Better understanding of curated detection rules

Hello everyone,

We activated most of the curated detection rules that are available within SecOps SIEM (about 150 of them), but we are receiving close to no alerts from them (only one or two have been triggered so far). As much as I wish to think that everything is going fine, I am more inclined to think there is actually some unnoticed issue within our configuration.

My fear is that the logs being ingested are not right for those rules. In particular, within the Windows Threat set, some have "Log Sources: EDR". How can I test/check whether the logs from our EDR are actually fine for these rules? (We are using MalwareBytes with a custom-written parser.)

We used the "Managed Detection Testing", but from what I see it tests Windows event sources, not EDR.

Any insight about this?

Many thanks

@Tonio - There's some test rules available in curated detections that you can trigger with benign actions on an endpoint. You can use these to validate the logs are flowing into Chronicle and the content is being parsed into the fields the curated detections expect.
https://cloud.google.com/chronicle/docs/detection/verify-data-ingestion
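One complementary check for the parser side of the question, as an added example that is not part of the thread or of Google's documentation: walk a sample of the UDM-normalized events your custom EDR parser produces and count which fields are missing. The UDM field list in REQUIRED is an assumption for a process-launch style rule (the thread does not say which fields any given curated rule reads), and the sample events are constructed.

```python
# Added example (not from the thread): does a UDM-normalized EDR event carry the
# fields a curated rule would key on? Which UDM fields each curated rule reads is
# not stated in the thread; REQUIRED is an assumption for a process-launch rule.
from collections import Counter

REQUIRED = {  # assumed per-event-type UDM fields a rule would read
    "PROCESS_LAUNCH": ["principal.hostname", "principal.process.file.full_path",
                       "principal.process.command_line", "principal.user.userid"],
}

def get_path(event, dotted):
    """Walk a dotted UDM path through nested dicts; None when absent or empty."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return None if cur in ("", None, [], {}) else cur

def missing_fields(event):
    """Required fields this event lacks; no event_type at all is its own gap."""
    etype = get_path(event, "metadata.event_type")
    if etype is None:
        return ["metadata.event_type"]
    return [f for f in REQUIRED.get(etype, []) if get_path(event, f) is None]

def coverage_report(events):
    """How often each required field is missing across a sample. A field absent
    in every event points at a parser mapping gap rather than a quiet estate."""
    gaps = Counter()
    for ev in events:
        gaps.update(missing_fields(ev))
    return dict(gaps)

# Constructed sample of what a custom EDR parser might emit.
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "principal": {"hostname": "ws01", "user": {"userid": "alice"},
                   "process": {"file": {"full_path": "C:\\Windows\\System32\\cmd.exe"},
                               "command_line": "cmd.exe /c whoami"}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"},  # command line never mapped
     "principal": {"hostname": "ws02", "user": {"userid": "bob"},
                   "process": {"file": {"full_path": "C:\\Windows\\explorer.exe"}}}},
    {"principal": {"hostname": "ws03"}},  # parser emitted no event_type
]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_EVENTS))
```

Feed it a few hundred real events exported from the SIEM for the EDR log source; a field that is missing in every event is a parser mapping problem, not a sign of a quiet environment.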