Is there a way to run a SIEM search on rules so I can report out rules by name, status, last updated, updated by, rule text? Hoping to do this for SOPs and auditing rule changes.
I've looked for rule strings in UDM raw search and do not find anything.
If I manage my SIEM rules via GitHub I can do this from there.
Any thoughts, or is report editing simply not logged?
To the best of my knowledge, you can't run a UDM search or report to retrieve the metadata for your rules as you described. I think the best way to accomplish this is to call the list rules API method like you mentioned.
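As an added illustration of the approach in the answer above (this is example code written for this thread, not the poster's script or Google's sample code), the following builds the requested inventory (rule name, status, last updated, rule text) from a paginated "list rules" response. It assumes the legacy Detection Engine endpoint `GET https://backstory.googleapis.com/v2/detect/rules` returns a JSON object with a `rules` array and an optional `nextPageToken`, and that each rule carries `ruleId`, `versionId`, `ruleName`, `ruleText`, `liveRuleEnabled`, `alertingEnabled`, `versionCreateTime` and `compilationState`; verify those names against your own tenant. The two sample pages are constructed, and `make_http_fetcher` is only needed when you point it at the real API. Note that the list response does not say who made a change; "updated by" has to come from Cloud Audit Logs.

```python
"""Rule inventory report from the Google SecOps (Chronicle) Detection Engine
"list rules" API. Example added for this thread; not the poster's own code.
Field names and query parameters below are assumptions taken from the public
API samples; check them against your tenant's actual response."""
import csv
import io
from typing import Callable, Dict, Iterator, List, Optional

PageFetcher = Callable[[Optional[str]], Dict]

# Constructed sample pages standing in for two consecutive API responses.
SAMPLE_PAGES: Dict[Optional[str], Dict] = {
    None: {
        "rules": [
            {
                "ruleId": "ru_constructed_0001",
                "versionId": "ru_constructed_0001@v_1704449700_000000",
                "ruleName": "suspicious_login",
                "ruleText": 'rule suspicious_login { meta: author = "soc" ... }',
                "liveRuleEnabled": True,
                "alertingEnabled": True,
                "versionCreateTime": "2024-01-05T10:15:00Z",
                "compilationState": "SUCCEEDED",
            }
        ],
        "nextPageToken": "page-2",
    },
    "page-2": {
        "rules": [
            {
                "ruleId": "ru_constructed_0002",
                "versionId": "ru_constructed_0002@v_1706000000_000000",
                "ruleName": "stale_test_rule",
                "ruleText": "rule stale_test_rule { ... }",
                "liveRuleEnabled": False,
                "alertingEnabled": False,
                "versionCreateTime": "2024-01-23T08:53:20Z",
                "compilationState": "FAILED",
            }
        ]
        # no nextPageToken: last page
    },
}


def sample_fetcher(page_token: Optional[str]) -> Dict:
    """Offline stand-in for the HTTP call; returns the constructed page."""
    return SAMPLE_PAGES[page_token]


def make_http_fetcher(session,
                      base_url: str = "https://backstory.googleapis.com/v2/detect/rules",
                      page_size: int = 1000) -> PageFetcher:
    """Real fetcher. `session` is an authorized requests-style session, e.g.
    google.auth.transport.requests.AuthorizedSession built from service-account
    credentials with the chronicle-backstory scope (assumed, as in the samples)."""
    def fetch(page_token: Optional[str]) -> Dict:
        params = {"page_size": page_size}
        if page_token:
            params["page_token"] = page_token
        resp = session.get(base_url, params=params)
        resp.raise_for_status()
        return resp.json()
    return fetch


def iter_rules(fetch_page: PageFetcher) -> Iterator[Dict]:
    """Follow nextPageToken until the API stops returning one."""
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        yield from page.get("rules", [])
        token = page.get("nextPageToken")
        if not token:
            return


def rule_status(rule: Dict) -> str:
    """Collapse the compile state and live/alerting flags into one status word."""
    if rule.get("compilationState") != "SUCCEEDED":
        return "BROKEN"
    if rule.get("liveRuleEnabled") and rule.get("alertingEnabled"):
        return "LIVE+ALERTING"
    if rule.get("liveRuleEnabled"):
        return "LIVE"
    return "DISABLED"


COLUMNS = ["rule_name", "rule_id", "version_id", "status", "last_updated", "rule_text"]


def build_report(fetch_page: PageFetcher) -> List[Dict[str, str]]:
    """Flatten every rule into the columns an SOP / audit report needs."""
    return [
        {
            "rule_name": r.get("ruleName", ""),
            "rule_id": r.get("ruleId", ""),
            "version_id": r.get("versionId", ""),
            "status": rule_status(r),
            "last_updated": r.get("versionCreateTime", ""),  # time of the current version
            "rule_text": r.get("ruleText", ""),
        }
        for r in iter_rules(fetch_page)
    ]


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise the report; rule text containing quotes/newlines is CSV-escaped."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_report(sample_fetcher)))
```

Run it as-is to see the CSV for the constructed pages; swap `sample_fetcher` for `make_http_fetcher(session)` to report on a real tenant. Deriving a single `status` column makes it easy to flag rules that are live but failing compilation, which is the kind of drift an audit usually wants to surface.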
Cloud Audit logging might work.
The following log types are available for Google Security Operations audit logs with the chronicle.googleapis.com service name.
For more information, see Google SecOps permissions in IAM.
| Audit log type | What it covers | Example methods |
|---|---|---|
| Admin Activity audit logs | Admin write operations that write metadata or configuration information. Actions in Google Security Operations that generate this type of log include updating feeds and creating rules. | chronicle.googleapis.com/feeds.update, chronicle.googleapis.com/rules.create, chronicle.googleapis.com/parsers.activate |
| Data Access audit logs | Admin read operations that read metadata or configuration information, plus data read and data write operations that read or write user-provided data. Actions in Google Security Operations that generate this type of log include getting feeds and listing rules. | chronicle.googleapis.com/feeds.get, chronicle.googleapis.com/rules.list, chronicle.googleapis.com/curatedRuleSets.countCuratedRuleSetDetections |
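To show how the audit-log route answers the "updated by" and "last updated" part of the question, here is an added example (written for this thread, not taken from the docs or the poster) that reads exported Cloud Audit Log entries for the chronicle.googleapis.com service and produces a per-rule change history. It assumes the standard Cloud Logging AuditLog shape (`protoPayload.serviceName`, `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`, top-level `timestamp`) and the `chronicle.googleapis.com/rules.*` method names quoted above; the `AUDIT_FILTER` query, the rule resource path and all log lines are constructed for illustration.

```python
"""Who changed which detection rule, from Cloud Audit Logs for the
chronicle.googleapis.com service. Example added for this thread, not the
poster's code. Log shape and method names are assumptions based on the
standard AuditLog payload and the method names quoted in the answer."""
import json
from typing import Dict, Iterable, List, Optional

# Assumed starting point for a Logs Explorer / export query (':' is the
# substring operator in the Logging query language).
AUDIT_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" '
    'AND protoPayload.serviceName="chronicle.googleapis.com" '
    'AND protoPayload.methodName:"rules."'
)

RULE_METHOD_PREFIX = "chronicle.googleapis.com/rules."
READ_ONLY_SUFFIXES = (".list", ".get")  # Data Access methods we do not treat as changes

# Constructed sample export (newline-delimited JSON). Third line is deliberately
# malformed to show that the parser skips it instead of aborting.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-01-05T10:15:00Z",
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "chronicle.googleapis.com",
            "methodName": "chronicle.googleapis.com/rules.create",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/locations/us/instances/constructed-instance/rules/ru_constructed_0001",
            "requestMetadata": {"callerIp": "203.0.113.10"},
        },
    }),
    json.dumps({
        "timestamp": "2024-01-06T09:00:00Z",
        "protoPayload": {
            "serviceName": "chronicle.googleapis.com",
            "methodName": "chronicle.googleapis.com/rules.list",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project/locations/us/instances/constructed-instance",
        },
    }),
    '{"timestamp": "2024-01-07T00:00:00Z", "protoPayload": ',  # truncated line
    json.dumps({
        "timestamp": "2024-01-23T08:53:20Z",
        "protoPayload": {
            "serviceName": "chronicle.googleapis.com",
            "methodName": "chronicle.googleapis.com/rules.update",  # assumed sibling of rules.create
            "authenticationInfo": {"principalEmail": "carol@example.com"},
            "resourceName": "projects/example-project/locations/us/instances/constructed-instance/rules/ru_constructed_0001",
            "requestMetadata": {"callerIp": "198.51.100.7"},
        },
    }),
]


def parse_audit_lines(lines: Iterable[str]) -> List[Dict]:
    """Parse NDJSON log export, skipping lines that are not valid JSON objects."""
    entries = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            entries.append(obj)
    return entries


def is_rule_write(method: str) -> bool:
    """A rules.* method that is not one of the read-only Data Access calls."""
    return method.startswith(RULE_METHOD_PREFIX) and not method.endswith(READ_ONLY_SUFFIXES)


def extract_rule_change(entry: Dict) -> Optional[Dict[str, str]]:
    """Return a flat change record for rule-write entries, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "chronicle.googleapis.com":
        return None
    method = payload.get("methodName", "")
    if not is_rule_write(method):
        return None
    return {
        "time": entry.get("timestamp", ""),
        "actor": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        "method": method,
        "rule": payload.get("resourceName", ""),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp", ""),
    }


def rule_change_report(entries: Iterable[Dict]) -> List[Dict[str, str]]:
    """Chronological list of rule changes (RFC 3339 timestamps sort lexically)."""
    changes = [c for c in (extract_rule_change(e) for e in entries) if c]
    return sorted(changes, key=lambda c: c["time"])


def latest_change_by_rule(report: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each rule resource to its most recent change (last updated / updated by)."""
    latest: Dict[str, Dict[str, str]] = {}
    for change in report:  # report is chronological, so later entries overwrite
        latest[change["rule"]] = change
    return latest


if __name__ == "__main__":
    report = rule_change_report(parse_audit_lines(SAMPLE_LOG_LINES))
    for change in report:
        print(change["time"], change["actor"], change["method"], change["rule"])
    print(latest_change_by_rule(report))
```

Joining `latest_change_by_rule` output to the list-rules inventory on the rule id gives the full row the question asks for. Because these are Admin Activity logs, they are kept by default and cannot be disabled, which is what makes them suitable evidence for a rule-change audit trail; Data Access logs (the `rules.list` call that was filtered out here) have to be enabled explicitly.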