Chrome - Known Malicious Site Visit

This rule alerts on events related to bad navigation, that resulted in bypass action.

Google Chrome MEDIUM EXECUTION

Details

ID5fa4d7d2-3b4c-4876-bc0f-b170fa49afe6
From Version8.4.0
Execution ModeREAL_TIME
Datasetalerts

XQL Query

datamodel dataset = google_workspace_chrome_raw 
| filter xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED"
| fields xdm.event.type, xdm.event.description, xdm.observer.action, xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.network.http.url, xdm.source.user_agent, xdm.target.resource.name, xdm.target.resource.id

Investigation Query

datamodel dataset = google_workspace_chrome_raw
| filter xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED"
| filter xdm.source.user.username = $xdm.source.user.username and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.network.http.url = $xdm.network.http.url and xdm.source.host.hostname = $xdm.source.host.hostname