Chrome - Known Malware Downloaded

This rule alerts on dangerous file download.

Google Chrome MEDIUM EXECUTION

Details

ID8c9024e2-3d25-471a-a7de-938335c1a38d
From Version8.4.0
Execution ModeREAL_TIME
Datasetalerts

MITRE ATT&CK

  • TA0002 - Execution
    • T1204.002 - User Execution: Malicious File

XQL Query

datamodel dataset = google_workspace_chrome_raw 
| filter xdm.event.type = "MALWARE_TRANSFER" and xdm.observer.action = "BYPASSED"
| fields xdm.event.type, xdm.event.description, xdm.observer.action, xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.network.http.url, xdm.source.user_agent, xdm.target.file.filename, xdm.target.file.size

Investigation Query

datamodel dataset = google_workspace_chrome_raw 
| filter xdm.event.type = "MALWARE_TRANSFER" and xdm.observer.action = "BYPASSED"
| filter xdm.source.user.username = $xdm.source.user.username and xdm.source.host.hostname = $xdm.source.host.hostname and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.target.file.filename = $xdm.target.file.filename