search to find changes in rules - SIEM

Is there a way to run a SIEM search on rules so I can report out rules by name, status, last updated, updated by, rule text? Hoping to do this for SOPs and auditing rule changes.

I've looked for rule strings in UDM raw search and do not find anything.

If I manage my SIEM rules via GitHub I can do this from there.

Any thoughts or is report editing simply not logged?

1 ACCEPTED SOLUTION

To the best of my knowledge, you can't run a UDM search or report to retrieve the metadata for your rules as you described. I think the best way to accomplish this is to call the list rules API method like you mentioned.

Cloud Audit logging might work.

Logs with service name chronicle.googleapis.com

The following log types are available for Google Security Operations audit logs with the chronicle.googleapis.com service name.

For more information, see Google SecOps permissions in IAM.

Audit log type: Admin Activity audit logs
Description: Includes admin write operations that write metadata or configuration information. Actions in Google Security Operations that generate this type of log include updating feeds and creating rules. Example operations:
  chronicle.googleapis.com/feeds.update
  chronicle.googleapis.com/rules.create
  chronicle.googleapis.com/parsers.activate

Audit log type: Data Access audit logs
Description: Includes admin read operations that read metadata or configuration information. Also includes data read and data write operations that read or write user-provided data. Actions in Google Security Operations that generate this type of log include getting feeds and listing rules. Example operations:
  chronicle.googleapis.com/feeds.get
  chronicle.googleapis.com/rules.list
  chronicle.googleapis.com/curatedRuleSets.countCuratedRuleSetDetections
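Putting the two answers together (the list-rules API for name, status, version and rule text; Cloud Audit Logs for who changed a rule and when), here is an added example of the report-building step. It is not code from this thread or from Google. It assumes the field names of the Detection Engine list-rules response (ruleId, ruleName, versionId, liveRuleEnabled, alertingEnabled, versionCreateTime, ruleText), the standard Cloud Audit Log protoPayload layout as exported from Cloud Logging, and a rules.update operation name assumed by analogy with the feeds.update entry in the table above; the real methodName strings may be the fully-qualified RPC names, which is why matching is done on "rule" plus a write verb rather than on exact strings. The API response and the audit entries below are constructed samples; in practice you would fetch the rules with the API and pull the audit entries from a Cloud Logging sink or export.

```python
"""Build a rule-change report for SOPs and change auditing (constructed example)."""
import csv
import io
import json
import re

# Constructed sample in the shape of a list-rules response (field names assumed).
SAMPLE_RULES_RESPONSE = json.dumps({"rules": [
    {"ruleId": "ru_0001", "versionId": "ru_0001@v_1705314600_000000",
     "ruleName": "suspicious_powershell_download",
     "ruleText": "rule suspicious_powershell_download { meta: ... events: ... condition: $e }",
     "liveRuleEnabled": True, "alertingEnabled": True,
     "versionCreateTime": "2024-01-15T10:30:00Z"},
    {"ruleId": "ru_0002", "versionId": "ru_0002@v_1706000000_000000",
     "ruleName": "legacy_vpn_brute_force",
     "ruleText": "rule legacy_vpn_brute_force { ... }",
     "liveRuleEnabled": False, "alertingEnabled": False,
     "versionCreateTime": "2024-01-23T09:00:00Z"},
]})

# Constructed sample: three Cloud Audit Log entries, one JSON object per line,
# as a Cloud Logging export would deliver them. rules.update is an assumed name.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2024-01-15T10:30:00Z",
     "protoPayload": {"serviceName": "chronicle.googleapis.com",
                      "methodName": "chronicle.googleapis.com/rules.create",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/example-project/locations/us/instances/example-instance/rules/ru_0001"}},
    {"timestamp": "2024-01-16T08:00:00Z",
     "protoPayload": {"serviceName": "chronicle.googleapis.com",
                      "methodName": "chronicle.googleapis.com/rules.list",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "resourceName": "projects/example-project/locations/us/instances/example-instance"}},
    {"timestamp": "2024-01-23T09:00:00Z",
     "protoPayload": {"serviceName": "chronicle.googleapis.com",
                      "methodName": "chronicle.googleapis.com/rules.update",
                      "authenticationInfo": {"principalEmail": "carol@example.com"},
                      "resourceName": "projects/example-project/locations/us/instances/example-instance/rules/ru_0002"}},
])

_RULE_ID = re.compile(r"/rules/([^/@]+)")          # rule id segment of a resourceName
_WRITE_WORDS = ("create", "update", "delete", "patch")


def flatten_rules(response_json):
    """Turn a list-rules response into flat rows: name, status, version, last update, text."""
    rows = []
    for r in json.loads(response_json).get("rules", []):
        rows.append({
            "rule_id": r.get("ruleId", ""),
            "name": r.get("ruleName", ""),
            "version": r.get("versionId", ""),
            "status": "live" if r.get("liveRuleEnabled") else "disabled",
            "alerting": "on" if r.get("alertingEnabled") else "off",
            "last_updated": r.get("versionCreateTime", ""),
            "rule_text": r.get("ruleText", ""),
        })
    return rows


def rule_changes(audit_log_jsonl):
    """Keep only rule write operations (Admin Activity) from exported audit entries."""
    changes = []
    for line in audit_log_jsonl.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "chronicle.googleapis.com":
            continue
        method = payload.get("methodName", "")
        lowered = method.lower()
        # Reads such as rules.list are Data Access logs, not changes; skip them.
        if "rule" not in lowered or not any(w in lowered for w in _WRITE_WORDS):
            continue
        match = _RULE_ID.search(payload.get("resourceName", ""))
        changes.append({
            "timestamp": entry.get("timestamp", ""),
            "actor": payload.get("authenticationInfo", {}).get("principalEmail", ""),
            "method": method,
            "rule_id": match.group(1) if match else "",
        })
    return sorted(changes, key=lambda c: c["timestamp"])


def attach_last_editor(rules, changes):
    """Add updated_by / updated_via from the most recent write seen for each rule id."""
    latest = {}
    for c in changes:            # ascending by timestamp, so the last write wins
        latest[c["rule_id"]] = c
    out = []
    for row in rules:
        c = latest.get(row["rule_id"])
        out.append({**row,
                    "updated_by": c["actor"] if c else "unknown",
                    "updated_via": c["method"] if c else ""})
    return out


def to_csv(rows):
    """Serialize report rows as CSV (rule text stays a column; tooling can drop it)."""
    buf = io.StringIO()
    if rows:
        writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
    return buf.getvalue()


def build_report(rules_json=SAMPLE_RULES_RESPONSE, audit_jsonl=SAMPLE_AUDIT_LOG):
    """Rules joined with the last audited editor per rule."""
    return attach_last_editor(flatten_rules(rules_json), rule_changes(audit_jsonl))


if __name__ == "__main__":
    print(to_csv(build_report()))
```

The join key is the rule id pulled from the audit entry's resourceName, so a rule that has never been written to since audit logging was enabled shows "unknown" rather than a guessed editor; enable Admin Activity logging for the service before you need the history, since the list-rules response alone carries no actor.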