Welcome to the Google Cloud Security Forums! Your ultimate security conversation spot. Collaborate with peers and experts to solve challenges, together.
Hello Everyone! I'm trying to build some widgets in my dashboard, but I have some problems with my query. I'm trying to show the severity for my custom rule detections and the curated detections in just one field. My problem comes down to not being able to use the field detection.detection.severity in my if condition, because this field is an "enum" data type, and the other field is a string data type.

Query →
$dynamic_severity = if(detection.detection.severity = "UNKNOWN_SEVERITY", detection.detection.outcomes["severity"], detection.detection.severity)

detection.detection.outcomes["severity"] → This is the severity of my custom rules (string data).

Feel free to send me other logic for this query!
Occasionally, we are experiencing an issue where a case is not created even though an alert is detected by a rule. When we contact support about this issue, we are usually told to update the Google Chronicle connector to the latest version. Updating often resolves the issue, but is it possible to create some kind of system that will automatically update when the latest version is released? If automatic updates are difficult, we would like to create a system that will notify us when an update is available. We look forward to your response. Best regards
Based on the available documentation I created a data table with data about my assets (hosts). I mapped columns to entity.asset.hostname, entity.asset.software.version etc. and I was expecting that this is enough to see this data being used to enrich entities and events. Unfortunately, I'm not seeing any effect in either entities or events. I'm running the following search to confirm that there is a match between the events and the data table (principal.hostname = "my_hostname" and principal.hostname in %my_datatable.Hostname) and I'm getting results, but the enriched data is just not there. I do realize that stitching enrichment takes place once every 24h, but I checked after a few days. The user I have is RBAC-based with the Chronicle API Admin rights level. What troubleshooting can I do to fix this issue?
Hey folks! In Q3, it was announced that Data Tables are now officially GA and alongside it, the Google Chronicle integration was updated with new actions that allow you to interact with them. In this guide, I will go through all relevant actions and explain how they work. If you are not familiar with Data Tables, please check this documentation.

❗❗ Important Note: Data Table actions are only supported for the Chronicle API. The Backstory API doesn't support them. To change the integration to work with the Chronicle API, you need to adjust the API Root in the integration configuration. Keep in mind that this will affect the whole integration and some action outputs are slightly different if executed with the Chronicle API. ❗❗

Initial State
To make it easier to follow the guide, I am going to create an initial state of a Data Table, which will be used as a reference across the guide:

Get Data Tables Action
The purpose of this action is to allow you to fetch information about available Data Tables (including
Hi SecOps Community, I am attempting to reproduce this superb blog post: https://dispatch.thorcollective.com/p/cant-hide-in-3d The blog post is written for Splunk, utilizing the resources here: Code Repository TTB Implementation SPL Code - GitHub TTB_BOTS_v2 GitHub TTB Framework Evolution MITRE TTP-Based Hunting Paper (2019) MITRE's 11 Strategies for a World-Class SOC (2022) MAD20 Course Materials (2024) Splunk Threat Hunter's Cookbook (2025) BOTS v2 Dataset Splunk Boss of the SOC v2 Dataset BOTS v2 Scenario Documentation Technical Implementation Splunk 3D Scatterplot Visualization

How can SecOps security engineers utilize datasets like BOTS? How do we utilize 3D scatterplot visualization in Chronicle? I dug through John Stoner's New to Chronicle series, and David French's posts, and I'd like to see a practical technical demonstration of these potent threat detection techniques, specifically TTB and utilizing community detection datasets like BOTS.
Hello Everyone, I am working on building native dashboards in Google SecOps and came across multiple issues related to global filters and drill-downs.

1. Additional Field Filters for Entity
I need to create a global filter on a native dashboard using graph.additional.fields["key"]. Has anyone been able to use Entity additional fields as filters in native dashboards? Example: graph.additional.fields["key"] = "value"

2. Time Range Filter Not Working as Expected
I applied a global filter using graph.metadata.interval.start_time across all charts in a native dashboard. When applied, no data is returned. But when editing an individual panel and applying the same time range, data is shown correctly.
👉 Question: Does the panel time filter actually use graph.metadata.interval.start_time, or is it mapped to another field internally? If so, which one?
(Screenshots: Global Filter, Panel Filter)

3. Drill-Down Default Time Range
I configured a drill-down on a column in a native dashboard. When I click drill-down, it
We're having trouble importing Salesforce SetupAuditTrail logs. Chronicle successfully calls Salesforce: /services/data/v50.0/query and our Salesforce instance returns logs from Salesforce: /services/data/v50.0/sobjects/EventLogFile/ but logs from /services/data/v51.0/sobjects/SetupAuditTrail/ are failing. What experience do other Chronicle users have with importing Salesforce logs, specifically SetupAuditTrail?
meta:
  author = "XXX XXX"
  description = "Detects a successful logon immediately following multiple failed logon attempts from the same IP or user, using specific Windows Event IDs."
  severity = "High"
  priority = "High"
  mitre = "T1110.001"
  yara_version = "YL2.0"
  tactic = "Credential Access"
  technique = "Brute Force"

events:
  // Event 1: Failed authentication attempts from Windows logs (4625).
  $fail.metadata.event_type = "LOGIN_FAILED" and
  $fail.principal.asset.ip = $ip_address and
  $fail.target.user.userid = $user_id

  // Event 2: A single successful authentication from the same IP (Windows 4624).
  $success.metadata.event_type = "LOGIN_SUCCESS" and
  $success.principal.asset.ip = $ip_address and
  $success.target.user.userid = $user_id

match:
  $ip_address, $user_id over 5m

outcome:
  $failed_attempts = count($fail)
  $alert_type = array_distinct("Successful Brute Force Attack via Event IDs 4624/4625")

condition:
  $success and $fail an
I want to build a Logstash parser to handle CEF-format logs where the field keys resemble nested structures with array indices. The CEF format includes key-value pairs, which I can extract using:

kv {
  source => "cef_event_attributes"
  field_split => "|"
  value_split => "="
  target => "cef_fields"
}

Here are a few example key-value pairs:

mitre1.enterprise.10.techniques.5.techniqueID = T1047
mitre1.enterprise.10.techniques.4.techniqueID = T1021
mitre1.enterprise.9.techniques.3.techniqueID = T1059
user = abc123

These are flattened field names. For example, mitre1.enterprise.10.techniques.5.techniqueID represents a path-like structure and can be interpreted (conceptually) as: mitre1[0].enterprise[10].techniques[5].techniqueID, though I don't need to construct a nested object, just treat the key as a full string.

✅ What I'm Looking For:
Is there any Logstash-native way to: Dynamically iterate over all key-value pairs in cef_fields? Skip a known field like user (which I can
So I am creating a dashboard that is breaking down events by event types. We are handling event types with tags within SecOps; however, tags are also being used in multiple other areas. What I am trying to create is a dashboard showing all cases with some defined tags in a pie chart, but I only want it to display THOSE defined tags, not any other tags that may be attached to the same cases. Excluding those tags in the query also excludes the cases they are attached to, which is no use. Is there a way to define an output list in the query that will only show the required tags? (This was possible in the legacy Dashboarding but I cannot seem to do it in the new Dashboarding.)
Hi All, I've looked high and low in search of a solution here, so hopefully someone here can help us. We provide access to specific cases and event data based on environments, but I cannot figure out how to have cases created by curated alerts automatically assigned to the correct environment based on feed. If anyone has documentation or can provide guidance on how this can be done, it would be much appreciated. We have an ingestion label of Org set up on specific feeds with the org names set as values, but it's unclear how we use this to have cases automatically created in the correct environments. If feed namespaces are the better method for this, cool, please let us know how we would go about doing that. The solution doesn't seem to be at the playbook level, since there's no action to move cases to specific environments based on conditions. Thanks, [removed by moderator]
Hello, I'm looking for advice regarding the operation of Chronicle SecOps. Currently, we're managing multiple Feeds (log ingestion sources) in SecOps, and our goal is to detect issues such as ingestion failures or delays on a per-Feed basis as early as possible and trigger alerts accordingly. At the moment, we haven't decided on any specific implementation method. We're considering various approaches, including built-in SecOps or Cloud Monitoring features, API integrations, or other cloud services, but we're not sure which would be the most effective or practical. If anyone has experience implementing Feed-level ingestion monitoring and alerting in Chronicle SecOps, I'd appreciate your recommendations, tips, or any lessons learned. Thank you!