Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
New SOC Prime detection rules available in Chronicle
April 29, 2021

The Chronicle team is excited to release new SOC Prime detection rules, now available to use in the Chronicle Detect rules engine. SOC Prime Threat Detection Marketplace is the industry standard one-stop shop for Detection as Code operations and practices, offering access to detection signatures across multiple languages. This new set of detection content makes it simple for security teams to incorporate and build new threat detection rules, and apply them across all the security telemetry stored in Chronicle.

The capabilities of the Chronicle Detect rules engine are accessed using the YARA-L threat detection language which was designed by and for security practitioners to express complex threat behavior. SOC Prime and Chronicle partnered closely to develop a Sigma to YARA-L converter so that you can easily port or migrate existing rules from legacy systems to Chronicle. And now, you can access 500+ YARA-L based SOC Prime rules — at no additional charge — in the Chronicle GitHub repository.

“We’re excited to partner with Chronicle and enable our customers to implement flexible SOC Prime rulesets to be used as part of the Chronicle Detect rule engine. These new detections will help security teams identify threats and IOCs across all of the security telemetry they feed into the Chronicle platform.” — Andrii Bezverkhyi, Founder and CEO, SOC Prime

This brand new content set offers rules in the following categories:

Cloud Security — rules related to IaaS, SaaS, or PaaS data sources, such as web skimming attacks, suspicious command line activity containing secrets, and the execution of threats like ntdsutil.exe.

Compliance — rules that cover compliance-related security controls. For example, the ability to configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Proactive Exploit Detection — rules related to CVEs and exploits. Examples include CVE detection, such as a vulnerable CRYPT32.DLL library, CVE-2020–1350 (SIGRED), as well as suspicious activity such as anonymous users changing machine passwords, RDP logins from non-private IP ranges, and potential abuse of Active Directory Replication Service (ADRS) from a non machine account.

Threat Hunting — rules for threat hunting hypotheses that develop an understanding of the customer attack surface. Rules such as “detect local user creation” create a basis for more advanced detections that build upon the knowledge that local users typically should not be created on windows servers such as Active Directory controllers.

Using SOC Prime rules, security teams can elastically apply these new detections across incoming and historical security telemetry in the Chronicle platform.

Chronicle customers can access the new SOC Prime rules in the soc_prime_rules folder, and can add them to their Chronicle via the Detection UI or the Detection API. All technical documentation is available in your Chronicle instance.

To learn more about Chronicle’s SOC Prime rules, check out the Chronicle GitHub repository and visit SOC Prime’s Threat Detection Marketplace. Read the blog post to learn more about the Chronicle Detect rules engine. Interested in learning more about Chronicle? Complete our contact form.

Threat Detection

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page