If you’re a defensive security practitioner who uses Google SecOps, you may already be familiar with our public community rules project on GitHub. This project was created a few years ago to share a collection of example rules that can be used with Google SecOps’ detection engine. These rules demonstrate the capabilities of YARA-L and provide a starting point and inspiration for folks who are looking to build custom detections to defend their organization.
These community rules are distinct from Google SecOps Curated Detections, which are developed by Google Threat Intelligence and designed to generate highly actionable detections and alerts.
A few members of the Google Cloud Security Community recently expressed interest in sharing detection content with each other. Sharing detection content is a powerful way to foster collaboration within the community and build a stronger collective defense against threats. We’re happy to announce that we’ve revitalized this project and are ready to accept contributions from the community!
Rules can be found in the /rules/community/ directory of the GitHub repository. All of these rules are written in YARA-L syntax and follow our style guide, which establishes baseline standards for quality, completeness, readability, and extensibility.
Platforms supported by these rules include Google Cloud, Google Workspace, AWS, Microsoft 365, Microsoft Entra ID, Microsoft Windows, and many more. Rules are mapped to the associated MITRE ATT&CK® techniques and specify which data source(s) are required to drive them.
Reviewing an example Microsoft Entra ID rule in the community rules GitHub repository
The content of a rule can simply be copied from GitHub into the Google SecOps rules editor. Please note that loading all of the rules from this project into your SecOps tenant and enabling them without any testing and tuning is discouraged.
Every organization’s environment is different, which means there is no one-size-fits-all detection content. Our recommendation is to use the test rule feature within SecOps and customize each rule to fit your environment before enabling it to generate detections and/or alerts.
Testing a rule in Google SecOps rules editor
Security teams that have adopted Detection-as-Code can find tooling in the same GitHub repository that makes it easy to manage detection content programmatically via the Google SecOps API.
We wholeheartedly welcome contributions to this project. Whether it's sharing a new rule that you’re proud of or suggesting improvements to an existing one, your contributions can make a real difference in strengthening the security posture of the Google SecOps community.
As a first step, please familiarize yourself with the contribution guidelines and rule style guide. We also recommend exploring the GitHub issues and pull requests labeled “good first issue”; these are designed to help people make their first contribution more easily.
The video below demonstrates how to contribute a new rule to this project in GitHub.
We encourage you to explore the detection content in this project and are dedicated to collaborating with any contributors. By working together, we can ensure that this project remains a valuable resource for Google SecOps users.
Please feel free to open a GitHub issue or reach out in the Google Cloud Security Community with any questions.