In this post, we're going to build a multi-event rule in Chronicle SIEM with a focus on ordering events to trigger a detection.
In previous videos, we touched on joins in a multi-event rule, but this time we are going to take those joined events and order them so that event A must occur before event B for the rule to trigger.
By default, Chronicle uses a windowing technique called a hop window. A hop window gathers every event that meets the rule's event criteria within the match window, regardless of the order in which those events occurred. That may be fine in some circumstances, but some detections only make sense as a sequence: a specific event must occur first, then another, and so on. Comparing UDM time fields (such as metadata.event_timestamp.seconds) between the event variables with comparison operators in the events section makes this happen.
Follow along in the video below to see in action how to order events in a multi event rule.
Remember that Chronicle's default windowing is a hop window: it gathers the events that fall within the defined window but does not order them. To order events, compare UDM time fields such as metadata.event_timestamp.seconds between the event variables with the less-than and greater-than operators (for example, $a.metadata.event_timestamp.seconds < $b.metadata.event_timestamp.seconds). Two caveats: the comparison only orders events that already fall inside the same match window, it does not extend the window, and a strict less-than comparison discards pairs whose timestamps land in the same second, so use <= if same-second ordering is acceptable for your detection. Remember also that the hop window in the match section must be between 1 minute and 48 hours.
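The following YARA-L rule is an added example, not a rule from the original post or from Google, that puts the technique from the paragraphs above into a complete multi-event rule: a successful login (event A) must occur before a permission change for the same user on the same host (event B) inside a one-hour hop window. The event types, UDM fields, rule name and meta values are assumptions chosen for illustration; adjust them to the log sources in your own tenant.

```yaral
rule login_followed_by_permission_change {
  meta:
    author = "example"
    description = "Assumed example: user login must occur before a permission change for the same user on the same host"
    severity = "MEDIUM"

  events:
    // Event A: a successful user login. $user and $host are placeholder
    // variables that join event A to event B.
    $a.metadata.event_type = "USER_LOGIN"
    $a.security_result.action = "ALLOW"
    $a.principal.user.userid = $user
    $a.target.hostname = $host

    // Event B: a permission change affecting the same user on the same host.
    $b.metadata.event_type = "USER_CHANGE_PERMISSIONS"
    $b.target.user.userid = $user
    $b.target.hostname = $host

    // Ordering constraint: without this line the hop window would also match
    // a permission change that happened BEFORE the login. The strict '<'
    // means a pair with identical second-resolution timestamps is dropped;
    // change it to '<=' if same-second ordering should still fire.
    $a.metadata.event_timestamp.seconds < $b.metadata.event_timestamp.seconds

  match:
    // Hop window keyed on the joined variables. Must be between 1m and 48h.
    $user, $host over 1h

  condition:
    $a and $b
}
```

To check the ordering constraint before deploying, run the rule retroactively against a period where you know a permission change happened before a login for the same user; with the comparison in place that pair should not produce a detection, and removing the comparison line should make it reappear.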
Check out these additional resources with more information and learning opportunities: