Chrome - Known Malicious Site Visit
This rule alerts on events related to bad navigation, that resulted in bypass action.
Google Chrome MEDIUM EXECUTION
Details
| ID | 5fa4d7d2-3b4c-4876-bc0f-b170fa49afe6 |
|---|---|
| From Version | 8.4.0 |
| Execution Mode | REAL_TIME |
| Dataset | alerts |
XQL Query
datamodel dataset = google_workspace_chrome_raw
| filter xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED"
| fields xdm.event.type, xdm.event.description, xdm.observer.action, xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.network.http.url, xdm.source.user_agent, xdm.target.resource.name, xdm.target.resource.id
Investigation Query
datamodel dataset = google_workspace_chrome_raw
| filter xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED"
| filter xdm.source.user.username = $xdm.source.user.username and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.network.http.url = $xdm.network.http.url and xdm.source.host.hostname = $xdm.source.host.hostname