Using Chronicle curated detections
For Chronicle customers, the Google Cloud Threat Intelligence (GCTI) team offers out-of-the-box threat analytics as part of the Google Cloud Security Shared Fate model. As part of these curated detections, GCTI provides and manages a set of YARA-L rules to help customers identify threats to their enterprise. These GCTI-managed rules:
Provide customers with immediately actionable intelligence that can be applied to their ingested data.
Leverage Google's threat intelligence by providing customers with a simple way to use it within Chronicle.
Before you begin
For information about out-of-the-box threat detection policies, see the following:
To verify that data required for each policy is in the correct format, see Verify log data ingestion using test rules.
Chronicle Rules features
The following are some of the key Chronicle Rules features:
Chronicle Rule—Chronicle rule created and managed by GCTI for Chronicle customers.
Rule Sets—Collection of rules managed by GCTI for Chronicle customers. GCTI provides and maintains multiple Rule Sets. The customer has the option to enable or disable these rules within their Chronicle account and to enable or disable alerts for these rules. New rules and Rule Sets will be periodically provided by GCTI as the threat landscape changes.
Open the Chronicle Rules page and Rule Sets
To open the Chronicle Rules page, complete the following steps:
Select Rules from the main menu.
Click Rule Sets to open the Rule Sets tab.
The Rule Sets page provides information about each of the Rule Sets active for your Chronicle account including the following:
Last updated—Time GCTI last updated the Rule Set.
Enabled Rules—Indicates which of the Precise and Broad rules are enabled for each Rule Set. Precise rules find malicious threats with a high degree of confidence. Broad rules search for suspicious behavior that may be more common and produce more false positives. Both Precise and Broad rules might be available for a Rule Set.
Alerting—Indicates which of the Precise and Broad rules have alerting enabled for each Rule Set.
Mitre Tactics—Identifier of the Mitre ATT&CK® tactics covered by each Rule Set. Mitre ATT&CK® tactics represent the intent behind malicious behavior.
Mitre Techniques—Identifier of the Mitre ATT&CK® techniques covered by each Rule Set. Mitre ATT&CK® techniques represent specific actions of malicious behavior.
From this page, you can also enable or disable the rule and alerting for the rule. You can do this for either the broad or the precise rules.
Open the Chronicle Rules dashboard
The Chronicle Rules dashboard displays information about each Chronicle rule which has produced a detection against the log data in your Chronicle account. Rules with detections are grouped by Rule Set.
To open the Chronicle Rules dashboard, complete the following steps:
Select Rules from the main menu. The default tab is Chronicle Rules and the default view is Rule Sets.
Chronicle Rules dashboard
The Chronicle Rules dashboard displays each of the Rule Sets available to your Chronicle account. Each display includes the following:
Chart tracking the current activity for each of the rules associated with a Rule Set.
Time of the last detection.
Status of each rule.
Severity of recent detections.
Whether alerting is enabled or disabled.
You can edit the rule settings by clicking the three dot menu icon or the rule set name.
Click Rule Sets to switch back to the Rule Sets view. Rule Sets view provides information about each of the Rule Sets active for your Chronicle account.
Enable all Rule Sets
Use the Quick Actions menu to make the following changes to your Chronicle rules:
Set up recommended rule settings—Sets the following recommended settings for customers:
Enable all Rule Sets.
Set alerting to on for the precise Rule Sets.
Set up precise rules—Lets you enable or disable alerting for all of your precise rules.
Set up broad rules—Lets you enable or disable alerting for all of your broad rules.
View details about a Rule Set
You can modify the settings for any of your Chronicle rules by clicking the three dot icon to the right of any displayed rule and selecting View and edit rule settings. Specifically, you can enable all of the Rule Sets and turn alerting on or off for the precise rules within each Rule Set.
Reduce alerts from Rule Sets using reference lists
There are reference lists associated with each Rule Set. From the Rule Settings page, you can open a reference list associated with a specific Rule Set by clicking OPEN next to the list. You can add additional items to it.
The following is an example of the procedure you would follow to suppress alerts for a specific domain:
You are receiving alerts associated with a domain called probablyokay.com and you no longer want to receive these alerts.
Click OPEN next to the reference list. This opens the List Manager window.
Add probablyokay.com to the Rows field and click SAVE EDITS.
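To illustrate the mechanism behind this procedure, the following is an added YARA-L 2.0 rule written for this page; it is not one of the GCTI curated rules, whose contents are not shown here. The rule name, the reference list name allowlisted_domains and the event fields are assumptions, while the `in %list` membership test is standard YARA-L syntax: once a domain such as probablyokay.com is added to the list, its events stop matching and no further alert is raised.

```yaral
// Illustrative rule (not a GCTI curated rule): flag outbound HTTP to a
// domain unless an analyst has placed that domain on a reference list.
rule http_to_unreviewed_domain {
  meta:
    author = "example (assumed)"
    description = "HTTP connection to a domain absent from the allowlisted_domains reference list"
    severity = "LOW"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.target.hostname = $domain
    // Suppression point: adding "probablyokay.com" to the
    // allowlisted_domains reference list makes events for it stop matching.
    not $e.target.hostname in %allowlisted_domains

  match:
    $domain over 1h

  condition:
    $e
}
```

Editing the reference list changes what the rule matches going forward without modifying the rule itself, which is why the procedure above never touches the rule text.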
View Chronicle Rule Detections
You can view any of the Chronicle Rule detections in the Chronicle Rules Detection view. This view enables you to examine any of the detections associated with the rule and pivot to other views such as Asset view from the Timeline.
To open the Chronicle Rules Detection view for a Chronicle Rule, complete the following steps:
Click the rule name link in the Rule column.
Chronicle Rules Detection view