Community & Learning workshop - RSAC 2024
Attending RSAC 2024? Join us at the upcoming Google Security Operations workshop, where we'll do a deep dive i...
Forum Posts
New Google Cloud Security Customer Success Services Available!
We are excited to announce the availability of Google Cloud Security Customer Success subscriptions. Optimize ...
metrics - data is being bucketed on a daily basis across a window of 30 days.
I am reaching out in relation to:https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-U...
Throttle Rule Alerts
Hi #community,Is there any option to throttle or prevent a rule with same criteria triggers for x period of ti...
Problem with outcome aggregation (array) for a multiple-event rule
Hello,I struggle with the outcome section for a rule i'm working on at the moment. I looked in the documentati...
Aggregate functions in metrics
I am reaching out in relation to the following metrics post:https://www.googlecloudcommunity.com/gc/Community-...
Dynamic risk score assigning in outcome section
Hi guys,I am creating a yara rule to find the lateral movement of the users. But i am stuck at assigning risk ...
Yara-l outcome problems
Hi!I want to create a rule that contemplates different clients($udm.metadata.ingestion_labels["customer"]) and...
500K CIDR Block inclusion List
We have a list of ~500k CIDRs previously used as a lookup table in Splunk that we would like to replicate as a...
YARA-L Rule Using External List
Hi, My reading suggests otherwise but wanted to ask on here whether anyone had successfully managed to create ...
Needhelp with yara rule to find the users who are accessing the website which is hosted in AppEngine
Hi everyone,I'm currently working on setting up some security monitoring for my Google App Engine-hosted websi...
How Do I Delete A Reference List?
Hey Folks, I ran into a situation today where I wanted to delete a reference list but couldn't figure it out. ...
assistance in YARA rule
HiI need to migrate the below Splunk alert to Chronicle , can some one assist how this can be converted in YAR...
YARA-L, Rule Schreiben
Hi,i have wrotten a new Rule, but it shows always 2 or more Events/Alerts. I want to see only one Event at a s...
Statedump of a for loop
Hello!I am trying to understand the statedump of a for loop.Raw log in JSON: { "data":{ "businessPhones":[ "(1...
WMIC Suspicious Scheduled Tasks and WMIC File Download
Hi, Does anyone have a sample rule example for detecting WMIC Suspicious Scheduled Tasks and WMIC File Downloa...
Google - Next - Content Development - SIEM
How many of us will be at Google Next? I will be, and one of the items that I would like us to do as a communi...
Can i use last seen for a user in a rule
Hi I would like to know if i can user the last seen metric of a user in a YARA rule , if yes while i am using ...
Alert for silent log source
Hi Team,Can anyone provide an insight on how can we create an alert if a log source (Let's assume a principal....
what is "idm" in UDM fields in Chronicle?
In Chronicle, UDM stands for Unified Data Model.But in some UDM fields, like the following, there is an "idm":...
Chronicle Rule
Hello,Can I create a rule that will alert me every time a new user is created in gcp? how?Thank you.
UDM Search to find triggered alerts
Is there anyway of querying via a UDM search to find alerts that have triggered?Thanks
Is raw log search and entity search the same?
Hello,I am looking at the following preview documentation:https://cloud.google.com/chronicle/docs/preview/sear...
How to write a use cases for any network devices
Hi All,Please help us, how to write the use cases for Network devices in SIEM.Please share with me if have any...
Hacking Tools - SharpH0und, Cred Dumping, etc.
Hello Experts, Can someone please provide some sample rules to detect SharpH0und, Cred Dumping?Is this one of ...
WebShell detections
Hello Experts, Can someone please provide some sample rules to detect WebShell detections?In Essense are tryin...
semantic analysis: match variable encoded_value is not assigned to an event field - help required
Hi all, I am having an issue with the error message in the title field and some help would be really appreciat...
Randomized powershell executables - hash is poweshell.exe but file name is different.
Can someone please provide some guidance on how to go about writing a YARA-L rule for to detect this?- Randomi...
UDM search
I am looking at the following blog:https://chronicle.security/blog/posts/new-to-chronicle-a-new-view-for-searc...
Help with YARA-L Rule
I need to create a rule that will trigger an alert every time a new bucket is created in GCP.I tried to do thi...
remote login analysis using IP addresses - unreliable?
@Marie_Chudolij YouTube video 2-27-24 - Chronicle SOAR to the Rescue: Orchestrate SIEM Reference List Updates ...
Empowering Detection Engineering with Chronicle SIEM and Mandiant Security Validation
Empowering Detection Engineering with Chronicle SIEM and Mandiant Security Validation Introduction Detection e...