
How many of us will be at Google Next? I will be, and one of the items that I would like us to do as a community is to share our rules. Why do we all work in a vacuum? I am sure some people have some killer rules that they could share. 

We are in the middle of a cloud purple team engagement and now have some good rules around Azure. 


Good Morning, 


There are hundreds of community rules out on our GitHub page.


https://github.com/chronicle/detection-rules/tree/main/community




I'll be at Google Next in Vegas! Let's make sure to connect while out there! I agree with you about community sharing of YARA-L rules. @dnehoda do you know if @mccrilb can contribute to the GitHub repo that you shared out?


London, Vegas. Only the best locations 🙂



There is a way to contribute but it requires:


Contributions to this project must be accompanied by a Contributor License Agreement (CLA). You (or your employer) retain the copyright to your contribution; this simply gives us permission to use and redistribute your contributions as part of the project. Head over to https://cla.developers.google.com/ to see your current agreements on file or to sign a new one.


https://github.com/chronicle/detection-rules/blob/main/CONTRIBUTING.md


Everything is also reviewed, so you would need to understand that process better.


@David-French would probably know more.  



Hey @mccrilb,


Thanks for your interest in contributing some rules to this project!


@dnehoda is right. In a nutshell, here's the process to contribute to the chronicle/detection-rules GitHub repo.



  1. Sign the Contributor License Agreement (CLA) that @dnehoda mentioned above.

  2. Fork the chronicle/detection-rules repo under your GitHub account.

  3. Stage your proposed changes in a pull request with the main branch of chronicle/detection-rules as the target.

  4. We'll review your pull request and collaborate on the proposed changes.

  5. Your changes will be merged into the chronicle/detection-rules repo if they're approved.


Please familiarize yourself with the style guide for YARA-L rules in the community repo.


@mccrilb we've been working to revitalize the GitHub repo that's home to community-driven detection content for Google SecOps.


We're ready to collaborate on any rule contributions that Google SecOps users would like to make. You can learn more in this blog post. Thanks.
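Steps 2 and 3 of the process above (fork, topic branch, pull request) are easy to get wrong the first time, so here is an added shell walk-through that is not part of the thread or of the chronicle/detection-rules project. It rehearses the same git workflow entirely on local disk: a bare repo stands in for the upstream chronicle/detection-rules repository, a bare clone stands in for your GitHub fork, and a constructed YARA-L 2.0 skeleton stands in for the rule you would contribute (its fields are placeholders, not a real detection). The pull request itself is opened on GitHub against the main branch; the script stops at the point where the branch is ready for it.

```shell
#!/bin/sh
# Added example, not from the thread or the chronicle/detection-rules project.
# Simulates fork -> topic branch -> commit -> push using only local bare repos,
# so it runs without GitHub access. Replace the local paths with your real
# fork URL when doing this for chronicle/detection-rules.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GIT_AUTHOR_NAME="example" GIT_AUTHOR_EMAIL="example@example.invalid"
export GIT_COMMITTER_NAME="example" GIT_COMMITTER_EMAIL="example@example.invalid"

# Stand-in for the upstream repo (constructed: one commit with a community/ dir).
setup_upstream() {
  git init -q --bare "$WORK/upstream.git"
  git clone -q "$WORK/upstream.git" "$WORK/seed" 2>/dev/null
  mkdir -p "$WORK/seed/community"
  printf 'Community rules live here.\n' > "$WORK/seed/community/README.md"
  git -C "$WORK/seed" add -A
  git -C "$WORK/seed" commit -q -m "Seed community directory"
  git -C "$WORK/seed" push -q origin HEAD:main
  git -C "$WORK/upstream.git" symbolic-ref HEAD refs/heads/main
}

# Step 2 stand-in: a GitHub fork is a server-side copy of the repository.
fork_repo() {
  git clone -q --bare "$WORK/upstream.git" "$WORK/fork.git"
}

# Step 3 stand-in: clone the fork, keep upstream as a remote for later syncing,
# add the rule on a topic branch and push that branch back to the fork.
# The pull request is then opened from fork:add-<rule> to upstream:main.
contribute_rule() {
  rule_name=$1
  git clone -q "$WORK/fork.git" "$WORK/dev"
  git -C "$WORK/dev" remote add upstream "$WORK/upstream.git"
  git -C "$WORK/dev" checkout -q -b "add-$rule_name"
  # Constructed YARA-L 2.0 skeleton: placeholder values, not a real detection.
  cat > "$WORK/dev/community/$rule_name.yaral" <<'EOF'
rule example_placeholder {
  meta:
    author = "your name here"
    description = "placeholder: describe what the rule detects and why"
    severity = "Low"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.userid = $user

  match:
    $user over 1h

  condition:
    $e
}
EOF
  git -C "$WORK/dev" add "community/$rule_name.yaral"
  git -C "$WORK/dev" commit -q -m "Add $rule_name community rule"
  git -C "$WORK/dev" push -q origin "add-$rule_name"
}

# Returns 0 when the fork holds the topic branch and it carries the new file,
# i.e. the branch is ready to be turned into a pull request.
branch_pushed() {
  git -C "$WORK/fork.git" cat-file -e "refs/heads/add-$1:community/$1.yaral"
}

setup_upstream
fork_repo
contribute_rule azure_example
branch_pushed azure_example && echo "add-azure_example is on the fork; open the pull request against main"
```

Keeping `upstream` as a second remote matters during step 4: if reviewers ask for changes after main has moved, `git fetch upstream && git rebase upstream/main` on the topic branch keeps the pull request mergeable.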

