Use curated detections to identify threats

The Google Cloud Threat Intelligence (GCTI) team offers predefined threat analytics. As part of these curated detections, GCTI provides and manages a set of YARA-L rules to help customers identify threats to their enterprise.

The GCTI-managed rules do the following:

  • Provide customers with immediately actionable intelligence which can be used against their ingested data.

  • Leverage Google threat intelligence by providing customers with a simple way to use this information through curated detections.

This document summarizes the steps required to use curated detections to identify threats, including how to enable curated detection rule sets, view detections generated by the rule sets, and investigate alerts.

Ingest the required data

Each rule set is designed to identify patterns in specific data sources and may require a different set of data, including the following:

  • Event data: describes activities and events that occurred related to services.
  • Context data: describes the entities, devices, services, or users defined in the event data. This is also called entity data.

In the documentation describing each rule set, also review the data required by the rule set.

Verify the ingestion of data

The following methods are available to verify successful data ingestion:

  • Data Ingestion and Health dashboard: lets you monitor ingestion from all sources.
  • Managed Detection Testing test rules: enable test rules to verify that the required incoming data both exists and is in the format required by the specific curated detection rule set.

Use the Data Ingestion and Health dashboard

Use the prebuilt SIEM dashboard, called Data Ingestion and Health, which provides information about the type and volume of data being ingested. Newly ingested data should appear in the dashboard within approximately 30 minutes. For more information, see Using SIEM dashboards.

(Optional) Use Managed Detection Testing test rules

Certain categories are also provided with a set of test rules that can help you verify that the data required for each rule set is in the correct format.

These test rules are under the Managed Detection Testing category. Each rule set validates that data received by the test device is in the format expected by rules for that specified category.

This is useful if you want to verify the ingestion setup or troubleshoot an issue. For detailed steps about how to use these test rules, see Verify data ingestion using test rules.

Enable rule sets

Curated detections are threat analytics delivered as YARA-L rule sets that help you identify threats to your enterprise. These rule sets do the following:

  • Provide you with immediately actionable intelligence which can be used against your ingested data.
  • Use Google threat intelligence by providing you with a simple way to use this information.

Each rule set identifies a specific pattern of suspicious activity. To enable and view details about rule sets, do the following:

  1. Select Detections > Rules & Detections from the main menu. The default tab is Curated detections and the default view is rule sets.
  2. Click Curated Detections to open the Rule Sets view.
  3. Select a rule set in the Cloud Threats category, such as CDIR SCC Enhanced Exfiltration Alerts.
  4. Set Status to Enabled and Alerting to On for both Broad and Precise rules. The rules will evaluate incoming data for patterns that match rule logic. With Status = Enabled, the rules generate a detection when a pattern match is found. With Alerting = On, the rules also generate an alert when a pattern match is found.

For information about working with the curated detections page, see the following:

If you don't receive detections or alerts after enabling a rule set, you can perform steps to trigger one or more test rules that verify data required for the rule set is being received and is in the correct format. For more information, see Verify log data ingestion.

Identify detections created by the rule set

The curated detections dashboard displays information about each rule that generated a detection against your data. To open the curated detection dashboard, do the following:

  1. Select Detections > Rules & Detections from the main menu.
  2. Click Curated Detections > Dashboard to open the Dashboard view. You will see a list of rule sets and individual rules that generated detections. Rules are grouped by rule set.
  3. Go to the rule set of interest, such as CDIR SCC Enhanced Exfiltration Alerts.
  4. To view the detections generated by a specific rule, click the rule. This opens the Detections page which displays the detections, plus the entity or event data that generated the detection.
  5. You can filter and search on the data in this view.

For more information, see View curated detections and Open the curated detection dashboard.

Tune alerts returned by one or more rule sets

You might find that the curated detections generate too many detections or alerts. You can reduce the number of detections a rule or rule set generates using rule exclusions. Rule exclusions are used only with curated detections, and not with custom rules.

A rule exclusion defines the criteria used to exclude an event from being evaluated by the rule set, or by specific rules in the rule set. Create one or more rule exclusions to help reduce the volume of detections. For example, you might exclude events based on the following Unified Data Model (UDM) fields:

  • metadata.product_event_type
  • principal.user.userid
  • target.resource.name
  • target.resource.product_object_id
  • target.resource.attribute.labels["Recipient Account Id"]
  • principal.ip
  • network.http.user_agent
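
Before creating an exclusion, it helps to see which events each candidate criterion would remove from evaluation. The following is an added example, not code from Google Security Operations: an offline Python model that resolves the UDM paths listed above against constructed sample events and reports what each exclusion would drop. The event values, the exclusion names, the single-condition exclusion shape, and the key/value representation of labels are assumptions of this sketch.

```python
import re

# Constructed sample events; snake_case names follow the UDM fields listed above.
def _event(eid, user, ips, ua, recipient=None):
    labels = [{"key": "Recipient Account Id", "value": recipient}] if recipient else []
    return {"id": eid,
            "principal": {"user": {"userid": user}, "ip": ips},
            "network": {"http": {"user_agent": ua}},
            "target": {"resource": {"attribute": {"labels": labels}}}}

EVENTS = [
    _event("e1", "svc-backup@example.com", ["10.0.0.5"], "curl/8.0", "111111111111"),
    _event("e2", "alice@example.com", ["203.0.113.7", "10.0.0.9"], "curl/8.0", "999999999999"),
    _event("e3", "svc-backup@example.com", ["10.0.0.5"], "python-requests", "999999999999"),
    _event("e4", "bob@example.com", ["198.51.100.4"], "Mozilla/5.0"),
]

# Hypothetical single-condition exclusions: name -> (UDM path, excluded values).
EXCLUSIONS = {
    "known_backup_recipient": ('target.resource.attribute.labels["Recipient Account Id"]',
                               {"111111111111"}),
    "backup_service_account": ("principal.user.userid", {"svc-backup@example.com"}),
    "curl_user_agent": ("network.http.user_agent", {"curl/8.0"}),
}

_SEGMENT = re.compile(r'([A-Za-z_]+)(?:\["([^"]+)"\])?')

def udm_values(event, path):
    """Return every value found at a UDM path (repeated fields flattened)."""
    nodes = [event]
    for name, label_key in _SEGMENT.findall(path):
        found = []
        for node in nodes:
            value = node.get(name) if isinstance(node, dict) else None
            if value is None:
                continue
            items = value if isinstance(value, list) else [value]
            if label_key:  # labels["key"] selects the value of the matching label
                items = [i["value"] for i in items
                         if isinstance(i, dict) and i.get("key") == label_key]
            found.extend(items)
        nodes = found
    return nodes

def preview(events, exclusions):
    """Return ({exclusion: [event ids it would drop]}, [event ids still evaluated])."""
    dropped, kept = {name: [] for name in exclusions}, []
    for ev in events:
        hits = [n for n, (path, values) in exclusions.items()
                if set(udm_values(ev, path)) & set(values)]
        for n in hits:
            dropped[n].append(ev["id"])
        if not hits:
            kept.append(ev["id"])
    return dropped, kept
```

In this sample, the exclusion on principal.user.userid also drops e3, where the same service account sends to a recipient account that is not on the known list, so the narrower label-based criterion is the safer choice.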

Investigate alerts created by the rule set

The Alerts & IOCs page gives context about the alert and related entities. You can view details about an alert, manage the alert, and view relationships with entities.

  1. Select Detections > Alerts & IOCs from the main menu. The Alerts view displays a list of alerts generated by all rules.
  2. Select the time range to filter the list of alerts.
  3. Filter the list by rule set name, such as CDIR SCC Enhanced Exfiltration. You can also filter the list by rule name, such as SCC: BigQuery Exfiltration to Google Drive with DLP Context.
  4. Click an alert in the list to open the Alerts & IOCs page.
  5. The Alerts & IOCs > Overview tab displays details about the alert.

Gather investigative context using entity graph

The Alerts & IOCs > Graph tab displays an alert graph that visually represents relationships between an alert and other alerts, or between an alert and other entities.

  1. Select Detections > Alerts & IOCs from the main menu. The Alerts view displays a list of alerts generated by all rules.
  2. Select the time range to filter the list of alerts.
  3. Filter the list by the rule set name, such as CDIR SCC Enhanced Exfiltration. You can also filter the list by the rule name, such as SCC: BigQuery Exfiltration to Google Drive with DLP Context.
  4. Click an alert in the list to open the Alerts & IOCs page.
  5. The Alerts & IOCs > Graph tab displays the alert graph.
  6. Select a node in the alert graph to view details about the node.

You can use the UDM search capability during your investigation to gather additional context about events related to the original alert. UDM Search lets you find UDM events and alerts generated by rules. UDM Search includes a variety of search options, enabling you to navigate through your UDM data. You can search both for individual UDM events and groups of UDM events related to specific search terms.

Select Search from the main menu to open the UDM Search page.

For information about UDM Search queries, see Enter a UDM search. For guidance about writing UDM Search queries optimized for performance and capabilities of the feature, see UDM Search best practices.

Create a response from an alert

If an alert or detection requires an incident response, you can initiate the response using SOAR features. For more information, see Cases overview and Overview of the Playbooks screen.
