Detect threats

This guide is for detection engineers who want to detect threats in their organization. It explains how to use the unified rules interface to find, deploy, and monitor detections faster.

Common use cases

Common use cases for this workflow include the following:

Accelerated rule deployment

Objective: Quickly identify and enable curated detections for specific adversary tactics (for example, Initial Access).

Value: Reduces the mean-time-to-detect (MTTD) for common attack vectors without requiring manual rule development.

Centralized rule lifecycle management

Objective: Monitor rule execution, status, and deployment history from a single console.

Value: Improves operational oversight and ensures that active detections are performing as expected.

Key terminology

  • Curated detections: Prebuilt detection sets managed by Google Cloud security experts.

  • Unified rules interface: A consolidated management console for both custom YARA-L rules and curated content.

  • Rule deployment: The state of a rule (live or archived) and its associated alerting configuration.

  • Retro hunt: A process that runs a rule against historical data to find past instances of a threat.

Before you begin

If your team uses custom IAM roles, make sure you have the following permissions for working with the unified rules dashboard and editor.

Rules dashboard permissions

To view the rules dashboard, your role needs the following IAM permissions:

  • chronicle.rules.list
  • chronicle.retrohunts.list
  • chronicle.ruleDeployments.list
  • chronicle.legacies.legacySearchCustomerStats
  • chronicle.legacies.legacyGetRuleCounts
  • chronicle.legacies.legacyGetRulesTrends
  • chronicle.legacies.legacyGetCuratedRulesTrends

To edit rules from the dashboard (start retro hunts, change deployments, modify rules), your role needs the following IAM permissions:

  • chronicle.retrohunts.create
  • chronicle.ruleDeployments.update
  • chronicle.ModifyRules

Rules editor permissions

Each entry lists the editor component, the IAM permission it requires if you use IAM, and the analyst permission it requires if you use legacy RBAC.

  • Rules editor page: chronicle.ruleDeployments.list and chronicle.rules.list (IAM); detectRulesView (legacy RBAC)
  • Related reference list section: chronicle.referenceLists.get and chronicle.referenceLists.list (IAM); referenceListView (legacy RBAC)
  • Related data table section: chronicle.dataTables.get and chronicle.dataTables.list (IAM); N/A (legacy RBAC)
  • Create new rule button: chronicle.rules.verifyRuleText and chronicle.rules.create (IAM); detectRulesCreate (legacy RBAC)
  • Test rule button: chronicle.legacies.legacyRunTestRule (IAM); detectRulesRun (legacy RBAC)
  • Rule scope menu: chronicle.rules.update (IAM); detectRulesEdit (legacy RBAC)
  • Save rule button: chronicle.rules.update (IAM); detectRulesEdit (legacy RBAC)
  • Save as new rule button: chronicle.rules.create (IAM); detectRulesCreate (legacy RBAC)
  • Rule retro hunt button: chronicle.retrohunts.create (IAM); detectRulesRun (legacy RBAC)
  • Rule live toggle: chronicle.ruleDeployments.update (IAM); detectRulesEdit (legacy RBAC)
  • Rule alert toggle: chronicle.ruleDeployments.update (IAM); detectRulesEdit (legacy RBAC)
  • Rule run frequency toggle: chronicle.ruleDeployments.update (IAM); detectRulesEdit (legacy RBAC)
  • Rule archive and unarchive toggle: chronicle.ruleDeployments.update (IAM); detectRulesEdit (legacy RBAC)
  • View curated rule in editor: chronicle.featuredContentRules.list (IAM); N/A (legacy RBAC)

Manage your unified interface preferences

You can switch between the unified experience and the legacy view for both the rules dashboard and the rules editor. Once you make a selection, your instance saves your preference and loads that specific version by default.

  • Rules dashboard: To opt in to the unified rules dashboard, navigate to the rules dashboard and click Try our new unified rules page. To opt out, click Go back to the legacy rules dashboard.

  • Rules editor: To opt in to the new rules editor, navigate to the rules editor page and click New rule editor page. To opt out, click Legacy rules editor page.

Accelerate threat detection with curated rules

You can use the unified rules interface to identify detections for specific MITRE ATT&CK tactics. To find curated rules that have alerting enabled and relate to initial access, do the following:

  1. Navigate to the Rules dashboard.

  2. Use the search bar to filter for specific threats.

    For example, to find curated rules related to initial access (MITRE ATT&CK tactic TA0001), use the following search query:

    alerting_enabled = true AND tags:"TA0001"

    For complex filtering, see the advanced syntax on the Search rules page.

  3. Optional: Select a rule from your search results to view the rule details.

  4. Click the Menu icon next to the rule that you want to deploy.

  5. Click the Live rule and Alerting toggles to begin actively detecting threats.

You can track the rule's execution, status, and alert history from your dashboard.
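The filter in step 2 combines a scalar field match (alerting_enabled = true) with a membership test against a list-valued field (tags:"TA0001"). The following added example, which is not code from the Google SecOps product or documentation, evaluates filters of that shape over a constructed set of rule-metadata records so you can see which rules a given query selects before you enable anything. The grammar it accepts (field = value, field:"value", clauses joined by uppercase AND and OR with AND binding tighter) is an assumption modelled on the single query shown above, not the product's actual search syntax; the rule names and tags are constructed sample data.

```python
"""Evaluate a rules-dashboard style filter over constructed rule records.

Added example, not Google SecOps code. The filter grammar is an assumption
modelled on the one query shown on the page:
  - `field = value`   exact match on a scalar field ("true"/"false" become booleans)
  - `field:"value"`   membership test against a list-valued field such as tags
  - clauses joined by uppercase AND (binds tighter) and OR
"""
import re

# Constructed sample rule metadata; not real curated-rule data.
RULES = [
    {"name": "phishing_attachment_open", "alerting_enabled": True,
     "live": True, "tags": ["TA0001", "T1566"]},
    {"name": "valid_account_login_anomaly", "alerting_enabled": False,
     "live": True, "tags": ["TA0001", "T1078"]},
    {"name": "scheduled_task_persistence", "alerting_enabled": True,
     "live": True, "tags": ["TA0003", "T1053"]},
    {"name": "archived_old_rule", "alerting_enabled": True,
     "live": False, "tags": ["TA0001"]},
]

# One clause: a field name, an operator (= or :), then a quoted or bare value.
_CLAUSE = re.compile(r'^(\w+)\s*(=|:)\s*("([^"]*)"|\S+)$')


def _coerce(raw):
    """Turn the textual value of an `=` clause into the type stored in the record."""
    low = raw.lower()
    if low == "true":
        return True
    if low == "false":
        return False
    return raw


def _eval_clause(clause, rule):
    """Evaluate a single clause against one rule record; unknown fields never match."""
    m = _CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"cannot parse clause: {clause!r}")
    field, op, whole, quoted = m.group(1), m.group(2), m.group(3), m.group(4)
    value = quoted if quoted is not None else whole
    actual = rule.get(field)
    if op == ":":
        # Membership test for list-valued fields; plain equality otherwise.
        if isinstance(actual, list):
            return value in actual
        return actual == value
    return actual == _coerce(value)


def matches(query, rule):
    """True if the rule satisfies the query (OR of AND-groups)."""
    for disjunct in re.split(r"\s+OR\s+", query):
        if all(_eval_clause(c, rule) for c in re.split(r"\s+AND\s+", disjunct)):
            return True
    return False


def search(query, rules=RULES):
    """Return the names of the rules that match the query, in input order."""
    return [r["name"] for r in rules if matches(query, r)]


if __name__ == "__main__":
    # The page's own query, then a tightened version that also requires the rule to be live.
    print(search('alerting_enabled = true AND tags:"TA0001"'))
    print(search('alerting_enabled = true AND tags:"TA0001" AND live = true'))
```

Note that the page's query alone also returns the archived rule, because alerting can stay enabled on a rule that is not live; adding live = true (an assumed field name here) narrows the result to rules that are actually executing. Treat a dashboard search as a starting point and check each rule's deployment state before relying on it.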

Troubleshooting

Latency and limits

  • Rule execution: There may be a short propagation delay (typically a few minutes) between saving a rule and seeing its first execution metrics in the dashboard.

  • Retro hunt limits: Curated detections cannot be run as retro hunts. Additionally, retro hunts are subject to lookback window limits based on your data retention tier.

Error remediation

  • 403 Forbidden: missing permission to view curated content. Ensure chronicle.featuredContentRules.list is added to your IAM role.
  • Deployment failed: rule syntax error or conflict. Use the Test Rule button in the Rules editor to validate the YARA-L syntax before deploying.
