Community Blog

Implementing a Modern Detection Engineering Workflow (Part 1)

Level up your Detection Engineering capability by implementing a modern workflow that uses free tools to automate the management of detection rules in Chronicle.

New to Google SecOps: Fall is the perfect time for CIDR, particularly in functions & reference lists

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on December 14th, 2022 and introduces the network function net.ip_in_range_cidr for use in YARA-L rules to focus our rules on specific CIDR netblocks and then applies this to CIDR reference lists.

Turn Intelligence into Action with Google Chronicle Security Operations

Organizations can now uncover more threats with less effort with Applied Threat Intelligence in Google Chronicle Security Operations. Our intelligence-driven security operations takes on the burden of operationalizing Google’s threat intelligence to unlock deeper threat hunting and investigation workflows, helping teams become more efficient.

New to Google SecOps: Regular Expressions and Reference Lists

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on December 1st, 2022 and builds on our base64 and regular expression functions by adding reference lists to our rule.

New to Google SecOps: A New View for Search

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on November 16th, 2022 and introduces the UDM search interface.

Fastest Two Minutes in SecOps: Threat Hunting [Part 2] [Video]

You give us two minutes, we'll give you the world of SecOps. In Part Two of our "threat hunting" episode, Google Cloud Principal Security Strategist John Stoner offers three approaches you can consider when jumping into a hunt and why having a strategy — including the day you start the hunt — matters.

Fastest Two Minutes in SecOps: Threat hunting [Part 1] [Video]

You give us two minutes, we'll give you the world of SecOps. In this episode, Google Cloud Principal Security Strategist John Stoner breaks down the merits of threat hunting and shares why, depending on the maturity of your detection and response capabilities, the practice may not be right for everybody.

New to Google SecOps: Using Metrics in YARA-L Rules (Part 2)

Building on our introduction of metrics and their functions, we look at various aggregation options and apply these to a sample detection rule to identify outlier network traffic.

New to Google SecOps: The Replacements

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on November 7th, 2022 and introduces the re.replace function for use in YARA-L rules and demonstrates its use with other regex and base64 decode functions.

Fastest Two Minutes in SecOps: Cloud Security [Video]

You give us two minutes, we'll give you the world of security operations. This episode of "Fastest Two Minutes in SecOps" boils down a very big conversation -- cloud security -- into something digestible. Google Cloud Head of Adoption Engineering Dave Herrald explains how the changing security boundaries of the cloud prompt the need for new security controls, shares how your team needs to be built, and discusses why IAM is so critical.

Fastest Two Minutes in SecOps: Incident Response [Video]

You give us two minutes, we'll give you the world of SecOps. In this episode, Google Cloud Principal Consultant Rishalin Pillay distills the practice of incident response and zeroes in on the security operations team's role, specifically around the detection and analysis phase. SOC practitioners are called on to help comb through multitudes of data and logs that may be relevant to an incident, yet many teams struggle here because of the scale of the effort required.

Gaining Greater Visibility with Microsoft Graph API Activity Logs

If you are an Entra ID user who is using Google SecOps, the Graph API Activity logs provide a way to generate greater insight into activities happening beneath the waves in your Microsoft cloud environment. Learn how Google SecOps can work with this data set to better protect your organization!

The Power of Artificial Intelligence - From Search to Detection Rule at Light Speed

David Nehoda reveals the capabilities of Artificial Intelligence by showcasing how to effectively utilize the AI console within Chronicle SIEM for crafting detection rules.

Using Event Threat Detection to Detect VMs in Unauthorized Regions

Use Security Command Center Premium to detect workloads in unauthorized regions

New to Google SecOps: Capturing Strings for Additional Analysis

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on October 20th, 2022 and demonstrates how users can capture portions of UDM fields and use them for additional detection logic.

New to Google SecOps: Matching with Regular Expression Functions

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on October 10th, 2022 and introduces the regex function re.regex for use in YARA-L rules.

Fastest Two Minutes in SecOps: Top SOC Challenges [Video]

You give us two minutes, we'll give you the world of security operations. The first in a new short-and-sweet video series from Google Cloud Security covering essential SecOps topics brings us Anton Chuvakin, who shares the top challenges facing SOC teams and dispenses advice for overcoming them.

New to Google SecOps: Using Metrics in YARA-L Rules (Part 1)

Google SecOps provides greater flexibility for organizations writing detections based on statistical measures over time. This post introduces the concepts of metric functions and how they can be used in YARA-L rules!

New to Google SecOps: Rule Outcomes

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on September 22nd, 2022 and adds the outcome section and its usage to YARA-L rules to provide additional context around the detection.

New to Google SecOps: Multi-Event Rules

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on September 6th, 2022 and extends the concepts of single event YARA-L rules to add additional capabilities for multi-event rules.

Better Together: Detecting Suspicious Okta Events with Google Security Operations Detections

Not everyone has time to create and maintain detections. We recognize that customers require the ability to easily access and tune detection rules across various use cases to their own unique needs. And Google Security Operations and Okta have been collaborating to bring these use case-based detections to an even wider audience.

Part 1: Dipping Your Toe into SOAR: Understanding the Basics

Ready to streamline your incident response and supercharge your security team? This 3-part blog series by David Nehoda will show you how to get the most out of your SOAR platform.

New to Google SecOps: Single event rules

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on August 18th, 2022 and introduces the concepts found in single event YARA-L rules.

"Scaling Cyber Resilience Peaks: A 12-Month Roadmap to Mandiant Security Validation Success"

A clear roadmap is essential for success with any new technology. In this blog post, david-nehoda will outline the ideal path to adopting Mandiant Security Validation, maximizing your investment and achieving a stronger security posture.

New to Google SecOps: Unified Data Model (UDM)

The “New to Chronicle” blog found on chronicle.security has moved to the Community Blog. This blog was originally published on August 1st, 2022. Learn the basics of unified data model, UDM, in Google SecOps using searches to see how querying this data extracts a good deal of value very easily