chronicle/detection-rules

Google Security Operations Detection Rules

This repository contains example YARA-L rules and dashboards for use within Google Security Operations (SecOps).

The rules in this repository are distinct from Google SecOps Curated Detections, which are developed by Google Cloud Threat Intelligence and designed to generate highly actionable detections and alerts. Curated Detections are available to Google SecOps customers with an Enterprise license or higher.

Before deploying any rule, test it with Google SecOps' test rule functionality. This is considered a best practice and gives you the opportunity to tune the rule to your environment before creating alerts for it.

Dashboard YAML files can be imported into Google SecOps dashboards using the Add - Import Dashboard capability found next to the Personal Dashboards or Shared Dashboards section of the UI. These are sample dashboards intended to serve as templates, inspiration or starting points for your own dashboards, and they can be modified as you see fit.

Directory Structure

Directory           | Description
rules/community/    | YARA-L rules created by members of the Google SecOps team and user community
tools/rule_manager/ | CLI tool used to manage rules and other content via Google SecOps' REST API

Getting Started

Rules can be created within your Google SecOps instance by using the Rules Editor. Simply download the rule from the repository and copy the content of the rule to the rules editor when creating a new rule.

Detailed instructions can be found in your Google SecOps instance under documentation.

The rule manager tool and accompanying documentation & tutorials can be used to easily implement a Detection-as-Code pipeline for managing rules via Google SecOps' REST API.

How to Get Help

If you have questions related to this project, please open a new issue in this GitHub repository. You can also ask questions related to Google SecOps in the Google Cloud Security Community.

How to Contribute

Interested in contributing to this project? We'd love to hear from you! Example contributions include new rules and updates to existing rules.

Please refer to our contribution guide for further information.

Our style guide for authoring YARA-L detection rules can be found here.

Useful Resources

YARA-L rules and Unified Data Model (UDM)

Code Samples

About

Collection of YARA-L 2.0 sample rules for the Chronicle Detection API