.principal.ip) = $correlation_ip or
      strings.to_lower($network.target.ip) = $correlation_ip
    )
    // Cyware entity match for IP
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    $cyware.graph.metadata.entity_type = "IP_ADDRESS"
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.entity.ip = $correlation_ip
  match:
    $correlation_ip over 1h
  outcome:
    $principal_ip = array_distinct($network.principal.ip)
    $principal_hostname = array_distinct($network.principal.hostname)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    $principal_mac = array_distinct($network.principal.mac)
    $source_ip = array_distinct($network.src.ip)
    $source_hostname = array_distinct($network.src.hostname)
    $source_mac = array_distinct($network.src.mac)
    $source_port = array_distinct($network.src.port)
    $target_ip = array_distinct($network.target.ip)
    $target_hostname = array_distinct($network.target.hostname)
    $target_mac = array_distinct($network.target.mac)
    $target_port = array_distinct($network.target.port)
    $network_protocol = array_distinct($network.network.ip_protocol)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $network and $cyware
}
Malicious URL Access Detection
This rule detects network activity that reaches URLs identified as malicious by Cyware Intel Exchange. It triggers when a NETWORK_HTTP or NETWORK_CONNECTION event carries a target URL, principal URL, or HTTP referrer that matches a URL entity from Cyware Intel Exchange with a risk score of 70 or higher, grouped by URL over a one-hour window.
Rule
rule cyware_intel_exchange_malicious_url_access_detection {
  meta:
    author = "CYWARE INTEL EXCHANGE"
    rule_name = "Cyware Intelligence - Malicious URL Access Detection"
    description = "Detects network connections attempting to access URLs marked as malicious by Cyware."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Initial Access, Command and Control"
    mitre_attack_technique = "T1566 - Phishing, T1071 - Application Layer Protocol"
    tags = "cloud security, threat intelligence, cyware intel exchange"
  events:
    (
      $network.metadata.event_type = "NETWORK_HTTP" or
      $network.metadata.event_type = "NETWORK_CONNECTION"
    )
    // The referrer is compared literally: a URL used as a regular expression
    // would treat "." and "?" as metacharacters and miss or over-match
    (
      strings.to_lower($network.target.url) = $correlation_url or
      strings.to_lower($network.principal.url) = $correlation_url or
      strings.to_lower($network.network.http.referral_url) = $correlation_url
    )
    // Cyware entity match for URL
    $cyware.graph.metadata.event_metadata.base_labels.log_types = "CTIX"
    $cyware.graph.metadata.product_name = "Cyware Intel Exchange"
    $cyware.graph.metadata.entity_type = "URL"
    $cyware.graph.metadata.threat.risk_score >= 70
    $cyware.graph.entity.url = $correlation_url
  match:
    $correlation_url over 1h
  outcome:
    $principal_ip = array_distinct($network.principal.ip)
    $principal_url = array_distinct($network.principal.url)
    $principal_hostname = array_distinct($network.principal.hostname)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    $source_ip = array_distinct($network.src.ip)
    $source_hostname = array_distinct($network.src.hostname)
    $target_ip = array_distinct($network.target.ip)
    $target_hostname = array_distinct($network.target.hostname)
    $target_url = array_distinct($network.target.url)
    $http_user_agent = array_distinct($network.network.http.user_agent)
    $http_method = array_distinct($network.network.http.method)
    $cyware_risk_score = array_distinct($cyware.graph.metadata.threat.risk_score)
    $risk_score = max($cyware.graph.metadata.threat.risk_score)
  condition:
    $network and $cyware
}
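The following is an added example, not code from the Cyware or Google SecOps documentation. It shows in Python why the join keys used by the single-indicator rules above (file hashes, domain names, URLs) must be normalised the same way on the telemetry side and the Cyware side, and why a referrer comparison must treat the indicator URL as a literal string rather than as a regular expression. The domain names, URLs, and referrers are constructed; the only real value is the MD5 of the empty string, used because it is widely known.

```python
"""Join-key normalisation pitfalls for indicator matching (added example)."""
import re


def norm_hash(value):
    """Hex digests are case-insensitive; the rules lowercase only the telemetry side."""
    return value.strip().lower()


def norm_domain(value):
    """DNS names are case-insensitive and a trailing dot marks an absolute name."""
    return value.strip().lower().rstrip(".")


def join_hashes(telemetry_hashes, entity_hashes, normalise_entity_side):
    """Emulate the file-hash join: strings.to_lower() is applied to the telemetry
    value, and to the Cyware value only when normalise_entity_side is True.
    Returns the sorted list of telemetry hashes that matched."""
    keys = {norm_hash(h) if normalise_entity_side else h for h in entity_hashes}
    return sorted(h for h in set(telemetry_hashes) if norm_hash(h) in keys)


def join_domains(queried_names, entity_domains):
    """Domain join with both sides normalised identically."""
    keys = {norm_domain(d) for d in entity_domains}
    return sorted({norm_domain(q) for q in queried_names} & keys)


def referrer_matches(indicator_url, referrer, as_regex):
    """as_regex=True interprets the indicator as a pattern, so '.' matches any
    character and '?' makes the preceding character optional; as_regex=False is
    the literal comparison an indicator match should use."""
    if as_regex:
        return re.search(indicator_url, referrer.lower()) is not None
    return referrer.lower() == indicator_url


EMPTY_MD5_UPPER = "D41D8CD98F00B204E9800998ECF8427E"   # MD5("") as a feed might store it

if __name__ == "__main__":
    # Uppercase indicator vs lowercased telemetry: silent miss unless both sides agree
    print(join_hashes([EMPTY_MD5_UPPER.lower()], [EMPTY_MD5_UPPER], False))
    print(join_hashes([EMPTY_MD5_UPPER.lower()], [EMPTY_MD5_UPPER], True))
    print(join_domains(["EVIL.EXAMPLE.", "good.example"], ["evil.example"]))
    # A URL used as a regex fails to match itself and matches look-alike hosts
    print(referrer_matches("http://evil.example/path?id=1", "http://evil.example/path?id=1", True))
    print(referrer_matches("http://evil.example/login", "http://evil-example/login", True))
```

With the entity side left as stored, the uppercase indicator never joins to the lowercased telemetry hash, so the detection is silently lost; the regex variant of the referrer check both misses the exact malicious URL (the `?` in the query string is consumed as a quantifier) and fires on `evil-example`, since the unescaped dot matches any character.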