Detect threats

This guide is for detection engineers who want to detect threats for their organization. It explains how to leverage the unified rules interface to accelerate your threat detection capabilities.

Common use cases

Common use cases for this workflow include the following:

Accelerated rule deployment

Objective: Quickly identify and enable curated detections for specific adversary tactics (for example, Initial Access).

Value: Reduces the mean-time-to-detect (MTTD) for common attack vectors without requiring manual rule development.

Centralized rule lifecycle management

Objective: Monitor rule execution, status, and deployment history from a single console.

Value: Improves operational oversight and ensures that active detections are performing as expected.

Key terminology

  • Curated detections: Prebuilt detection sets managed by Google Cloud security experts.

  • Unified rules interface: A consolidated management console for both custom YARA-L rules and curated content.

  • Rule deployment: The state of a rule (live or archived) and its associated alerting configuration.

  • Retro hunt: A process that runs a rule against historical data to find past instances of a threat.

Before you begin

If your team uses custom IAM roles, make sure you have the following permissions for working with the unified rules dashboard and editor.

Rules dashboard permissions

View permission, required IAM permissions:
  • chronicle.rules.list
  • chronicle.retrohunts.list
  • chronicle.ruleDeployments.list
  • chronicle.legacies.legacySearchCustomerStats
  • chronicle.legacies.legacyGetRuleCounts
  • chronicle.legacies.legacyGetRulesTrends
  • chronicle.legacies.legacyGetCuratedRulesTrends
  • chronicle.sharedPreferenceSets.get
  • chronicle.sharedPreferenceSets.list
  • chronicle.rules.get
  • chronicle.rules.listRevisions
  • chronicle.legacies.legacyTestRuleStreaming
  • chronicle.legacies.legacyFetchAlertsView

Edit permission, required IAM permissions:
  • chronicle.retrohunts.create
  • chronicle.ruleDeployments.update
  • chronicle.ModifyRules
  • chronicle.rules.create
  • chronicle.rules.update
  • chronicle.rules.verifyRuleText

Saved views - list and create saved rule views

Manage permission, required IAM permissions:
  • chronicle.sharedPreferenceSets.get
  • chronicle.sharedPreferenceSets.list
  • chronicle.sharedPreferenceSets.create
  • chronicle.sharedPreferenceSets.update
  • chronicle.sharedPreferenceSets.delete

Rules editor permissions

| Component                         | IAM permission (if you use IAM)                                  | Analyst permission (if you use legacy RBAC) |
|-----------------------------------|------------------------------------------------------------------|---------------------------------------------|
| Rules editor page                 | chronicle.ruleDeployments.list, chronicle.rules.list             | detectRulesView                             |
| Related reference list section    | chronicle.referenceLists.get, chronicle.referenceLists.list      | referenceListView                           |
| Related data table section        | chronicle.dataTables.get, chronicle.dataTables.list              | N/A                                         |
| Create new rule button            | chronicle.rules.verifyRuleText, chronicle.rules.create           | detectRulesCreate                           |
| Test rule button                  | chronicle.legacies.legacyRunTestRule                             | detectRulesRun                              |
| Rule scope menu                   | chronicle.rules.update                                           | detectRulesEdit                             |
| Save rule button                  | chronicle.rules.update                                           | detectRulesEdit                             |
| Save as new rule button           | chronicle.rules.create                                           | detectRulesCreate                           |
| Rule retro hunt button            | chronicle.retrohunts.create                                      | detectRulesRun                              |
| Rule live toggle                  | chronicle.ruleDeployments.update                                 | detectRulesEdit                             |
| Rule alert toggle                 | chronicle.ruleDeployments.update                                 | detectRulesEdit                             |
| Rule run frequency toggle         | chronicle.ruleDeployments.update                                 | detectRulesEdit                             |
| Rule archive and unarchive toggle | chronicle.ruleDeployments.update                                 | detectRulesEdit                             |
| View curated rule in editor       | chronicle.featuredContentRules.list                              | N/A                                         |

Manage your unified interface preferences

You can switch between the unified experience and the legacy view for both the rules dashboard and the rules editor. Once you make a selection, your instance saves your preference and loads that specific version by default.

  • Rules dashboard: To opt in to the unified rules dashboard, navigate to the rules dashboard and click Try our new unified rules page. To opt out, click Go back to the legacy rules dashboard.

  • Rules editor: To opt in to the new rules editor, navigate to the rules editor page and click New rule editor page. To opt out, click Legacy rules editor page.

Accelerate threat detection with curated rules

You can use the unified rules interface to identify detections for specific MITRE ATT&CK tactics. To find rules that have alerting enabled and are related to initial access, do the following:

  1. Navigate to the Rules dashboard.

  2. Use the search bar to filter for specific threats.

    For example, to find curated rules related to initial access (MITRE ATT&CK tactic TA0001), use the following search query:

    alerting_enabled = true AND tags:"TA0001"

    For complex filtering, see the advanced syntax on the Search rules page.

  3. Optional: Select a rule from your search results to view the rule details.

  4. Click Menu adjacent to the rule that you want to deploy.

  5. Click the Live rule and Alerting toggles to begin actively detecting threats.

You can track the rule's execution, status, and alert history from your dashboard.

Troubleshooting

Latency and limits

  • Rule execution: There may be a short propagation delay (typically a few minutes) between saving a rule and seeing its first execution metrics in the dashboard.

  • Retro hunt limits: Curated detections cannot be run as retro hunts. Additionally, retro hunts are subject to lookback window limits based on your data retention tier.
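The search-and-deploy workflow from the previous section and the retro hunt limits just described, modelled offline as an added example. This is not Google SecOps product code and does not call the Chronicle API; it assumes a rule inventory of plain dicts (constructed sample data with placeholder rule names), a dashboard filter grammar limited to `field = value`, `field:"value"` and `AND` (enough for the TA0001 query on this page), and a retention tier expressed as a lookback limit in days. The toggle and retro hunt checks encode only what the page states; the refusal to change an archived rule's deployment is an assumed guard.

```python
"""Added example: an offline model of the unified rules dashboard workflow.

Assumptions (not taken from the page): rules are dicts with 'name', 'curated',
'tags', 'alerting_enabled', 'live' and 'archived'; the filter grammar supports
`field = value`, `field:"value"` and AND; retention is a day count.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; the rule names are placeholders, not real rules.
SAMPLE_RULES = [
    {"name": "curated_phishing_attachment", "curated": True,
     "tags": ["TA0001", "T1566"], "alerting_enabled": True,
     "live": True, "archived": False},
    {"name": "curated_external_remote_services", "curated": True,
     "tags": ["TA0001", "T1133"], "alerting_enabled": False,
     "live": False, "archived": False},
    {"name": "custom_suspicious_cron", "curated": False,
     "tags": ["TA0003"], "alerting_enabled": True,
     "live": True, "archived": False},
]

# One filter term: <field> followed by '=' or ':' and a quoted or bare value.
_TERM = re.compile(r'^(\w+)\s*(=|:)\s*("([^"]*)"|\S+)$')


def parse_filter(query):
    """Split `alerting_enabled = true AND tags:"TA0001"` into (field, value) pairs."""
    terms = []
    for raw in re.split(r"\s+AND\s+", query.strip()):
        m = _TERM.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {raw!r}")
        field, _, literal, quoted = m.groups()
        terms.append((field, quoted if quoted is not None else literal))
    return terms


def _matches(rule, field, value):
    """Compare one term against a rule; booleans, tag lists and strings differ."""
    actual = rule.get(field)
    if isinstance(actual, bool):
        return actual == (value.lower() == "true")
    if isinstance(actual, list):
        return value in actual
    return str(actual) == value


def search_rules(rules, query):
    """Return the rules matching every term (AND semantics, as in the dashboard)."""
    terms = parse_filter(query)
    return [r for r in rules if all(_matches(r, f, v) for f, v in terms)]


def set_deployment(rule, live=None, alerting=None):
    """Model the Live rule and Alerting toggles; returns the resulting deployment."""
    if rule["archived"]:  # assumed guard: unarchive before changing deployment
        raise ValueError("rule is archived; unarchive it first")
    if live is not None:
        rule["live"] = live
    if alerting is not None:
        rule["alerting_enabled"] = alerting
    return {"live": rule["live"], "alerting": rule["alerting_enabled"]}


def plan_retrohunt(rule, start, end, retention_days, now=None):
    """Validate a retro hunt request against the limits in the Troubleshooting section.

    start, end and now are ISO 8601 timestamps. Curated detections are refused,
    and the window may not reach back past the retention tier (day count here).
    """
    now_dt = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    if rule["curated"]:
        return {"ok": False, "reason": "curated detections cannot be run as retro hunts"}
    earliest = now_dt - timedelta(days=retention_days)
    if start_dt < earliest:
        return {"ok": False, "reason": f"start precedes retention window ({earliest.date()})"}
    if end_dt <= start_dt:
        return {"ok": False, "reason": "end must be after start"}
    return {"ok": True, "rule": rule["name"], "start": start_dt, "end": end_dt}


if __name__ == "__main__":
    hits = search_rules(SAMPLE_RULES, 'alerting_enabled = true AND tags:"TA0001"')
    print([r["name"] for r in hits])
    target = search_rules(SAMPLE_RULES, 'tags:"T1133"')[0]
    print(set_deployment(dict(target), live=True, alerting=True))
    print(plan_retrohunt(SAMPLE_RULES[0], "2024-01-20T00:00:00+00:00",
                         "2024-01-30T00:00:00+00:00", 30))
```

Running the module shows the TA0001 query selecting only the rule that already alerts, the toggles producing a live, alerting deployment for the second rule, and the retro hunt request for a curated rule being refused before any window check runs.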

Error remediation

  • Deployment failed: Caused by a rule syntax error or conflict. Use the Test Rule button in the Rules editor to validate YARA-L syntax.
