Hi,
I'm looking for timestamp details, such as when rules are enabled and disabled ( Alerting Mode/ Live Mode). I want to create a dashboard using this information. Please let me know if you have any insights.
Hi @AV007,
Are you ingesting Google Cloud Audit logs into your Google SecOps tenant? Specifically, the Google Cloud Audit Logs for the Google Cloud project that's linked to your SecOps tenant.
Here is a search query that identifies when rules in SecOps are created, updated, or deleted. The UpdateRuleDeployment log event contains information about whether a rule was enabled/disabled/archived, etc. This assumes that the Chronicle REST API is enabled for your SecOps tenant.
metadata.log_type = "GCP_CLOUDAUDIT"
(
metadata.product_event_type = "google.cloud.chronicle.v1alpha.RuleService.CreateRule" OR
metadata.product_event_type = "google.cloud.chronicle.v1alpha.RuleService.UpdateRule" OR
metadata.product_event_type = "google.cloud.chronicle.v1alpha.RuleService.UpdateRuleDeployment" OR
metadata.product_event_type = "google.cloud.chronicle.v1alpha.RuleService.DeleteRule"
)
You might find this two-part blog series helpful as well: https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Unexpected-Rule-Changes-in-Google-Security/ba-p/810901
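To turn the audit entries that query returns into dashboard rows (when each rule was created, deleted, or had its deployment enabled/disabled), here is an added Python example; it is not part of the answer above or of Google's tooling, the sample entries are constructed, and the request-payload field names (ruleDeployment.enabled/alerting, updateMask, resourceName) are assumptions about the audit entry layout, so check them against your own logs before relying on the flags column.

```python
import json

# Method names are the four from the search query in the answer above.
# The request-payload layout (ruleDeployment.enabled/.alerting and
# updateMask) is an ASSUMPTION about the audit entry, not a documented fact.
RULE_METHODS = {
    "google.cloud.chronicle.v1alpha.RuleService.CreateRule": "created",
    "google.cloud.chronicle.v1alpha.RuleService.UpdateRule": "updated",
    "google.cloud.chronicle.v1alpha.RuleService.UpdateRuleDeployment": "deployment_changed",
    "google.cloud.chronicle.v1alpha.RuleService.DeleteRule": "deleted",
}

# Constructed sample entries (not real audit data), deliberately out of order.
SAMPLE_LOG = """[
 {"timestamp": "2024-05-02T09:14:03Z", "protoPayload": {
   "methodName": "google.cloud.chronicle.v1alpha.RuleService.UpdateRuleDeployment",
   "authenticationInfo": {"principalEmail": "analyst@example.com"},
   "resourceName": "projects/example-proj/locations/us/instances/inst-1/rules/ru_example/deployment",
   "request": {"ruleDeployment": {"enabled": true, "alerting": true}, "updateMask": "enabled,alerting"}}},
 {"timestamp": "2024-05-01T17:40:00Z", "protoPayload": {
   "methodName": "google.cloud.chronicle.v1alpha.RuleService.CreateRule",
   "authenticationInfo": {"principalEmail": "analyst@example.com"},
   "resourceName": "projects/example-proj/locations/us/instances/inst-1/rules/ru_example",
   "request": {}}},
 {"timestamp": "2024-05-03T08:00:00Z", "protoPayload": {
   "methodName": "google.cloud.chronicle.v1alpha.RuleService.UpdateRuleDeployment",
   "authenticationInfo": {"principalEmail": "automation@example.com"},
   "resourceName": "projects/example-proj/locations/us/instances/inst-1/rules/ru_example/deployment",
   "request": {"ruleDeployment": {"enabled": false, "alerting": true}, "updateMask": "enabled"}}}
]"""

def rule_change_timeline(entries):
    """Return one row per rule-lifecycle audit entry, oldest first."""
    rows = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if method not in RULE_METHODS:
            continue  # some other audited call; not a rule change
        request = payload.get("request", {})
        flags = {}
        if method.endswith("UpdateRuleDeployment"):
            deployment = request.get("ruleDeployment", {})
            # report only the fields the update mask says were changed
            changed = [f.strip() for f in request.get("updateMask", "").split(",") if f.strip()]
            flags = {f: deployment[f] for f in changed if f in deployment}
        rows.append({"time": entry.get("timestamp"), "action": RULE_METHODS[method],
                     "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                     "rule": payload.get("resourceName"), "flags": flags})
    return sorted(rows, key=lambda r: r["time"])

def sample_timeline():
    return rule_change_timeline(json.loads(SAMPLE_LOG))
```

Feed the rows to whatever charting layer you use; the flags column gives you the enabled/alerting transitions per rule over time.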