Is there a list of out-of-box Chronicle rules available somewhere to review? Similar to what SCC Premium provides here: https://cloud.google.com/security-command-center/docs/how-to-use-event-threat-detection
Hello,
Please see https://github.com/chronicle/detection-rules for some examples. The community directory has some newer rules that take advantage of recent Chronicle features (Entity Graph for example) and can be used as a starting point.
Hope this helps,
Mantha
Thank you.
A quick follow-up question (I don't have access to Chronicle at this time): for threat detection (malware, unauthorized access, etc.), does Chronicle provide a list of default detection rules similar to what Security Command Center Premium has, or does Chronicle need such a feed from SCC or other tools?
Hello,
Chronicle has curated detections that are out-of-the-box. See this documentation
Chronicle can ingest data from a variety of sources and custom rules can be written using the YARA-L 2.0 syntax.
Hope this helps,
Mantha
Thank you.
As per the documentation you shared, if I look into the 'Overview of Cloud Threats Category' section, it dictates correlation of different SCC findings. So there is a dependency for these rules, I assume.
Looking into the 'curated detections' section, there are screenshots in the documentation. I am wondering if Chronicle provides a list of out-of-box rules similar to this one: https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview#rules
Hello,
Yes, SCC feeds are required for the Curated Detections part. Regarding out-of-the-box rules, we have them at the GitHub repository and have documentation on how to write rules, but we do not provide examples in the product.
So these are all the rules available in the GitHub repo, right?
https://github.com/chronicle/detection-rules
Without an SCC Premium feed (or other third-party feeds), there won't be any out-of-box (not created by users) rules for the following threat detections (for example):
Malware: bad domain (MALWARE_BAD_DOMAIN)
Brute force SSH (BRUTE_FORCE_SSH)
Evasion: Access from Anonymizing Proxy (ANOMALOUS_ACCESS)
Any feedback please?
Hi,
Sorry, I thought I had answered this question in my earlier updates. You are right that we will not have out of the box rules without Curated Detections. The community rules can act as a starting point for writing your own rules.
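Since the answer above points to the community rules as a starting point for writing your own, here is what one of the detections listed earlier (brute force SSH) looks like as a custom YARA-L 2.0 rule. This is an added example written for this thread, not a rule from the chronicle/detection-rules repository or from Chronicle's curated detections. It assumes that SSH authentication logs have already been ingested and normalized into UDM as USER_LOGIN events with network.application_protocol set to SSH and security_result.action set to BLOCK on failure; the rule name, the 10-minute window and the threshold of 10 failures are constructed values for illustration.

```yaral
rule example_ssh_brute_force_from_single_source {
  meta:
    // Example rule written for this thread; not from chronicle/detection-rules.
    author = "community thread example"
    description = "Many failed SSH logins from one source IP to one host within a short window"
    severity = "MEDIUM"

  events:
    // Normalized login events whose outcome was a failure/block.
    // Assumes the parser maps SSH auth failures to these UDM fields.
    $login.metadata.event_type = "USER_LOGIN"
    $login.network.application_protocol = "SSH"
    $login.security_result.action = "BLOCK"

    // Bind the fields the match section groups on.
    $login.principal.ip = $source_ip
    $login.target.hostname = $target_host

  match:
    // One detection per (source IP, target host) pair per 10-minute window.
    $source_ip, $target_host over 10m

  outcome:
    // Counts and the set of targeted accounts are surfaced on the detection
    // so an analyst can triage without re-running the search.
    $failed_attempts = count($login.metadata.id)
    $targeted_users = array_distinct($login.target.user.userid)

  condition:
    // Fire only when at least 10 failed logins (constructed threshold) matched.
    #login >= 10
}
```

The threshold and window are the knobs to tune against your own baseline: a low threshold on a busy bastion host generates noise, while a long window smooths out slow, distributed attempts. The outcome variables are what make the detection useful to the responder, since they carry the attempt count and the list of targeted accounts into the alert itself.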
Thank you.