Skip to main content

Hello everyone,

We activated most of the curated detection rules that are available within SecOps SIEM (about 150 of them), but we are receiving close to none alerts from them (only one or two have been triggered so far). For how much I whish to think that everything is going nice, I am more prone to think there is actually some unnoticed issue within our configuration. 

My fear is that the log been injected are not right for those rules. In particular, within the Windows Threat set, some have "Log Sources: EDR". How can I test/check if the logs from our EDR are actually fine for these rules? (We are using MalwareBytes with a custom written parser).

We used the "Managed Detection Testing", but for what I see they test windows event source, not EDR.

Any insight about this?

 

Many thanks

@Tonio - There's some test rules available in curated detections that you can trigger with benign actions on an endpoint.  You can use these to validate the logs are flowing into chronicle and the content is being parsed into the fields the curated detections expect.
https://cloud.google.com/chronicle/docs/detection/verify-data-ingestion

@Tonio - There's some test rules available in curated detections that you can trigger with benign actions on an endpoint.  You can use these to validate the logs are flowing into chronicle and the content is being parsed into the fields the curated detections expect.
https://cloud.google.com/chronicle/docs/detection/verify-data-ingestion


Hi  @JeremyLand, thanks for your reply!

I totally missed it, and seeing it just only now, apologies! 

We used the test ruleset and we had positive results, but still at the moment we are unable to trigger some (most) of the curated detections. This is due to the fact that the rule scripts are not known, but based on the description and the log source for each, the tests we performed should have been effective.

Are there any documented scnearios o procedures  that we can be sure will trigger the different rulesets? 

Thanks for any advice!

 

@Tonio We have some improvements to Curated Detection rule transparency coming soon, but right now we don't have public docs for test/validation procedures beyond what is linked above.

If you have a Customer Success team on your account I recommend reaching out to them, they can provide a timeline around the pending transparency improvements and should be able to provide better descriptions or partial rule logic for many of the rules today.

I will be looking forward to them then!!

Thanks again, Jeremy.

A

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.