
Google Cloud Announces Curated Detection in Chronicle SecOps Suite

Google Cloud recently announced the general availability of curated detections as a part of the Chronicle SecOps Suite. Using out-of-the-box threat analytics, security operations teams can now detect cybersecurity threats proactively and take relevant actions.

The detections are created and maintained by the Google Cloud Threat Intelligence (GCTI) research team. GCTI manages, updates, and refines a set of YARA-L rules covering a growing number of threats, spanning network-based and Windows-based threats such as ransomware, remote access tools (RATs), infostealers, misused software, and crypto activity. Through the Chronicle console, the security operations team can enable the high-fidelity curated detections and map detection coverage to the MITRE ATT&CK framework.

Curated detections also make it possible to view telemetry, entity context, relationships, and vulnerabilities as a single detection within the user’s Chronicle account. Using these context-aware analytics, teams can reduce the time spent on triage and on manually gathering information from separate IT security systems (such as Identity and Access Management [IAM] and the Configuration Management Database [CMDB]). With prevalence visualization, security analysts can speed up threat investigation and response: in general, a domain that few assets in an enterprise connect to warrants more suspicion than a widely used one.

As an example, security teams can use the interface to review detections and see how they map to the MITRE ATT&CK framework. They can also configure deployment and alerting, and specify exceptions through a reference list.
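To illustrate the mechanisms the announcement refers to (a YARA-L rule carrying its ATT&CK mapping and excluding known-good hosts through a reference list), here is an added example written in YARA-L 2.0 syntax; it is not a GCTI curated rule and not code from the announcement, and the rule name, the `%approved_admin_hosts` reference list and the matched command-line pattern are all assumptions for the illustration.

```yaral
// Added example (not a Google/GCTI rule). Flags credential-dumping style
// process launches while excluding hosts listed in an operator-managed
// reference list, which is how exceptions are expressed without editing
// the rule body. The list name is an assumption; create it in Chronicle.
rule example_lsass_access_with_allowlist {
  meta:
    author = "editor example"
    description = "Process launch referencing lsass memory, excluding approved admin hosts"
    severity = "HIGH"
    // ATT&CK mapping carried as metadata, matching the coverage view in the console.
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "OS Credential Dumping: LSASS Memory"
    mitre_attack_technique_id = "T1003.001"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $host
    // Constructed pattern for the illustration only.
    re.regex($e.target.process.command_line, `(?i)lsass.*(dump|minidump)`)
    // Exception via reference list: hosts in the list never produce a detection.
    not $e.principal.hostname in %approved_admin_hosts

  match:
    $host over 1h

  condition:
    $e
}
```

Adding a host to the reference list is then an exception that survives rule updates, which is the point of keeping exceptions out of the rule text.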

Source: Announcing curated detections in Chronicle SecOps Suite

The announcement blog post also mentioned the upcoming release of new detection categories covering a range of threats, community-driven content, and other out-of-the-box analytics. Curated detections also let security analysts spend their time responding to actual threats, reducing the fatigue caused by too many alerts.

Chronicle is Google’s security information and event management (SIEM) platform. Chronicle was also in the news recently when Chronicle Security Operations was announced at Google Cloud Next 2022. The blog post also described how Google Cloud customers using the public preview of curated detections were able to detect malicious activity and take action to stop threats earlier in their lifecycle.

The tech community on LinkedIn took notice of this announcement. Ivan Ninichuck, technical solutions engineer at Google, posted on LinkedIn,

This is a huge progression and will definitely bring immediate defensive value to anyone using Chronicle.

Interested readers can learn more about these features and Chronicle as a whole in the product documentation.
