Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
A Look Back at Curated Detections
Rick Correa
Manager, Security Engineering
May 25, 2023

Chronicle's Curated Detections is a powerful capability that can help you identify and respond to security threats. In August 2022, we released our initial set of curated detections to identify a variety of threats facing our customers.

If you have yet to explore the curated content provided, Curated Detections are a collection of rules grouped together to cover specific threats. Since the initial release, we have continued to develop new rule sets to cover even more threats and have introduced a set of new powerful features to enable customers to build their own detections. In this post, we will discuss some of the new detections we have added since the initial launch.

New Curated Detections 

The following new curated detection rule sets are available:

Windows Centric:

  • Anomalous-Powershell - Detects PowerShell commands containing obfuscation techniques or other anomalous behavior.

  • Security-Downgrade - Detects behavior that impairs or disables common security tooling or detection capabilities.

  • Living-off-the-Land - Detects anomalous usage of tools native to Windows operating systems that can be abused by threat actors for malicious purposes.

Google Cloud Centric:

  • Admin-Action - Activity associated with Google Cloud administrative actions, deemed suspicious but potentially legitimate depending on organizational use.

  • IAM-abuse - Activity associated with suspicious Google Cloud IAM permissions or roles.

  • Resource-Masquerading - Activity masqueraded to appear as legitimate default resources or services in Google Cloud.

  • Suspicious-Infrastructure-Change - Activity involving modifications of infrastructure in Google Cloud.

  • Suspicious-Behavior - Activity that could be considered suspicious in some Google Cloud environments.

  • Service-Disruption - Activity that may indicate a Google Cloud service disruption has occurred.

  • Hacktools - Activity associated with known Offensive Security frameworks and/or Google Cloud-oriented hacktools.

  • Cloud SQL Ransom - Activity associated with threat actors ransoming Google Cloud SQL assets.

New IOC Enrichment within Chronicle

Additionally, we’ve been working at providing data enrichment to make customer generated content more actionable. Previously, customers would have to normalize, enrich, and post-process this data on their own. With built-in enrichments in entity and event data, we have the ability to provide security teams easier ways to build powerful and actionable alerting at the detection level, opening up the possibilities for powerful alert creation to amplify or dampen relevant threat detection signals. Some examples of enrichments we have developed include:

  • GeoIP - Leverage country, state, ASN, Carrier name, DNS and Organization name in your alerting.

  • Safe Browsing - Leverage Google’s Safe Browsing’s reputation service to help determine if a file is malicious.

  • WHOIS - Add whois data to your alerting to find potential phishing or masquerading domains. 

  • Google Cloud Threat Intelligence (GCTI) - Leverage Google’s threat intelligence to find TOR exit nodes, or identify benign binaries that Google has deemed as benign.

  • VirusTotal Metadata and Relationship Metadata - Leverage VirusTotal metadata that includes file compilation timestamps, digital signatures, entropy, and extracted network indicators (to name just a few fields available).  

How to use Curated Content

To enable Curated Detections, Chronicle offers a set of quick actions that will set up recommended rule settings. Alternatively, you can go into each rule pack and configure each set. This is all available in the Curated Detections tab under Rules.

When you click on a rule set you have settings for both precise and broad rules. Precise rules find malicious behavior with a high degree of confidence, with fewer false positives. Broad rules find behavior that could potentially be malicious or anomalous, but with typically more false positives.

Alerting can be switched on precise, broad, both or neither. Alerting will place the event in queue for an analyst where just activating the rule allows it to be run in the background and where the results can be analyzed and tuned using exclusions prior to adding it to your security operations processes. 

To view the performance of curated detections, click on Dashboard to view the rules that have fired and modify as needed.

What’s Next?

We are planning to continue to provide a quarterly update featuring some of the exciting work the Google Cloud Threat Intelligence (GCTI) team has been building into Curated Detections. We are also excited to be partnering with Mandiant on an upcoming rule set targeting the frontline threats observed by Mandiant.  We’re also working on more enrichments including a remote access tooling feed to identify remote access tools operating in customer environments to give customers the ability to alert or exclude any remote access tooling they are observing in their environments.

Threat Detection

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page