
The new composite rules are slick. 

So far, we have created three provider rules: local Host Discovery, AD Discovery, and Privilege Escalation. 

We have two consumer rules, one for the two discovery provider rules and one for all three providers.

I did find that we can't use the command history in the provider rules. This could be due to the complexity of these discovery rules. They do work very well on the process command field, though.

One issue that I see very quickly, though, is the lack of rule management functionality. The flat file type structure within the SIEM makes it difficult to understand any rule groupings that are created. Are there any plans to address this? 


There is work underway to overhaul the rule management experience. I'm not sure on the exact timelines for delivery, but the work should address the "flat" nature of the rule management UI.


What did you mean by:



I did find that we can't use the command history in the provider rules. This could be due to the complexity of these discovery rules.  

We have two reference lists with regex statements for the discovery commands, and we are looking at at least four hits. I set up a rule for the target process command line and one rule for the command history. The rule for the command history displayed the processing error on the detections page. 



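The provider/consumer logic described in the post above, as an added example that is not part of this thread or of the SIEM's own rule language: the two regex reference lists and the process events are constructed stand-ins, and the "at least four hits" threshold is counted as distinct matched patterns per host rather than raw event count.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the two regex reference lists the post describes.
# The real lists live in the SIEM; these patterns are illustrative only.
HOST_DISCOVERY = [r"^whoami\b", r"^hostname\b", r"^ipconfig\b", r"^systeminfo\b", r"^net\s+user\b"]
AD_DISCOVERY = [r"^nltest\b", r"^dsquery\b", r"^net\s+group\b", r"^Get-ADUser\b"]

# Constructed sample process events as (hostname, command line) pairs.
SAMPLE_EVENTS = [
    ("ws01", "whoami /all"), ("ws01", "hostname"), ("ws01", "ipconfig /all"),
    ("ws01", "systeminfo"), ("ws01", "nltest /dclist:corp"), ("ws01", "dsquery user"),
    ("ws01", 'net group "Domain Admins" /domain'), ("ws01", "Get-ADUser -Filter *"),
    ("ws02", "whoami"), ("ws02", "whoami"), ("ws02", "whoami"), ("ws02", "whoami"),
    ("ws03", "whoami"), ("ws03", "hostname"), ("ws03", "ipconfig"),
]


def count_distinct_hits(events, patterns):
    """Map host -> set of reference-list entries that matched at least once.

    Counting distinct entries (not events) means one command repeated four
    times does not reach the threshold on its own.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = defaultdict(set)
    for host, cmdline in events:
        for idx, rx in enumerate(compiled):
            if rx.search(cmdline.strip()):
                hits[host].add(idx)
    return hits


def provider_rule(events, patterns, threshold=4):
    """Hosts whose distinct-hit count reaches the threshold (the post's 'at least four hits')."""
    hits = count_distinct_hits(events, patterns)
    return sorted(host for host, matched in hits.items() if len(matched) >= threshold)


def consumer_rule(events, reference_lists, threshold=4):
    """Composite view: hosts that fired for every provider list supplied."""
    fired = [set(provider_rule(events, p, threshold)) for p in reference_lists]
    return sorted(set.intersection(*fired)) if fired else []
```

Feeding the same functions a command-history string instead of a process command line exercises identical matching, which is useful when comparing the two rules the post mentions.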

Can you share that error? 




Some runtime errors were detected that may impact detection results

