Using Chronicle curated detections

For Chronicle customers, Google Cloud Threat Intelligence (GCTI) team is offering out-of-the-box threat analytics as part of Google Cloud Security Shared Fate model. As part of these curated detections, GCTI provides and manages a set of YARA-L rules to help customers identify threats to their enterprise. These GCTI managed rules:

  • Provide customers with immediately actionable intelligence which can be used against their ingested data.

  • Leverages Google's threat intelligence by providing customers with a simple way to use it within Chronicle.

Before you begin

For information about out-of-the-box threat detection policies, see the following:

To verify that data required for each policy is in the correct format, see Verify log data ingestion using test rules.

Curated detections features

The following are some of the key curated detections features:

  • Curated Detection—curated detection created and managed by GCTI for Chronicle customers.

  • Rule Sets—Collection of rules managed by GCTI for Chronicle customers. GCTI provides and maintains multiple Rule Sets. The customer has the option to enable or disable these rules within their Chronicle account and to enable or disable alerts for these rules. New rules and Rule Sets will be periodically provided by GCTI as the threat landscape changes.

Open the curated detections page and Rule Sets

To open the curated detections page, complete the following steps:

  1. Select Rules from the main menu.

  2. Click Curated Detections to open the Rule Sets tab.

    Curated Detections

    Figure 1: Rule Sets

The Curated Detection page provides information about each of the Rule Sets active for your Chronicle account including the following:

  • Last updated—Time GCTI last updated the Rule Set.

  • Enabled Rules—Indicates which of the Precise and Broad rules are enabled for each Rule Set. Precise rules find malicious threats with a high degree of confidence. Broad rules search for suspicious behavior that may be more common and produce more false positives. Both Precise and Broad rules might be available for a Rule Set.

  • Alerting—Indicates which of the Precise and Broad rules have alerting enabled for each Rule Set.

  • Mitre Tactics—Identifier of the Mitre ATT&CK® tactics covered by each Rule Set. Mitre ATT&CK® tactics represent the intent behind malicious behavior.

  • Mitre Techniques—Identifier of the Mitre ATT&CK® techniques covered by each Rule Set. Mitre ATT&CK® techniques represent specific actions of malicious behavior

From this page, you can also enable or disable the rule and alerting for the rule. You can do this for either the broad or the precise rules.

Open the curated detection dashboard

The curated detection dashboard displays information about each curated detection which has produced a detection against the log data in your Chronicle account. Rules with detections are grouped by Rule Set.

To open the curated detection dashboard, complete the following steps:

  1. Select Rules from the main menu. The default tab is curated detections and the default view is Rule Sets.

  2. Click Dashboard.

    Curated Detections

    Figure 2: Curated Detections dashboard

  3. The Curated Detections dashboard displays each of the Rule Sets available to your Chronicle account. Each display includes the following:

    • Chart tracking the current activity for each of the rules associated with a Rule Set.

    • Time of the last detection.

    • Status of each rule.

    • Severity of recent detections.

    • Whether alerting is enabled or disabled.

  4. You can edit the rule settings by clicking the menu icon or the rule set name.

  5. Click Rule Sets to switch back to the Rule Sets view. Rule Sets view provides information about each of the Rule Sets active for your Chronicle account.

Enable all Rule Sets

Use the Quick Actions menu to make the following changes to your curated detections:

  • Set up recommended rule settings—Sets the following recommended settings for customers:

    • Enable all Rule Sets.

    • Set alerting to on for the precise Rule Sets.

  • Set up precise rules—Lets you enable or disable alerting for all of your precise rules.

  • Set up broad rules—Lets you enable or disable alerting for all of your broad rules.

View details about a Rule Set

You can modify the settings for any of your curated detections by clicking the menu icon of any displayed rule and selecting View and edit rule settings. Specifically, you can enable all of the Rule Sets and turn on or off alerting for the precise rules within each Rule Set.

You can also view all of the exclusions configured for the Rule Set. You can edit the exclusions by clicking View. See Configure rule exclusions for more information.

Rule Settings

Figure 3: Rules Settings

Reduce alerts from Rule Sets using reference lists

There are reference lists associated with each Rule Set. From the Rule Settings page, you can open a reference list associated with a specific Rule Set by clicking Open next to the list. You can add additional items to it.

The following is an example of the procedure you would follow to suppress alerts for a specific domain:

  1. You are receiving alerts associated with a domain called probablyokay.com and you no longer want to receive these alerts.

  2. Click OPEN next to the reference list. This opens the List Manager window.

  3. Add probablyokay.com to the Rows field and click Save Edits.

View Curated Detections

You can view any of the curated detections in the Curated Detection view. This view enables you to examine any of the detections associated with the rule and pivot to other views such as Asset view from the Timeline.

To open the Curated Detection view, complete the following steps:

  1. Click Dashboard.

  2. Click the rule name link in the Rule column.

    Curated Detection view

    Figure 4: Curated Detection view

What's next

For information about investigating GCTI alerts, see Investigate a GCTI alert.