Overview of composite rules category

This document provides an overview of the composite rule sets, the required data sources, and the configuration options for tuning the alerts they generate. These rule sets provide higher-fidelity alerting. They establish severity, confidence, risk, and priority levels across all Google Security Operations-enabled detection content for Google Cloud and endpoint environments.

Describe rule sets

The Composite Rules category includes the following rule sets:

Understand endpoint composite rules

These rules correlate findings from multiple detection rules that relate to the same endpoint over a defined time period. Confidence and risk levels are determined by specific characteristics of those detections.

Understand Cloud composite rules

These rules correlate findings from multiple detection rules associated with the same Google Cloud account or Google Cloud resource over a defined time period. Confidence and risk levels are based on specific characteristics of those detections.

Supported devices and log types

These rules primarily rely on Cloud Audit Logs, endpoint detection and response logs, and network proxy logs. Google SecOps automatically normalizes these log sources into UDM. The following categories outline the most important log sources required for the curated composite content to function effectively:

  • Endpoint composite rule log sources

  • Google Cloud composite rule log sources

  • Google Cloud and endpoint rule log sources

For a complete list of the available curated detections, see Use curated detections. Contact your Google SecOps representative if you need to enable the detection sources using a different mechanism.

Google SecOps provides default parsers that parse and normalize raw logs to create UDM records with data required by composite and curated detection rule sets. For a list of all Google SecOps supported data sources, see Supported default parsers.

Modify rules in a rule set

You can customize the behavior of rules within a rule set to meet your organization's needs. Adjust how each rule operates by selecting one of the following detection modes, and configure whether the rules generate alerts.

  • Broad: detects potentially malicious or anomalous behavior, but may produce more false positives due to the general nature of the rule.

To modify the settings, do the following:

  1. From the rules list, select the checkbox next to each rule that you want to modify.

  2. Configure the Status and Alerting settings for the rules as follows:

    • Status: applies the mode (Precise or Broad) to the selected rule. Set to Enabled to activate the rule in that mode.

    • Alerting: controls whether the rule generates an alert on the Alerts page. Set to On to enable alerts.

Tune alerts from rule sets

You can reduce the number of alerts generated by a composite rule by using rule exclusions.

A rule exclusion specifies criteria that prevent certain events from being evaluated by a rule or rule set. Use exclusions to reduce detection volume. See Configure rule exclusions for more information.
