Hello everyone,
We activated most of the curated detection rules that are available within SecOps SIEM (about 150 of them), but we are receiving close to no alerts from them (only one or two have been triggered so far). As much as I wish to think that everything is going well, I am more prone to think there is actually some unnoticed issue within our configuration.
My fear is that the logs being ingested are not right for those rules. In particular, within the Windows Threat set, some have "Log Sources: EDR". How can I test/check if the logs from our EDR are actually fine for these rules? (We are using MalwareBytes with a custom written parser).
We used the "Managed Detection Testing", but from what I see they test Windows event sources, not EDR.
Any insight about this?
Many thanks
@Tonio - There are some test rules available in curated detections that you can trigger with benign actions on an endpoint. You can use these to validate that the logs are flowing into Chronicle and the content is being parsed into the fields the curated detections expect.
https://cloud.google.com/chronicle/docs/detection/verify-data-ingestion
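As an added illustration (not code from this thread, from Google, or from the curated rules themselves): before expecting EDR-based detections to fire, a custom parser's output can be checked for whether it populates the UDM fields such rules typically key on. The required-field list and the sample parsed events below are constructed assumptions; the real curated rules' field requirements are not public.

```python
# Added example: field-coverage check over parsed UDM events, as a custom
# EDR parser would emit them. REQUIRED and SAMPLE_EVENTS are assumptions
# constructed for illustration; they are not the curated rules' actual logic.

# Assumed fields an EDR process-launch detection would need (dotted UDM paths).
REQUIRED = {
    "PROCESS_LAUNCH": [
        "principal.hostname",
        "principal.user.userid",
        "target.process.command_line",
        "target.process.file.full_path",
        "target.process.file.sha256",
    ],
}

def get_path(event, path):
    """Walk a dotted path through nested dicts; None if absent or empty."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur if cur not in (None, "", [], {}) else None

def missing_fields(event):
    """Return the required UDM fields this parsed event does not populate."""
    etype = get_path(event, "metadata.event_type")
    return [p for p in REQUIRED.get(etype, []) if get_path(event, p) is None]

def coverage_report(events):
    """Map each event_type to the fraction of events carrying every required field."""
    seen, complete = {}, {}
    for ev in events:
        etype = get_path(ev, "metadata.event_type") or "UNKNOWN"
        seen[etype] = seen.get(etype, 0) + 1
        if etype in REQUIRED and not missing_fields(ev):
            complete[etype] = complete.get(etype, 0) + 1
    return {t: complete.get(t, 0) / n for t, n in seen.items()}

# Constructed sample output of a hypothetical EDR parser (not real data).
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "principal": {"hostname": "ws01", "user": {"userid": "alice"}},
     "target": {"process": {"command_line": "notepad.exe notes.txt",
                            "file": {"full_path": "C:\\Windows\\notepad.exe",
                                     "sha256": "ab" * 32}}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"},   # partially parsed event
     "principal": {"hostname": "ws02"},
     "target": {"process": {"file": {"full_path": "C:\\Windows\\cmd.exe"}}}},
]
```

Running `coverage_report` over a day of parsed events per event type shows which fields the parser drops, which is the usual reason a rule that lists "Log Sources: EDR" never matches.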
Hi @JeremyLand, thanks for your reply!
I totally missed it, and seeing it just only now, apologies!
We used the test ruleset and we had positive results, but still at the moment we are unable to trigger some (most) of the curated detections. This is due to the fact that the rule scripts are not known, but based on the description and the log source for each, the tests we performed should have been effective.
Are there any documented scenarios or procedures that we can be sure will trigger the different rulesets?
Thanks for any advice!
A
@Tonio We have some improvements to Curated Detection rule transparency coming soon, but right now we don't have public docs for test/validation procedures beyond what is linked above.
If you have a Customer Success team on your account I recommend reaching out to them, they can provide a timeline around the pending transparency improvements and should be able to provide better descriptions or partial rule logic for many of the rules today.
I will be looking forward to them then!!
Thanks again, Jeremy.
A