Chronicle Detect Rules

Chronicle Detect is a threat detection tool built on the power of Google's infrastructure. Learn more about Chronicle here.

With Chronicle Detect, you can use advanced rules out-of-the-box, create your own, or migrate rules over from legacy tools. The rules engine incorporates one of the most flexible and widely-used detection languages globally, YARA, which makes it easy to build detections for tactics and techniques found in the commonly used MITRE ATT&CK security framework.

In this post, we walk through Chronicle Detect rules, including the "rules dashboard", how to create new rules, and a quick look at the real-time threat indicators from Chronicle's threat research team, Uppercase, which help automate your search for security issues.

The dashboard

Here you can see how the "rules dashboard" looks. Rules are ordered by the number of detections over the past three weeks, so the rule at the top of the list is the one that has fired most often. The dashboard also displays each rule's activity over time, so you can see when a rule has produced detections, along with the rule's severity. This layout saves you time searching for detections: Chronicle has already ranked the rules that matter most.

To see more about a specific rule's detections, click the rule name; a new view opens with further information, such as a timeline of the matching events.

Creating a rule

By creating your own rules and using the out-of-the-box rules, you can detect activity that might indicate a security issue.
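As an added illustration (not a rule from the original post or from Chronicle's rule set), here is what a custom detection rule in Chronicle's YARA-L 2.0 syntax looks like when it carries a severity and a MITRE ATT&CK technique in its metadata; the UDM field names, the regexes and the risk score are assumptions chosen for the example:

```yaral
rule added_example_powershell_download_cradle {
  meta:
    // Metadata surfaces in the rules dashboard and in each detection.
    author = "added example, not part of the original post"
    description = "PowerShell started with a download cradle on the command line"
    severity = "Medium"
    mitre_attack_technique = "T1059.001"

  events:
    // Match process-launch events whose image is powershell.exe (assumed UDM fields).
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /powershell\.exe$/ nocase
    // Typical in-memory download primitives; regex is an illustrative assumption.
    $e.target.process.command_line = /(DownloadString|DownloadFile|Invoke-WebRequest)/ nocase
    // Bind the host so matches are grouped per machine.
    $e.principal.hostname = $host

  match:
    // One detection per host per hour rather than one per event.
    $host over 1h

  outcome:
    // Outcome variables can feed downstream triage; value is an assumption.
    $risk_score = 50

  condition:
    $e
}
```

The `match` window groups repeated hits on the same host into a single detection, which is what keeps a noisy rule from flooding the dashboard ordering described above.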