
Security Command Center Enterprise: Step 4.1.3 - Remediation | Google SecOps | Detection

  • June 20, 2025
  • 0 replies
  • 92 views

Digital-Customer-Excellence
Staff


Detection

Threat Detection

The Google SecOps Threat Detection feature provides detection enrichment capabilities that let security analysts and detection engineers craft a detection on a basic pattern of event telemetry (for example, an outbound network connection), which generates numerous detections for analysts to triage. Analysts then attempt to stitch together an understanding of what happened to trigger the alert and how significant the threat is.


View Alerts and IOCs

Google SecOps features an Alerts and IOCs page that displays all the alerts and indicators of compromise (IOCs) currently affecting your enterprise. The page provides multiple tools that let you filter and view your alerts and IOCs.

 

Steps
  1. Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
  2. Select Alerts & IOCs to display the Alerts & IOCs page. 
  3. Users will see two tabs:
    1. Alerts
    2. IOC Matches
  4. Users will have options in the popout page, under the Alerts tab consisting of:
    1. Manage Columns
    2. Filter
    3. Status
    4. Clear All
    5. Search Bar
    6. Refresh Time
    7. Showing (Date Range)
    8. Refresh
    9. Alerts List Options
  5. Under the IOC Matches tab, users will see a Procedural Filtering section consisting of:
    1. IOC Categories
    2. IOC Confidence Score
    3. IOC Feed
    4. IOC/Alert Severity
  6. At the top of the IOCs list popout, users will see Filter options consisting of:
    1. IOC Matches
    2. Fetch Limit
    3. Download as CSV
    4. Refresh Time
    5. Date Range
  7. In the IOCs popout section, users will see a list of IOCs with multiple columns:
    1. IOC
    2. Categories
    3. Sources
    4. Assets
    5. Confidence
    6. Severity
    7. IOC Ingest Time
    8. First Seen
    9. Last Seen

Create/ Monitor Events w/ Rules

Google SecOps features Rules, which are the backbone of ensuring that data is actionable and aligned to your unique policies within Google SecOps. Rules allow your SecOps team to tailor information and alerting to the unique needs of your organization.

 

Steps
  1. Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
  2. Select Rules & Detections in the dropdown to display the Rules & Detections page. 
  3. The Rules & Detections page will display four tabs consisting of the following features:
    1. Rules Dashboard
    2. Rules Editor
    3. Curated Detections
    4. Exclusions
  4. In the Rules Dashboard, users will see the following features at the top of the page:
    1. Search Rules
    2. Data Freshness
    3. Last Refreshed Time
  5. Below in the Rules Dashboard users will be able to see a Rules List consisting of the Rules Search results.
  6. The Rules Dashboard results list consists of the following columns:
    1. Number of Detections Found Today
    2. Rule Name
    3. Detections Per Day
    4. Last Detection
    5. Author
    6. Severity
    7. Alerting
    8. Retrohunt
    9. Rule Type
    10. Run Frequency
    11. Live Status
  7. The Rules Editor page will display the capability to:
    1. Create New Rule
    2. Filter
    3. Reference List
      Note: Create New Rule is disabled in Google SCCE versions of SecOps.
  8. Users will have the capability to select from a Curated Detection list under the Curated Detections tab.
  9. At the top of the page, users will see a display of the highlighted Rules, consisting of:
    1. Enabled Rule Sets
    2. Most Active Rules
    3. Most Active Rule Sets
  10. Users will also be able to see in the main section of Curated Detections:
    1. Rules Sets
    2. Rules Dashboard
  11. In the Rule Sets section, users will see a list of Rule Sets with the following columns:
    1. Name
    2. Last Updated
    3. Enabled Rules
    4. Alerting
    5. Capacity
    6. MITRE Tactics
    7. MITRE Techniques
  12. When a Rule Set is selected, users will see a display page of the Rule Set's Settings and Sources.
  13. In the Exclusions page, users will see a display of Exclusions, with the following columns:
    1. Exclusion Name
    2. Applied To
    3. Activity
    4. Created On
    5. Last Updated
    6. Status
  14. Users can create an Exclusion by selecting Create Exclusion.
  15. In the Create An Exclusion popup, users can filter out Detections that meet specific criteria, under the following entry fields:
    1. Exclusion Name
    2. Rule Set or Rule
    3. UDM Field
    4. Operator
    5. Values
    6. Add Conditional Statement
  16. Users will have an option to test the Exclusion Rule by selecting Run Test.
  17. To add the Exclusion Rule, users will select Add Rule Exclusion.

List Manager

Google SecOps List Manager is a tool that allows users to manage reference lists and add custom lists. Users can add scopes to reference lists, open reference lists associated with rule sets, and add items to them.

 

Steps
  1. Users will navigate to the left-side Navigation Bar and then select Detection, which will display a dropdown menu.
  2. Select List in the dropdown to display the List Manager page. 
  3. The List Manager page will display a popout of the Lists available to the user, along with the List Details and who the List is Referenced By.
  4. Users will be able to create a List by selecting Create in the List Manager.
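As an added illustration (not code from the original post or from Google's documentation), the following YARA-L 2.0 rule shows how a reference list managed in List Manager is consumed by a detection rule built on the outbound-network-connection pattern described under Threat Detection. The rule name and the reference list name `suspicious_external_ips` are assumptions; the list would have to exist in List Manager before the rule compiles.

```yaral
rule outbound_connection_to_listed_ip {
  meta:
    author = "added example, not part of the original post"
    description = "Outbound network connection to an IP on the suspicious_external_ips reference list"
    severity = "MEDIUM"

  events:
    // Basic telemetry pattern: one outbound NETWORK_CONNECTION event.
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    $conn.network.direction = "OUTBOUND"

    // Bind the destination IP and the originating host to placeholders.
    $conn.target.ip = $dest_ip
    $conn.principal.hostname = $host

    // Assumed reference list name; list membership uses the `in %list` syntax.
    $dest_ip in %suspicious_external_ips

  match:
    // Group matching events per host over a one-hour window so that repeated
    // hits from the same host produce a single detection to triage.
    $host over 1h

  outcome:
    // Surface the distinct destination IPs and the event count in the detection.
    $destination_ips = array_distinct($dest_ip)
    $event_count = count($conn.metadata.id)

  condition:
    $conn
}
```

Adding an IP to the reference list in List Manager changes what this rule matches without editing the rule itself, which is why the page's List Manager and Rules features are typically maintained together.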
Next Step: Security Command Center Enterprise: Step 4.1.4 - Remediation | Google SecOps | Investigation

Previous Step: Security Command Center Enterprise: Step 4.1.2 - Remediation | Google SecOps | Ingestion