Rule triggered for the very first time in the SecOps

Hello team, I am looking for a few things at the content level, and if you can come up with something for these, it would be really helpful:

  1. Rule triggered for the very first time in the SecOps
  2. Rule not triggered in last 30 / 90 days
  3. Rule recently triggered, but not seen in last 90days

 


Hi @NASEEF,

When you say rule, are you referring to one of your own rules or Curated Detections?

In any case, the reason why the rule just triggered might be due to the following factors:

  1. Rule was recently enabled.
  2. Rule had been enabled, but the log source it was expecting was not parsed and it recently started getting parsed.
  3. For regular rules, it is likely the rule's logic recently changed and it now matches some of your environment's UDM events. This could also be a reason for Curated Detections, but they are not updated regularly.
  4. Lastly, it might just be that there are UDM events in your SecOps instance that match the rule's logic.

Apologies for the confusion.

What I'm trying to achieve is a setup where, if a rule triggers for the first time since it was enabled (for example, possibly the first time in two years), I should receive some sort of alert indicating that this is the first time we are observing this alert. Can I leverage a dashboard for this?

Similarly, I’d like to be notified about rules that have not triggered in the last 90 days, as well as rules that have recently triggered after a gap of 90 days or more.

@NASEEF +1 to using dashboards. You can query the detection fields through native dashboards. More info can be found in our documentation:

https://cloud.google.com/chronicle/docs/reports/native-dashboards

Using a dashboard at the moment is the best way to generate these kinds of items.

Hi @jstoner @Rene_Figueroa, we tried these scenarios using a dashboard. However, we are unable to get the expected results.

For "Rule not triggered in last 30 / 90 days", we tried the filters below, but it is not giving any detections, even though we do have data to produce the result. It should list the rules not triggered in the last 30 days timeframe.

1) Alert name is Any value

2) Detection time frame - 1 month

3) Detection rule count is 0


Please let us know if you have any idea how to achieve it.

I don't have something for Looker to share directly, but here is an example with search syntax that might provide some ideas on how this could work:

detection.detection.alert_state = "ALERTING"
timestamp.now() - detection.created_time.seconds < 604800
match:
detection.detection.rule_name
outcome:
$detection_count = count(detection.detection.rule_id)
$last_seen = timestamp.get_timestamp(max(detection.created_time.seconds))

The filter condition would need to be something like now minus the detection time is less than (30 days/90 days/whatever) to get the list of things that have not been seen.

I realize this doesn't solve for the "we have 100 rules and some have never fired" case, since we are looking at the detection data set, but it could address the "we had these rules firing in the past but we have not seen them recently" case.

 

@AV007 @NASEEF the syntax @jstoner provided is for our native dashboards.

https://cloud.google.com/chronicle/docs/reports/native-dashboards

If your instance is on IAM, then you can open a support case for us to enable the native dashboard in your instance, so you can try John's recommendation.

From the same dashboard, can I set a condition to give me the list of all the rules which were never triggered in the past one year?

That's what John is doing in the second line above. You'll need to adjust the count of seconds depending on the value you want to filter on. For tracking rules with no detections ever, you can also use the rules source for the dashboards:

$display_name = rules.display_name
rules.latest_detection_time.seconds = 0

match:
      $display_name
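To show how the three requests in this thread (first-ever detection, rule quiet for 30/90 days including rules that never fired, and a rule that came back after a gap of 90 days or more) can be computed from exported data, here is an added Python example. It is not code from the original thread or from Google SecOps; it assumes you have exported a rule inventory (the "rules" source) and a detection list (the "detections" source) with each detection's `created_time` in Unix seconds, and the sample rows below are constructed for illustration. As John notes above, the "first time" and "gap" checks depend on the detection history you can actually query: if retention is shorter than a rule's age, an old rule will look like it fired for the first time.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400  # seconds in a day

# Constructed sample data (not real SecOps output). NOW is fixed so the
# example is reproducible; in practice use the current time.
NOW_TS = int(datetime(2025, 4, 10, tzinfo=timezone.utc).timestamp())


def days_ago(n):
    """Unix seconds for n days before NOW_TS."""
    return NOW_TS - n * DAY


# Rule inventory: rule_id -> display name (hypothetical ids and names).
RULES = {
    "ru_1": "suspicious_powershell",
    "ru_2": "rare_admin_login",
    "ru_3": "dns_tunnel",
    "ru_4": "never_fired",
    "ru_5": "legacy_vpn_brute_force",
}

# Detections: (rule_id, created_time seconds). One row per detection.
DETECTIONS = [
    ("ru_1", days_ago(2)), ("ru_1", days_ago(5)), ("ru_1", days_ago(40)),
    ("ru_2", days_ago(3)),                             # only detection ever
    ("ru_3", days_ago(1)), ("ru_3", days_ago(200)),    # back after a long gap
    ("ru_5", days_ago(100)), ("ru_5", days_ago(120)),  # has gone quiet
]


def by_rule(detections):
    """Group detection timestamps per rule, sorted oldest first."""
    groups = defaultdict(list)
    for rule_id, ts in detections:
        groups[rule_id].append(ts)
    return {r: sorted(t) for r, t in groups.items()}


def first_time_rules(detections, now_ts, window_days):
    """Rules whose earliest known detection is inside the last window_days.
    Requires the full detection history to be meaningful."""
    cutoff = now_ts - window_days * DAY
    return {r for r, ts in by_rule(detections).items() if ts[0] >= cutoff}


def stale_rules(rules, detections, now_ts, days):
    """Rules with no detection in the last `days`, including rules that have
    never fired at all (the equivalent of rules.latest_detection_time.seconds = 0).
    Starting from the rule inventory is what catches the never-fired rules."""
    cutoff = now_ts - days * DAY
    last_seen = {r: ts[-1] for r, ts in by_rule(detections).items()}
    return {r for r in rules if last_seen.get(r, 0) < cutoff}


def reappeared_rules(detections, now_ts, gap_days, window_days):
    """Rules with a detection in the last window_days whose previous detection
    was at least gap_days earlier. A rule with a single detection is reported
    by first_time_rules, not here."""
    cutoff = now_ts - window_days * DAY
    found = set()
    for r, ts in by_rule(detections).items():
        for prev, cur in zip(ts, ts[1:]):
            if cur >= cutoff and cur - prev >= gap_days * DAY:
                found.add(r)
    return found


if __name__ == "__main__":
    for label, ids in (
        ("first detection in last 30 days", first_time_rules(DETECTIONS, NOW_TS, 30)),
        ("no detection in last 90 days", stale_rules(RULES, DETECTIONS, NOW_TS, 90)),
        ("fired again after 90+ day gap", reappeared_rules(DETECTIONS, NOW_TS, 90, 30)),
    ):
        print(f"{label}: {sorted(RULES[i] for i in ids)}")
```

The three functions mirror the three dashboard questions: `first_time_rules` is the minimum of `created_time` per rule compared against the window, `stale_rules` walks the rule inventory so rules with no detections at all are included, and `reappeared_rules` compares each detection with the one before it for the same rule.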

Thank you very much, team.

Let me try all these steps.

Hi Team, thanks for the response. We are able to achieve "rule not triggered" and "triggered within a specific time frame".

However, we are unable to solve the "Rule triggered for the very first time in the SecOps" item. Is there any way to identify whether the rule triggered for the very first time and not before, i.e. only once? In this case, within the last one year, I need to see the list of rules triggered for the very first time.

When you say "Rule triggered for the very first time in the SecOps", you mean the first time the rule creates a detection, correct?