Skip to main content
Question

SECOPS CURATED RULES

  • July 3, 2026
  • 1 reply
  • 8 views

arv261095
Forum|alt.badge.img+5

Hi Folks any idea of how to use the curated ruleset in google secops as i can see thousands of rules but not sure which of them are essentially required any suggested approach around those

1 reply

a_aleinikov
Forum|alt.badge.img+7
  • Bronze 2
  • July 7, 2026

Hi ​@arv261095Ā , I would not enable all curated rules at once.

Start with the rule sets that match your actual log sources and security priorities. For example, identity, endpoint, cloud, email, network, or firewall rules depending on what data you are ingesting into Google SecOps. A practical approach is to enable rules in phases. Start with high-confidence and high-severity detections, monitor the alert volume, tune exceptions, and then expand gradually.

Also check whether each rule has the required data source available. A rule may be useful in theory, but it will not add much value if the required logs are missing or incomplete. I’d suggest creating a baseline first: top use cases, available log sources, expected alert volume, and ownership for investigation. Then enable curated rules by category rather than trying to decide rule by rule across the full library.