Reputation: 11
Trying to create a rule in Google SecOps (Chronicle) to detect that an unknown user and/or an unknown IP has successfully logged into a server. If a known user logs in from an unknown IP, that should fire the detection rule.
rule unknown_ssh_login {
  events:
    // implicit "and" between lines in this section
    // looking for user login events in auditd
    $event.metadata.log_type = "AUDITD"
    $event.metadata.event_type = "USER_LOGIN"
    // placeholders for the user ID and source IP, used in the match section
    $userID = strings.to_lower($event.about[0].user.user_display_name)
    $userIP = $event.principal.ip[0]
    // looking for the sshd process
    $event.principal.process.file.full_path = "/usr/sbin/sshd"
    // IP needs to be populated, and not in the known IPs CIDR list
    ($event.principal.ip[0] != "" and not ($event.principal.ip[0] in cidr %known_ips))
    // successful login only; there are tons of failed attempts
    $event.security_result[0].action_details = "success"
    // user not in the known users list (ANDed with the IP check above)
    not ($userID in %known_users)

  match:
    $userID, $userIP over 1m

  condition:
    $event
}
If I comment out the user ID from the known_users list, the rule will fire and display the userID and userIP on the detection line. If the user is in the list, and the IP is removed from the known_ips list, the rule does not detect it.
I have tried the following, which did not work:
I even made a list of strings and put a random IP in there (not the one I am testing from); that also does not fire the rule.
Upvotes: 1
Views: 13
Reputation: 11
Solved it.
I separated the detection of unknown user ID and unknown login IP. Two rules with everything the same: one looks for the userID not in the list, the other for the user IP not in the list. Both work!!
Upvotes: 0
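For context on why the single rule in the question only fired when both the user and the IP were unknown, and as an alternative to splitting it into two rules: the lines of a YARA-L events section are implicitly ANDed, so the two `not (... in %list)` predicates together require both to be unknown. Grouping them with `or` makes one rule fire when either is unknown. This is an added illustrative rewrite, not the poster's rule; the rule name is made up, and the field paths and list names `%known_ips` / `%known_users` are taken from the question.

```yaral
rule ssh_login_unknown_user_or_unknown_ip {
  meta:
    description = "Successful sshd login where the user OR the source IP is not on the known lists"
    // Added example based on the question's rule; rule name and meta are assumptions

  events:
    // Same filter as the original rule: successful sshd logins recorded by auditd
    $event.metadata.log_type = "AUDITD"
    $event.metadata.event_type = "USER_LOGIN"
    $event.principal.process.file.full_path = "/usr/sbin/sshd"
    $event.security_result[0].action_details = "success"

    // Placeholders for the match section (same as the original rule)
    $userID = strings.to_lower($event.about[0].user.user_display_name)
    $userIP = $event.principal.ip[0]
    $event.principal.ip[0] != ""

    // The original rule had these two checks on separate lines, which ANDs them:
    // a known user from an unknown IP fails the user check and never fires.
    // Grouped with "or", the rule fires if the IP is unknown OR the user is unknown.
    (
      not ($event.principal.ip[0] in cidr %known_ips)
      or not ($userID in %known_users)
    )

  match:
    $userID, $userIP over 1m

  condition:
    $event
}
```

A quick way to confirm the logic is to test it the same way as the question: a listed user from an IP outside `%known_ips` should now produce a detection, while a listed user from a listed IP should not.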