Security Operations: Step 3.1 - Detect | Threat Detection


The Google SecOps Threat Detection feature provides detection enrichment capabilities that let security analysts and detection engineers craft a detection from a basic pattern of event telemetry (for example, an outbound network connection). A single pattern of this kind can generate numerous detections for analysts to triage; the analysts then stitch together an understanding of what happened to trigger the alert and how significant the threat is.

Actions

View Alerts and IOCs

Google SecOps provides an Alerts and IOCs page that displays all the alerts and indicators of compromise (IOCs) currently affecting your enterprise, together with tools for filtering and viewing them.


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
  2. Select Alerts & IOCs to display the Alerts & IOCs page. 
  3. Users will see two tabs:
    1. Alerts
    2. IOC Matches
  4. Under the Alerts tab, users will have the following options in the popout page:
    1. Manage Columns
    2. Filter
    3. Status
    4. Clear All
    5. Search Bar
    6. Refresh Time
    7. Showing (Date Range)
    8. Refresh
    9. Alerts List Options
  5. Under the IOC Matches tab, users will see a Filters section consisting of:
    1. Associations
    2. Campaigns
    3. Categories
    4. GCTI Priority
    5. Sources
    6. Status
    7. Type
  6. At the top of the IOCs list popout, users will see Filter options consisting of:
    1. Filter
    2. Search Bar
    3. Date Range
    4. Refresh
    5. Download as CSV
  7. In the IOCs popout section, users will see a list of IOCs with multiple columns:
    1. IOC
    2. Type
    3. Status
    4. GCTI Priority
    5. Categories
    6. Sources
    7. Assets
    8. Severity
    9. Associations
    10. Campaigns
    11. First/Last Seen
    12. VirusTotal Context
Create/Monitor Events with Rules

Google SecOps Rules are the backbone of ensuring that data is actionable and aligned to the policies unique to your organization. Rules let your SecOps team tailor information and alerting to your organization's needs.


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
  2. Select Rules & Detections in the dropdown to display the Rules & Detections page. 
  3. The Rules & Detections page will display four tabs consisting of the following features:
    1. Rules Dashboard
    2. Rules Editor
    3. Curated Detections
    4. Exclusions
  4. In the Rules Dashboard, users will see the following features at the top of the page:
    1. Search Rules
    2. Data Freshness
    3. Last Refreshed Time
  5. Below in the Rules Dashboard users will be able to see a Rules List consisting of the Rules Search results.
  6. The Rules Dashboard results list consists of the following columns:
    1. Number of Detections Found Today
    2. Rule Name
    3. Detections Per Day
    4. Last Detection
    5. Author
    6. Severity
    7. Alerting
    8. Retrohunt
    9. Rule Type
    10. Run Frequency
    11. Live Status
  7. The Rules Editor page will display the capability to:
    1. Create New Rule
    2. Filter
    3. Reference List
  8. When users select the New Rule button, a Rules Editor Terminal will appear in the Rules Editor page.
  9. When a Rule is completed, users will have the option to Discard the Rule or Save New Rule.
  10. At the bottom-right of the Rules Editor, users can run a test on their new Rule by selecting Run Test.
  11. Users will have the capability to select from a Curated Detection list under the Curated Detections tab.
  12. At the top of the page, users will see a display of the highlighted Rules, consisting of:
    1. Enabled Rule Sets
    2. Most Active Rules
    3. Most Active Rule Sets
  13. Users will also be able to see in the main section of Curated Detections:
    1. Rules Sets
    2. Rules Dashboard
  14. In the Rule Sets section, users will see displayed, a list of Rule Sets, with the following columns:
    1. Name
    2. Last Updated
    3. Enabled Rules
    4. Alerting
    5. Capacity
    6. MITRE Tactics
    7. MITRE Techniques
  15. When a Rule Set is selected, users will see a display page of the Rule Set's Settings and Sources.
  16. In the Exclusions page, users will see a display of Exclusions, with the following columns:
    1. Exclusion Name
    2. Applied To
    3. Activity
    4. Created On
    5. Last Updated
    6. Status
  17. Users can create an Exclusion by selecting Create Exclusion.
  18. In the Create An Exclusion popup, users can filter out Detections that meet specific criteria, under the following entry fields:
    1. Exclusion Name
    2. Rule Set or Rule
    3. UDM Field
    4. Operator
    5. Values
    6. Add Conditional Statement
  19. Users will have an option to test the Exclusion Rule by selecting Run Test.
  20. To add the Exclusion Rule, users will select Add Rule Exclusion.
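As an added example (not code from the page or from Google), the following YARA-L 2.0 rule is the kind of text entered in the Rules Editor Terminal above, built on the outbound-network-connection pattern mentioned in the introduction. It assumes a reference list named approved_egress_ips has been created in List Manager; that list name and the meta values are constructed for this example.

```yaral
rule outbound_connection_to_unapproved_destination {
  meta:
    author = "detection-engineering"  // constructed value for this example
    description = "Outbound network connections from a host to destinations not on the approved egress list"
    severity = "MEDIUM"

  events:
    // Base pattern: an outbound network connection event in UDM.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"

    // Bind the source host and destination for the match and outcome sections.
    $e.principal.hostname = $host
    $e.target.ip = $dst

    // Reference list lookup (assumed list name); approved egress targets are ignored.
    not $e.target.ip in %approved_egress_ips

  match:
    // Aggregate per host over one hour so analysts get one detection per host,
    // not one per connection.
    $host over 1h

  outcome:
    $risk_score = max(50)
    $destination_ips = array_distinct($dst)
    $distinct_destinations = count_distinct($dst)

  condition:
    // Only fire when a host makes more than five unapproved outbound connections
    // in the window; single stray connections are handled by the exclusion flow.
    #e > 5
}
```

A host that is legitimately noisy (a proxy, for example) can be suppressed with an Exclusion on the principal.hostname UDM field rather than by editing the rule, which keeps the rule itself reusable.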
Risk Analytics

The Google SecOps Risk Analytics dashboard lets you view your environment through a risk-based lens. Visualizing entity risk trends helps you identify unusual behavior and understand the potential risk that entities pose to your enterprise.

The Risk Analytics dashboard lists at-risk entities and risk factor details.


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
  2. Select Risk Analytics in the dropdown to display the Risk Analytics page. 
  3. The Risk Analytics page will display two tabs consisting of the following features:
    1. Behavior Analytics
    2. Watchlists
  4. In the Behavior Analytics page, users will see the following sections:
    1. Summary Metrics
    2. Entities
  5. The Summary Metrics section will display the Total Count of Entities and Risk Score Distribution metrics.
  6. At the bottom of the Behavior Analytics page, users will see the Entities section consisting of the following columns:
    1. Entity Name
    2. Entity Type
    3. Normalized
    4. Normalized Change
    5. Normalized Trend
    6. Base
    7. Base Change
    8. Base Trend
    9. Findings Count
    10. First Seen in Window
    11. Last Seen in Window
  7. When users select a Risk Analytics entity, they will see the Findings Timeline, consisting of the Findings and the Entity Details.
List Manager

Google SecOps List Manager is a tool for managing reference lists and adding custom lists. Users can add scopes to reference lists, open the reference lists associated with rule sets, and add items to them.


Steps
  1. Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
  2. Select List in the dropdown to display the List Manager page. 
  3. The List Manager page will display a popout of the Lists available to the user, along with the List Details and who the List is Referenced By.
  4. Users will be able to Create a List by selecting Create in the List Manager.
  5. The List Manager will show a List Manager Details Terminal consisting of the following:
    1. Syntax Type
    2. Title
    3. Description
    4. Terminal
  6. When complete, users will select Save Edits.

Next Step: Security Operations: Step 4 - Investigate 

Previous Step: Security Operations: Step 3 - Detect 

Last update: 02-07-2025 07:37 AM