New to Chronicle: Community Rules

"New to Chronicle" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Platforms with Chronicle. You can view the entire series here.

As we reach the end of the year and approach the winter holiday season, I wanted to release one more blog in our series to put a bow on this year. CWIDT?

Today, we are going to focus on a common question that we get when users start digging into Chronicle: where can I find rules that I can start using immediately? Chronicle provides curated detections, which let admins toggle on rule packs that address specific categories of concern, like info stealers, initial access or anomalous PowerShell, to name a few. That’s a good start. However, for analysts who want to build their own rules, where can they find templates to leverage as they get started? Additionally, if detection engineers want to leverage the entity graph in their rules, how can they get started joining events and entities?

This is where community rules come in! Community rules are part of our Chronicle GitHub repository, which contains content that we are creating for workshops, blogs, conferences and research.

So, if you are just getting started with rules and would like to see an example of a multi-event rule that uses aggregation and thresholding that can be adapted to your environment, the password spray rule in community might help. This rule is also covered in our hands-on workshop on rule building!
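To show the shape such a rule takes, here is an added YARA-L 2.0 example written for this post. It is not the repository's password spray rule and not code from the original article. The rule name, the 10-minute window, the threshold of 10 distinct users and the risk score are all assumptions chosen for illustration; the UDM field paths are the standard ones for USER_LOGIN events but should be checked against the data your parsers actually populate.

```yaral
rule example_password_spray_distinct_users {
  meta:
    // Added editorial example, not a Chronicle community rule.
    author = "editor example"
    description = "One source IP fails authentication against many distinct user accounts inside a short window"
    severity = "MEDIUM"
    type = "alert"

  events:
    // Only failed logins count toward the spray; a single successful login
    // in the same window is deliberately not excluded here so that a spray
    // that eventually guesses one password still fires.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"

    // Placeholders bind the values we aggregate on. $ip is the grouping key,
    // $user is what we count.
    $login.principal.ip = $ip
    $login.target.user.userid = $user

  match:
    // Aggregate all matching events per source IP over a 10-minute window
    // (window length is an assumption; tune to your environment).
    $ip over 10m

  outcome:
    $risk_score = max(35)
    // Thresholding happens on this distinct count, not on raw event volume,
    // so one user mistyping a password 50 times does not trip the rule.
    $target_user_count = count_distinct($user)
    $target_users = array_distinct($user)
    $event_count = count($login.metadata.id)

  condition:
    // Threshold of 10 distinct users is an assumption for illustration.
    $login and $target_user_count >= 10
}
```

Run a rule like this with the test rule capability against historical data first: the distinct-user threshold and the window are the two knobs that separate a real spray from a shared NAT address with a handful of forgetful users.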

While we have covered a number of entity-graph-related rules in this blog series, like this one on prevalence, there are many additional rules that we’ve created within the threat_intel folder that leverage entity graph data. If you want to take DNS events and better understand how VirusTotal relationships interact, this rule could help.
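The basic mechanics of joining events to entities, as an added YARA-L 2.0 example for this post rather than one of the threat_intel rules from the repository: a DNS event and a threat-intel DOMAIN_NAME entity are pulled into the same rule by binding the same placeholder on both sides. The rule name, the one-hour window, the risk score and the `source_type` value are assumptions; the entity graph field paths under `graph.metadata` and `graph.entity` follow the documented UDM entity schema but should be verified against the entity data you actually ingest. This example shows the generic join pattern, not VirusTotal relationship data specifically.

```yaral
rule example_dns_query_for_threat_intel_domain {
  meta:
    // Added editorial example, not a Chronicle community rule.
    author = "editor example"
    description = "A host issues a DNS query for a domain that exists as a threat intel entity in the entity graph"
    severity = "MEDIUM"
    type = "alert"

  events:
    // Event side: DNS queries. The queried name is bound to $domain.
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.network.dns.questions.name = $domain
    $dns.principal.hostname = $host

    // Entity side: a DOMAIN_NAME entity from the entity graph. Because
    // $ioc.graph.entity.hostname is also bound to $domain, this is the join:
    // only DNS events whose queried name matches an indicator are kept.
    // The source_type value is an assumption; use whichever your feed sets.
    $ioc.graph.metadata.entity_type = "DOMAIN_NAME"
    $ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $ioc.graph.entity.hostname = $domain

  match:
    // Group by the matched domain so one detection summarises every host
    // that asked for it inside the window (window length is an assumption).
    $domain over 1h

  outcome:
    $risk_score = max(40)
    // Surface the entity-side context alongside the event-side facts so an
    // analyst sees which feed flagged the domain and which hosts touched it.
    $threat_feed = array_distinct($ioc.graph.metadata.threat.threat_feed_name)
    $querying_hosts = array_distinct($host)
    $host_count = count_distinct($host)

  condition:
    // Both the event variable and the entity variable must be present for
    // the join to have produced a match.
    $dns and $ioc
}
```

The point to notice is that nothing in the `events` section says "join"; the shared `$domain` placeholder is the join key, and the entity variable in the `condition` is what turns an ordinary DNS rule into an event-to-entity correlation.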

Earlier this year we partnered with Okta and my colleague Serhat Gülbetekin to develop a set of rules that can be used in Chronicle if you are ingesting Okta data. For users building use cases around Okta, this provides a way to accelerate this development.

If you are an analyst just getting familiar with YARA-L, or want to understand all of the components that should go into a rule to get the most out of it, we just released our style guide into the GitHub repository. This guide lays out best practices for rule writing in YARA-L. We’ve done our best to apply the concepts in the guide to the rules we publish in the community folder of the repo, and to align them with what we evangelize in our workshops on rule development.

One word of caution when it comes to Community Rules. We build these rules to: 

  • Serve as inspiration

  • Provide a template for additional customization

  • Show the way forward to building rules using data sets that users may not be familiar with

  • Demonstrate YARA-L's capabilities

This does not mean that these rules are production ready for every environment. Chronicle provides a test rule capability that should always be used to validate any rule against your own data before it goes live. Additionally, rule options allow a rule to run in the background, producing detections without generating alerts. Use both of these tools as you tune community rules for your environment.

Finally, as we look ahead to next year, we plan to publish more community rules to assist Chronicle users in getting a leg up on detection development. The Google Cloud Security Community site is the best place to keep up with new announcements on content and best practices. In fact, this month Ali Kapucu wrote about extending visibility into Chrome with Chronicle and David French about detecting suspicious domains in Chronicle. Their rules are posted to community rules, so if you like what you see in those blogs, go and download those rules too!

Thank you for your engagement and I hope everyone has a great holiday season!
