Question

SECOPS CURATED RULES

  • July 3, 2026
  • 1 reply
  • 19 views

arv261095

Hi folks, any idea how to use the curated ruleset in Google SecOps? I can see thousands of rules but I'm not sure which of them are essentially required. Any suggested approach around those?

1 reply

hliu
  • Bronze 2
  • July 3, 2026

I’d suggest filtering / prioritizing / enabling those that matter for your environment, either by available data / technology or by MITRE tactics and techniques.

You could enable them first without alerting, just to assess detection volumes and reliability.

There might be 1000 curated rules for AWS but they won’t matter if there’s no AWS data in your environment.

In the SOAR, if you are using custom environments other than the default, you might want to check this post to decide where the detections from curated rules should go:


Other community fellows are using the detections from curated rules as additional signals for advanced composite detections, for instance to map the attack chain.

There’s also a curated rule agent skill by @cmmartin_google:
https://medium.com/@thatsiemguy/building-a-curated-detections-agent-skill-14dd58c15ee4
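The triage approach from the reply above (keep only rules whose log source is actually ingested, optionally narrow by MITRE tactic, then run a no-alerting assessment period before enabling alerts), as an added standalone example that is not part of the original thread. The rule inventory, ingested log sources, detection counts and the noisy threshold are all constructed sample data, not the Google SecOps API or its real curated rule names.

```python
"""Triage a curated-rule inventory: filter by available data and tactic,
then decide per rule what to do after a detection-only assessment week.
All data below is constructed; nothing here calls the SecOps API."""
from collections import Counter

# Constructed inventory: (rule name, required log source, MITRE tactic ID)
RULES = [
    ("aws_root_console_login", "AWS_CLOUDTRAIL", "TA0004"),
    ("aws_s3_bucket_made_public", "AWS_CLOUDTRAIL", "TA0010"),
    ("win_lsass_access", "WINDOWS_SYSMON", "TA0006"),
    ("win_new_service_installed", "WINDOWS_EVTX", "TA0003"),
    ("okta_mfa_bypass_attempt", "OKTA", "TA0006"),
]

# Constructed: log sources actually ingested in this environment (no AWS data)
INGESTED = {"WINDOWS_SYSMON", "WINDOWS_EVTX", "OKTA"}

# Constructed: detections per rule during the no-alerting assessment week
ASSESSMENT_DETECTIONS = Counter({
    "win_lsass_access": 3,
    "win_new_service_installed": 4200,
    "okta_mfa_bypass_attempt": 0,
})


def select_rules(rules, ingested, tactics=None):
    """Rules that can fire on available data, optionally limited to tactic IDs."""
    return [name for name, source, tactic in rules
            if source in ingested and (tactics is None or tactic in tactics)]


def recommend(selected, detections, noisy_threshold=500):
    """Map each selected rule to an action after the assessment period."""
    actions = {}
    for name in selected:
        hits = detections.get(name, 0)
        if hits > noisy_threshold:
            actions[name] = "tune before alerting"    # would flood the analyst queue
        elif hits == 0:
            # Zero hits may be a low base rate or a parser/field mismatch;
            # keep it detection-only until the data mapping is verified.
            actions[name] = "keep in detection-only"
        else:
            actions[name] = "enable alerting"
    return actions


if __name__ == "__main__":
    for rule, action in recommend(select_rules(RULES, INGESTED),
                                  ASSESSMENT_DETECTIONS).items():
        print(f"{rule:30} {action}")
```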